

[pkgsrc/trunk]: pkgsrc/mk Add a package-settable variable PKGSRC_OVERRIDE_MKPIE



details:   https://anonhg.NetBSD.org/pkgsrc/rev/40b3a993b500
branches:  trunk
changeset: 372026:40b3a993b500
user:      pho <pho%pkgsrc.org@localhost>
date:      Tue Jan 18 01:41:09 2022 +0000

description:
Add a package-settable variable PKGSRC_OVERRIDE_MKPIE

This is needed by packages that require hand-holding in building PIE. Also a
post-build check for MKPIE is performed by default when PKG_DEVELOPER=YES.

diffstat:

 mk/bsd.prefs.mk            |  18 +++++++-
 mk/check/bsd.check-vars.mk |   3 +-
 mk/check/bsd.check.mk      |   3 +-
 mk/check/check-pie-elf.awk |  87 ++++++++++++++++++++++++++++++++++++++++++++++
 mk/check/check-pie.mk      |  75 +++++++++++++++++++++++++++++++++++++++
 mk/compiler/gcc.mk         |   4 +-
 mk/cwrappers.mk            |   8 ++-
 mk/wrapper/bsd.wrapper.mk  |   4 +-
 8 files changed, 191 insertions(+), 11 deletions(-)

diffs (truncated from 312 to 300 lines):

diff -r 494c44da487b -r 40b3a993b500 mk/bsd.prefs.mk
--- a/mk/bsd.prefs.mk   Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/bsd.prefs.mk   Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.prefs.mk,v 1.415 2021/11/30 09:39:11 jperkin Exp $
+# $NetBSD: bsd.prefs.mk,v 1.416 2022/01/18 01:41:09 pho Exp $
 #
 # This file includes the mk.conf file, which contains the user settings.
 #
@@ -27,6 +27,17 @@
 #      directory. Typical values look like editors/emacs or
 #      misc/openoffice-bin.
 #
+# Package-settable variables:
+#
+# PKGSRC_OVERRIDE_MKPIE
+#      When this variable is set to no, MKPIE is enforced by putting toolchain
+#      flags into tool wrapper scripts. Setting it to yes prevents that and
+#      shifts the responsibility of building PIE from the pkgsrc infrastructure
+#      to an individual package.
+#
+#      Possible values: yes, no
+#      Default value: no
+#
 # Keywords: mk.conf user platform
 #
 
@@ -736,11 +747,12 @@
 # Allows the security mitigation of ASLR to be used.
 # Impact: very small performance drop.
 #
-_PKGSRC_MKPIE= no
+PKGSRC_OVERRIDE_MKPIE?=        no
+_PKGSRC_MKPIE=         no
 .if ${PKGSRC_MKPIE:tl} == "yes" && \
     ${MKPIE_SUPPORTED:Uyes:tl} == "yes" && \
     ${_OPSYS_SUPPORTS_MKPIE:Uno} == "yes"
-_PKGSRC_MKPIE= yes
+_PKGSRC_MKPIE=         yes
 .endif
 
 # Enable reproducible build flags
diff -r 494c44da487b -r 40b3a993b500 mk/check/bsd.check-vars.mk
--- a/mk/check/bsd.check-vars.mk        Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/check/bsd.check-vars.mk        Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check-vars.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check-vars.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment is included separately by bsd.pkg.mk and
 # defines some variables which must be defined earlier than where
@@ -6,6 +6,7 @@
 #
 
 CHECK_FILES_SUPPORTED?=                yes
+CHECK_PIE_SUPPORTED?=          yes
 CHECK_RELRO_SUPPORTED?=                yes
 CHECK_SHLIBS_SUPPORTED?=       yes
 CHECK_SSP_SUPPORTED?=          yes
diff -r 494c44da487b -r 40b3a993b500 mk/check/bsd.check.mk
--- a/mk/check/bsd.check.mk     Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/check/bsd.check.mk     Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.check.mk,v 1.10 2017/10/03 09:43:06 jperkin Exp $
+# $NetBSD: bsd.check.mk,v 1.11 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment is included by bsd.pkg.mk and provides all
 # variables and targets related to build and install checks.
@@ -29,6 +29,7 @@
 .include "check-headers.mk"
 .include "check-interpreter.mk"
 .include "check-perms.mk"
+.include "check-pie.mk"
 .include "check-portability.mk"
 .include "check-relro.mk"
 .include "check-shlibs.mk"
diff -r 494c44da487b -r 40b3a993b500 mk/check/check-pie-elf.awk
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mk/check/check-pie-elf.awk        Tue Jan 18 01:41:09 2022 +0000
@@ -0,0 +1,87 @@
+# $NetBSD: check-pie-elf.awk,v 1.1 2022/01/18 01:41:09 pho Exp $
+#
+# Read a list of potential ELF binaries from stdin. For each, extract the list
+# of headers. There are four possibilities:
+#
+# 1. Elf_Ehdr.e_type == ET_EXEC &&
+#    PT_INTERP does not exist
+#
+#      This is a statically-linked executable. Ignore these, as they cannot
+#      ever be a PIE.
+#
+# 2. Elf_Ehdr.e_type == ET_EXEC &&
+#    PT_INTERP exists in the program headers
+#
+#      This is a dynamically-linked non-PIE that this script complains about.
+#
+# 3. Elf_Ehdr.e_type == ET_DYN &&
+#    PT_INTERP exists in the program headers &&
+#    DT_FLAGS_1 exists in the dynamic section &&
+#    DT_FLAGS_1 contains DF_1_PIE
+#
+#      This is a PIE.
+#
+# 4. Elf_Ehdr.e_type == ET_DYN &&
+#    PT_INTERP does not exist in the program headers
+#
+#      This is a shared object.
+#
+# See also https://stackoverflow.com/a/55704865
+#
+
+function shquote(IN, out) {
+       out = IN;
+       gsub("\\\\", "\\\\", out);
+       gsub("\\\n", "\\n", out);
+       gsub("\\\t", "\\t", out);
+       gsub(" ", "\\ ", out);
+       gsub("'", "\\'", out);
+       gsub("`", "\\`", out);
+       gsub("\"", "\\\"", out);
+       gsub(";", "\\;", out);
+       gsub("&", "\\&", out);
+       gsub("<", "\\<", out);
+       gsub(">", "\\>", out);
+       gsub("\\(", "\\(", out);
+       gsub("\\)", "\\)", out);
+       gsub("\\|", "\\|", out);
+       gsub("\\*", "\\*", out);
+       gsub("\\?", "\\?", out);
+       gsub("\\{", "\\{", out);
+       gsub("\\}", "\\}", out);
+       gsub("\\[", "\\[", out);
+       gsub("\\]", "\\]", out);
+       gsub("\\$", "\\$", out);
+       gsub("!", "\\!", out);
+       gsub("#", "\\#", out);
+       gsub("\\^", "\\^", out);
+       gsub("~", "\\~", out);
+       return out;
+}
+
+function check_pie(ELF, is_non_pie, is_dyn_exec) {
+       is_non_pie = 0;
+       is_dyn_exec = 0;
+       cmd = readelf " -Whl " shquote(ELF) " 2>/dev/null";
+       while ((cmd | getline) > 0) {
+               if ($1 == "Type:" && $2 == "EXEC") {
+                       is_non_pie = 1;
+               }
+               else if ($1 == "INTERP") {
+                       is_dyn_exec = 1;
+               }
+       }
+       close(cmd);
+       if (is_non_pie == 1 && is_dyn_exec == 1) {
+               print ELF ": not a PIE";
+       }
+}
+
+BEGIN {
+       readelf = ENVIRON["READELF"];
+       if (readelf == "") {
+               readelf = "readelf";
+       }
+}
+
+{ check_pie($0); }
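Review bot: shquote() escapes file names with a character-by-character list before check_pie() splices them into the command string run by `cmd | getline`, which is fragile: any shell-special character missing from the list passes through unescaped, and the treatment of `"\\\\"` as a gsub() replacement reportedly differs between awk implementations. Wrapping the name in single quotes needs only one substitution and covers every character: `gsub(/'/, "'\\''", out); return "'" out "'";`. Separately, `cmd` is not listed among check_pie's extra parameters, so it is a global rather than a local. Because stderr goes to `2>/dev/null`, a readelf that fails to run produces no output and the file is silently counted as passing.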
diff -r 494c44da487b -r 40b3a993b500 mk/check/check-pie.mk
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/mk/check/check-pie.mk     Tue Jan 18 01:41:09 2022 +0000
@@ -0,0 +1,75 @@
+# $NetBSD
+#
+# This file verifies that MKPIE (position-independent executables) was applied
+# accordingly at build-time.
+#
+# User-settable variables:
+#
+# CHECK_PIE
+#      Whether the check should be enabled or not.
+#
+#      Default value: "yes" for PKG_DEVELOPERs, "no" otherwise.
+#
+# Package-settable variables:
+#
+# CHECK_PIE_SKIP
+#      A list of shell patterns (like man/*) that should be excluded
+#      from the check. Note that a * in a pattern also matches a slash
+#      in a pathname.
+#
+#      Default value: empty.
+#
+# CHECK_PIE_SUPPORTED
+#      Whether the check should be enabled for this package or not.
+#
+#      Default value: yes
+#
+
+_VARGROUPS+=           check-pie
+_USER_VARS.check-pie=  CHECK_PIE
+_PKG_VARS.check-pie=   CHECK_PIE_SUPPORTED
+
+.if ${_PKGSRC_MKPIE:Uno} != "no" && ${PKG_DEVELOPER:Uno:tl} != "no"
+CHECK_PIE?=            yes
+.else
+CHECK_PIE?=            no
+.endif
+CHECK_PIE_SUPPORTED?=  yes
+CHECK_PIE_SKIP?=       # none
+
+# All binaries but not libraries
+_CHECK_PIE_ERE=                (bin/|sbin/|libexec/)
+
+_CHECK_PIE_FILELIST_CMD?=                                      \
+       ${SED} -e '/^@/d' ${PLIST} |                            \
+       while read file; do                                     \
+               ${TEST} -h "$$file" || ${ECHO} "$$file";        \
+       done
+
+_CHECK_PIE_CMD=                # empty
+.if ${OBJECT_FMT} == "ELF"
+USE_TOOLS+=            awk readelf
+_CHECK_PIE_CMD=                ${AWK} -f ${PKGSRCDIR}/mk/check/check-pie-elf.awk
+_CHECK_PIE_ENV+=       READELF=${TOOLS_PATH.readelf:Q}
+.endif
+
+.if    ${CHECK_PIE:tl} == "yes" && \
+       ${CHECK_PIE_SUPPORTED:tl} == "yes" && \
+       !empty(_CHECK_PIE_CMD)
+privileged-install-hook: _check-pie
+_check-pie: error-check .PHONY
+       @${STEP_MSG} "Checking for PIE in ${PKGNAME}"
+       ${RUN} rm -f ${ERROR_DIR}/${.TARGET}
+       ${RUN}                                                          \
+               cd ${DESTDIR:Q}${PREFIX:Q};                             \
+               ${_CHECK_PIE_FILELIST_CMD} |                            \
+               ${EGREP} -h ${_CHECK_PIE_ERE:Q} |                       \
+               while read file; do                                     \
+                       case "$$file" in                                \
+                               ${CHECK_PIE_SKIP:@p@${p}) continue;;@}  \
+                               *) ${ECHO} "$$file";                    \
+                       esac;                                           \
+               done |                                                  \
+               ${PKGSRC_SETENV} ${_CHECK_PIE_ENV} ${_CHECK_PIE_CMD}    \
+                       > ${ERROR_DIR}/${.TARGET}
+.endif
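Review bot: CHECK_PIE_SKIP is documented in the header as package-settable but is missing from `_PKG_VARS.check-pie`, so the variable group does not describe it; I would write `_PKG_VARS.check-pie= CHECK_PIE_SUPPORTED CHECK_PIE_SKIP`. The first line reads `# $NetBSD` without the closing `$`, which probably keeps the revision keyword from being expanded on commit; `# $NetBSD$` is the usual form. In both `while read file` loops, `read -r` would keep backslashes in PLIST entries intact before the names reach the awk script.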
diff -r 494c44da487b -r 40b3a993b500 mk/compiler/gcc.mk
--- a/mk/compiler/gcc.mk        Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/compiler/gcc.mk        Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: gcc.mk,v 1.234 2021/12/22 10:14:27 nia Exp $
+# $NetBSD: gcc.mk,v 1.235 2022/01/18 01:41:09 pho Exp $
 #
 # This is the compiler definition for the GNU Compiler Collection.
 #
@@ -352,6 +352,7 @@
 # XXX for libraries a sink wrapper around gcc is required and used instead
 _MKPIE_LDFLAGS.gcc=    -pie
 
+.  if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
 _GCC_CFLAGS+=          ${_MKPIE_CFLAGS.gcc}
 _GCC_FCFLAGS+=         ${_MKPIE_FCFLAGS.gcc}
 #_GCC_LDFLAGS+=                ${_MKPIE_LDFLAGS.gcc}
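Review bot: The added guard `.  if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"` fails open: any value other than `no`, such as a typo or `false`, drops the PIE compiler flags, although the documentation added in mk/bsd.prefs.mk lists only `yes` and `no` as possible values. Since CHECK_PIE defaults to yes only for PKG_DEVELOPER builds, an ordinary build would lose the ASLR mitigation without any message. Testing for the explicit opt-out keeps the hardening on for unexpected values: `.  if ${PKGSRC_OVERRIDE_MKPIE:tl} != "yes"`. The same comparison is added in the mk/cwrappers.mk hunk. The enclosing `.if` starts above this hunk and the matching `.  endif` is in the next one.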
@@ -360,6 +361,7 @@
 CWRAPPERS_APPEND.f77+= ${_MKPIE_FCFLAGS.gcc}
 # this differs for libraries and executables (handled in mk/cwrappers.mk)
 # CWRAPPERS_APPEND.ld+=        ${_MKPIE_LDFLAGS.gcc}
+.  endif
 .endif
 
 .if ${_PKGSRC_MKREPRO} == "yes"
diff -r 494c44da487b -r 40b3a993b500 mk/cwrappers.mk
--- a/mk/cwrappers.mk   Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/cwrappers.mk   Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: cwrappers.mk,v 1.31 2019/05/07 19:36:43 rillig Exp $
+# $NetBSD: cwrappers.mk,v 1.32 2022/01/18 01:41:09 pho Exp $
 #
 # This Makefile fragment implements integration of pkgtools/cwrappers.
 
@@ -89,9 +89,11 @@
        ${RUN}ln -s ${CWRAPPERS_SRC_DIR}/${CWRAPPERS_CONFIG.${wrappee}}-wrapper ${WRAPPER_BINDIR}/${alias}
 .  endfor
 . if ${_PKGSRC_MKPIE} == "yes"
-.  for arg in ${_MKPIE_LDFLAGS.gcc}
+.  if ${PKGSRC_OVERRIDE_MKPIE:tl} == "no"
+.    for arg in ${_MKPIE_LDFLAGS.gcc}
        ${RUN}echo append_executable=${arg} >> ${CWRAPPERS_CONFIG_DIR}/${CWRAPPERS_CONFIG.${wrappee}}
-.  endfor
+.    endfor
+.  endif
 . endif
 .endfor
 
diff -r 494c44da487b -r 40b3a993b500 mk/wrapper/bsd.wrapper.mk
--- a/mk/wrapper/bsd.wrapper.mk Mon Jan 17 19:02:33 2022 +0000
+++ b/mk/wrapper/bsd.wrapper.mk Tue Jan 18 01:41:09 2022 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: bsd.wrapper.mk,v 1.102 2020/04/27 05:23:11 rillig Exp $
+# $NetBSD: bsd.wrapper.mk,v 1.103 2022/01/18 01:41:09 pho Exp $


