You made me curious, so I took a look at this. The eclass has a single function stating: "Set up CFLAGS for a debug build" in its description. However, it is not conditional on debug builds, so it gets applied all the time, being called from the eclass' src_configure function. The filter flags statements are conditional and applied only in case of a static-libs build. Appending lazy binding is also conditional for Xorg and drivers.

According to the Hardened/Toolchains wiki, one can find this section:

"The following packages have issues with BIND_NOW at the time of writing, and it has to be relaxed somewhat for them:
X - some drivers consist of several libraries which are co-dependent, and the modules frequently have references to modules that they load.
transcode - relies on lazy binding to be able to load its modules; the issues are similar to the X issues."

The function does not check whether the build happens on a hardened system or not. If you are using a hardened toolchain, relro and now are specified by default. I guess lazy takes precedence if present. Unless it would have no effect.

I'm not sure what you mean by adding relro and now to the filters, since these would be applied anyway by gcc specs. I'm also not sure what happens if both lazy and relro+now are appended at the same time.

If I were to test Xorg and its drivers with relro+now, I would comment out the append lazy line. I can give that a try if it is reasonable, but the statement in the wiki seems pretty clear. I don't know when those described experiences came from.

Regards:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On Monday, 30 September 2013, at 14:41, Hinnerk van Bruinehsen wrote:
> Hi,
>
> If one builds Xorg it's built with only partial RELRO enabled (test e.g. with checksec.sh).
> This is caused by the xorg-2.eclass and affects seemingly all packages that use that eclass (It has a conditional that checks if hardened is used and filters some flags).
> Does anyone know why this is the case? Is it a legacy issue or are there valid reasons why Xorg is built with only partial RELRO?
> I've tried to build it on my systems with full RELRO (by adding -z,relro,-z,now to the filter inside the eclass) and it works without issues so far.
>
> WKR
> Hinnerk