* This patchset adds a switch to configure gcc driver with PIE defaults
* Add support for generating static PIE in gcc
* Gets rid of a lot of bandaids from distro security flags file
* Adjust recipes for new way of specifying pie

v1->v2:
* apply linking spec changes libssp_nonshared.a to musl alone
* icu/iptable/gstreamer1.0-plugins-bad fixes are done on top and do not really depend on the pie rework

v2->v3:
* Add glibc 2.25.90 upgrade patches to this pull request as it has a few dependent gcc patches with hardening
* Fixes for recipes to build against glibc 2.26
* Add fixes to sysklogd
* Don't compile sysklogd with PIE

The following changes since commit de7914954571ea8e717f56b6d6df13157b0973bc:

  scripts/contrib/patchreview: add new script (2017-06-29 13:01:32 +0100)

are available in the git repository at:

  git://git.openembedded.org/openembedded-core-contrib kraj/hardening-fixes
  http://cgit.openembedded.org/openembedded-core-contrib/log/?h=kraj/hardening-fixes

Khem Raj (19):
  glibc: Upgrade to 2.25.90
  glibc: Drop obsoleted bits/string.h from multilibbing
  glibc: Enable obsoleted nsl
  gcc: Introduce a knob to configure gcc to default to PIE
  security_flags.inc: Delete pinnings for SECURITY_NO_PIE_CFLAGS
  distutils,setuptools: Delete use of SECURITY_NO_PIE_CFLAGS
  gcc7: Enable static PIE
  gcc: Link libssp_nonshared.a only on musl targets
  sysklogd: Improve build and fix runtime crash
  libunwind: We set -fPIE in security flags now if gcc is not configured for default PIE
  valgrind: Remove -no-pie from cflags
  icu: Fix build with glibc 2.26
  gstreamer1.0-plugins-bad: Fix missing library with bcm egl
  gcc-sanitizer: Fix build with glibc 2.26
  gcc: Use ucontext_t instead of ucontext
  valgrind: Fix build with glibc 2.26
  strace: upgrade to 4.17
  qemu: Replace use of struct ucontext with ucontext_t
  epiphany: Fix build errors when compiling with security flags

 meta/classes/distutils-common-base.bbclass | 2 -
 meta/classes/setuptools.bbclass | 2 -
 meta/conf/distro/include/security_flags.inc | 85 ++-----
 meta/conf/distro/include/tcmode-default.inc | 2 +-
 ...e_2.25.bb => cross-localedef-native_2.25.90.bb} | 27 ++-
 ...bc-initial_2.25.bb => glibc-initial_2.25.90.bb} | 0
 ...libc-locale_2.25.bb => glibc-locale_2.25.90.bb} | 0
 ...libc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} | 0
 meta/recipes-core/glibc/glibc-package.inc | 2 +-
 ...bc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} | 0
 ...libc-Look-for-host-system-ld.so.cache-as-.patch | 6 +-
 ...libc-Fix-buffer-overrun-with-a-relocated-.patch | 6 +-
 ...libc-Raise-the-size-of-arrays-containing-.patch | 34 +--
 ...ivesdk-glibc-Allow-64-bit-atomics-for-x86.patch | 11 +-
 ...500-e5500-e6500-603e-fsqrt-implementation.patch | 42 ++--
 ...-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch | 6 +-
 ...-Fix-undefined-reference-to-__sqrt_finite.patch | 28 +--
 ...qrt-f-are-now-inline-functions-and-call-o.patch | 28 +--
 ...bug-1443-which-explains-what-the-patch-do.patch | 8 +-
 ...n-libm-err-tab.pl-with-specific-dirs-in-S.patch | 6 +-
 ...qrt-f-are-now-inline-functions-and-call-o.patch | 8 +-
 ...ersion-output-matching-grok-gold-s-output.patch | 44 ----
 ...configure.ac-handle-correctly-libc_cv_ro.patch} | 10 +-
 ...ibute.patch => 0013-Add-unused-attribute.patch} | 8 +-
 ...hin-the-path-sets-wrong-config-variables.patch} | 30 +--
 ...timezone-re-written-tzselect-as-posix-sh.patch} | 12 +-
 ...ove-bash-dependency-for-nscd-init-script.patch} | 11 +-
 ...-Cross-building-and-testing-instructions.patch} | 10 +-
 ...18-eglibc-Help-bootstrap-cross-toolchain.patch} | 10 +-
 ... 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} | 10 +-
 ...020-eglibc-Resolve-__fpscr_values-on-SH4.patch} | 10 +-
 ...atch => 0021-eglibc-Install-PIC-archives.patch} | 20 +-
 ...ard-port-cross-locale-generation-support.patch} | 36 +--
 ...023-Define-DUMMY_LOCALE_T-if-not-defined.patch} | 8 +-
 ...m.patch => 0024-local-dynamic-resolvconf.patch} | 57 +++--
 ...c-Make-_dl_build_local_scope-breadth-fir.patch} | 8 +-
 ...locale-fix-hard-coded-reference-to-gcc-E.patch} | 10 +-
 .../glibc/{glibc_2.25.bb => glibc_2.25.90.bb} | 37 +--
 meta/recipes-devtools/gcc/gcc-7.1.inc | 5 +-
 ...shared-to-link-commandline-for-musl-targe.patch | 42 ++++
 .../gcc/gcc-7.1/0040-ssp_nonshared.patch | 28 ---
 .../gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch | 37 +++
 ...r-Use-stack_t-instead-of-struct-sigaltsta.patch | 160 +++++++++++++
 ...0-replace-struct-ucontext-with-ucontext_t.patch | 149 ++++++++++++
 meta/recipes-devtools/gcc/gcc-configure-common.inc | 3 +
 ...lace-struct-ucontext-with-ucontext_t-type.patch | 265 +++++++++++++++++++++
 meta/recipes-devtools/qemu/qemu_2.8.1.1.bb | 46 ++--
 ...8-replace-struct-ucontext-with-ucontext_t.patch | 31 +++
 .../strace/strace/Makefile-ptest.patch | 19 +-
 .../strace/{strace_4.16.bb => strace_4.17.bb} | 5 +-
 ...sts-Use-ucontext_t-instead-of-struct-ucon.patch | 30 +++
 meta/recipes-devtools/valgrind/valgrind_3.12.0.bb | 3 +-
 ...s-that-causes-a-segmentation-fault-under-.patch | 28 +++
 ...way-for-respecting-flags-from-environment.patch | 35 +++
 meta/recipes-extended/sysklogd/sysklogd.inc | 6 +-
 meta/recipes-gnome/epiphany/epiphany_3.24.2.bb | 6 +-
 ...bookmarks-Check-for-return-value-of-fread.patch | 32 +++
 .../link-with-libvchostif.patch | 35 +++
 .../gstreamer/gstreamer1.0-plugins-bad_1.10.4.bb | 1 +
 .../icu/icu/0001-i18n-Drop-include-xlocale.h.patch | 31 +++
 meta/recipes-support/icu/icu_58.2.bb | 3 +-
 meta/recipes-support/libunwind/libunwind_1.2.bb | 4 -
 62 files changed, 1209 insertions(+), 429 deletions(-)
 rename meta/recipes-core/glibc/{cross-localedef-native_2.25.bb => cross-localedef-native_2.25.90.bb} (61%)
 rename meta/recipes-core/glibc/{glibc-initial_2.25.bb => glibc-initial_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-locale_2.25.bb => glibc-locale_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-mtrace_2.25.bb => glibc-mtrace_2.25.90.bb} (100%)
 rename meta/recipes-core/glibc/{glibc-scripts_2.25.bb => glibc-scripts_2.25.90.bb} (100%)
 delete mode 100644 meta/recipes-core/glibc/glibc/0012-Make-ld-version-output-matching-grok-gold-s-output.patch
 rename meta/recipes-core/glibc/glibc/{0013-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch => 0012-sysdeps-gnu-configure.ac-handle-correctly-libc_cv_ro.patch} (82%)
 rename meta/recipes-core/glibc/glibc/{0014-Add-unused-attribute.patch => 0013-Add-unused-attribute.patch} (82%)
 rename meta/recipes-core/glibc/glibc/{0015-yes-within-the-path-sets-wrong-config-variables.patch => 0014-yes-within-the-path-sets-wrong-config-variables.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0016-timezone-re-written-tzselect-as-posix-sh.patch => 0015-timezone-re-written-tzselect-as-posix-sh.patch} (81%)
 rename meta/recipes-core/glibc/glibc/{0017-Remove-bash-dependency-for-nscd-init-script.patch => 0016-Remove-bash-dependency-for-nscd-init-script.patch} (89%)
 rename meta/recipes-core/glibc/glibc/{0018-eglibc-Cross-building-and-testing-instructions.patch => 0017-eglibc-Cross-building-and-testing-instructions.patch} (99%)
 rename meta/recipes-core/glibc/glibc/{0019-eglibc-Help-bootstrap-cross-toolchain.patch => 0018-eglibc-Help-bootstrap-cross-toolchain.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0021-eglibc-Clear-cache-lines-on-ppc8xx.patch => 0019-eglibc-Clear-cache-lines-on-ppc8xx.patch} (94%)
 rename meta/recipes-core/glibc/glibc/{0022-eglibc-Resolve-__fpscr_values-on-SH4.patch => 0020-eglibc-Resolve-__fpscr_values-on-SH4.patch} (88%)
 rename meta/recipes-core/glibc/glibc/{0023-eglibc-Install-PIC-archives.patch => 0021-eglibc-Install-PIC-archives.patch} (90%)
 rename meta/recipes-core/glibc/glibc/{0024-eglibc-Forward-port-cross-locale-generation-support.patch => 0022-eglibc-Forward-port-cross-locale-generation-support.patch} (96%)
 rename meta/recipes-core/glibc/glibc/{0025-Define-DUMMY_LOCALE_T-if-not-defined.patch => 0023-Define-DUMMY_LOCALE_T-if-not-defined.patch} (80%)
 rename meta/recipes-core/glibc/glibc/{0020-eglibc-cherry-picked-from.patch => 0024-local-dynamic-resolvconf.patch} (49%)
 rename meta/recipes-core/glibc/glibc/{0026-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch => 0025-elf-dl-deps.c-Make-_dl_build_local_scope-breadth-fir.patch} (89%)
 rename meta/recipes-core/glibc/glibc/{0027-locale-fix-hard-coded-reference-to-gcc-E.patch => 0026-locale-fix-hard-coded-reference-to-gcc-E.patch} (82%)
 rename meta/recipes-core/glibc/{glibc_2.25.bb => glibc_2.25.90.bb} (80%)
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-Add-ssp_nonshared-to-link-commandline-for-musl-targe.patch
 delete mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0040-ssp_nonshared.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0048-gcc-Enable-static-PIE.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0049-libsanitizer-Use-stack_t-instead-of-struct-sigaltsta.patch
 create mode 100644 meta/recipes-devtools/gcc/gcc-7.1/0050-replace-struct-ucontext-with-ucontext_t.patch
 create mode 100644 meta/recipes-devtools/qemu/qemu/0001-replace-struct-ucontext-with-ucontext_t-type.patch
 create mode 100644 meta/recipes-devtools/strace/strace/0008-replace-struct-ucontext-with-ucontext_t.patch
 rename meta/recipes-devtools/strace/{strace_4.16.bb => strace_4.17.bb} (87%)
 create mode 100644 meta/recipes-devtools/valgrind/valgrind/0001-memcheck-tests-Use-ucontext_t-instead-of-struct-ucon.patch
 create mode 100644 meta/recipes-extended/sysklogd/files/0001-fix-problems-that-causes-a-segmentation-fault-under-.patch
 create mode 100644 meta/recipes-extended/sysklogd/files/0002-Make-way-for-respecting-flags-from-environment.patch
 create mode 100644 meta/recipes-gnome/epiphany/files/0001-bookmarks-Check-for-return-value-of-fread.patch
 create mode 100644 meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-bad/link-with-libvchostif.patch
 create mode 100644 meta/recipes-support/icu/icu/0001-i18n-Drop-include-xlocale.h.patch

-- 
2.13.2