###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt           #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

include Config

# Package identity: upstream name/version and the IPFire package revision.
PKG_NAME   = glibc
VER        = 2.9
PKG_VER    = 0

# Derived names: unpacked source directory, tarball and source path.
THISAPP    = $(PKG_NAME)-$(VER)
DL_FILE    = $(THISAPP).tar.bz2
DIR_APP    = $(DIR_SRC)/$(THISAPP)

# Per-stage marker for this package (presumably written by $(POSTBUILD) at
# the end of the build rule; "install" depends on it).
OBJECT     = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP)

# Packaging metadata, presumably consumed by DO_PKG_INFO / DO_PACKAGE from
# Config.
MAINTAINER =
GROUP      = System/Base
EXTRA      = no
DEBUG      = no
DEPS       =

URL        = http://sources.redhat.com/glibc/
LICENSE    = GPLv2+ LGPLv2+
SHORT_DESC = The GNU libc libraries.

define LONG_DESC
The glibc package contains standard libraries which are used by \
multiple programs on the system. In order to save disk space and \
memory, as well as to make upgrading easier, common system code is \
kept in one place and shared between programs. This particular package \
contains the most important sets of shared libraries: the standard C \
library and the standard math library. Without these two libraries, a \
Linux system will not function.
endef

# Compiler flags for this package (hardening flags are handled separately
# inside the build rule via configparms).
CFLAGS     = -O2 -pipe
CXXFLAGS   =

###############################################################################
# Top-level Rules
###############################################################################

# Local patches, all named $(THISAPP)-<suffix>.  Every one is downloaded;
# the undefine-__i686 patch is only applied when MACHINE is i686.
glibc_patches = pt_pax-1.patch \
	strlcpy_strlcat-1.patch \
	asprintf_reset2null-1.patch \
	issetugid-1.patch \
	localedef_trampoline-1.patch \
	sanitize_env.patch \
	mktemp_urandom.patch \
	res_randomid.patch \
	resolv_response_length.patch \
	undefine-__i686.patch \
	d_tlsdec.patch

# Everything that has to be fetched before the build: the glibc tarball, the
# libidn add-on tarball and the patches above.
objects = $(DL_FILE) \
	$(PKG_NAME)-libidn-$(VER).tar.bz2 \
	$(addprefix $(THISAPP)-,$(glibc_patches))

78 | download: $(objects) |
79 | ||
80 | info: | |
81 | $(DO_PKG_INFO) | |
82 | ||
83 | install: $(OBJECT) | |
cd1a2927 | 84 | |
858780eb MT |
85 | package: |
86 | @$(DO_PACKAGE) | |
cd1a2927 | 87 | |
858780eb | 88 | $(objects): |
cd1a2927 MT |
89 | @$(LOAD) |
90 | ||
cd1a2927 MT |
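###############################################################################
# Installation Details
###############################################################################

# Unpack, patch, configure, build and install glibc for the current $(STAGE):
# "toolchain" installs into $(TOOLS_DIR), "base" into the final system root.
# The source tree is $(DIR_APP), the (out of tree) build directory is
# $(DIR_SRC)/glibc-build.  Every recipe line runs in its own shell, hence the
# repeated "cd".  NOTE(review): this recipe relies on bash features (brace
# expansion in the "mv" lines, "echo -e"); SHELL is presumably set to bash
# in Config - confirm.
$(OBJECT): $(objects)
	@$(PREBUILD)
	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build && cd $(DIR_SRC) && $(EXTRACTOR) $(DIR_DL)/$(DL_FILE)
	@mkdir -p $(DIR_SRC)/glibc-build

# Extracting libidn into the source tree as "libidn" (presumably picked up
# by --enable-add-ons below).
	cd $(DIR_APP) && $(EXTRACTOR) $(DIR_DL)/$(PKG_NAME)-libidn-$(VER).tar.bz2
	cd $(DIR_APP) && mv -v $(PKG_NAME)-libidn-$(VER) libidn

# In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
# unknown whether this is a bash bug or a Glibc problem. Disable
# installation of this locale in order to avoid the problem.
	cd $(DIR_APP) && sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED

# The ldd shell script contains Bash-specific syntax. Change its default
# program interpreter to /bin/bash in case another /bin/sh is installed.
	cd $(DIR_APP) && sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in

# The next patch modifies the localedef program so it does not use GCC
# Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html),
# which relies on an executable stack to run. Without this patch the localedef
# program will be killed if it is run on a kernel with PaX memory protection.
# See http://pax.grsecurity.net/docs/pageexec.txt and
# http://pax.grsecurity.net/docs/segmexec.txt for more information:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-localedef_trampoline-1.patch

# Support for PT_PaX markings:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-pt_pax-1.patch

# The asprintf(3) and vasprintf(3) functions are GNU extensions, not defined
# by C or Posix standards. In Glibc these functions leave (char **strp) undefined
# after an error. This patch resets (char **strp) to NULL after an error, for
# sanity.
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-asprintf_reset2null-1.patch

# This patch adds the issetugid() function, which is a front-end to the
# __libc_enable_secure() dynamic linker private function. This function
# reports whether the program is running with matching real and effective
# ID's, or not, to determine whether the program is running with set-uid or
# set-gid privileges. Many packages will search for issetugid() and use it if
# found, such as Ncurses. This is safer than allowing each program to
# determine privileges itself because it is tested at a lower level which is
# not manipulatable by the user:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-issetugid-1.patch

# This patch restricts the environment, particularly with setuid programs:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-sanitize_env.patch

# This patch adds the strlcpy and strlcat functions and manual pages to Glibc.
# A paper written about these functions is available here:
# http://www.courtesan.com/todd/papers/strlcpy.html. The Glibc project has
# refused to add these functions, and that mail thread starts here:
# http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html. Linus Torvalds
# has added a similar function to the Linux kernel, and that mail thread is
# here: http://lwn.net/Articles/33814/. The strlcpy() and strlcat() functions
# are replacements for strncpy() and strncat(). The controversy of these
# functions is that strlcpy() and strlcat() copy the source data to the
# destination buffer until the destination is full, and discards the rest of
# the data if there is any. This means that these functions will never
# overflow. The basis for the Glibc team's refusal to add these functions is
# that they silently hide programming errors, and they have a higher performance
# hit than strncpy() and strncat(). These functions should not be needed in a
# perfect world, but were invented to deal with the real world. Many packages
# will use these functions if they are found, such as Perl and many BLFS
# packages. These functions do reduce buffer overflows, and so they are
# recommended. After installing this patch no other effort is needed to use it.
# Packages will use autotools to detect whether they are available or not:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-strlcpy_strlcat-1.patch

# The patch modifies __gen_tempname(), used by the mk*temp()/tmpnam() family
# of functions, to use /dev/urandom instead of hp-timing, gettimeofday(), or
# getpid():
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-mktemp_urandom.patch

# The res_randomid() function is a pseudo-random number generator, using
# getpid() for entropy. See: http://www.openbsd.org/advisories/res_random.txt
# for the vulnerability. This patch uses /dev/urandom instead:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-res_randomid.patch

# This patch does a check on the buffer size of res_* functions:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-resolv_response_length.patch

# We don't install pt_chown(1) on the final system, so why install it to
# $(TOOLS_DIR):
	cd $(DIR_APP) && sed -e "/^install.*pt_chown/d" -i login/Makefile

# ldconfig is statically linked, so don't build it PIC:
	cd $(DIR_APP) && sed "s/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/" \
		-i elf/Makefile

# Build nscd with -fstack-protector-all, instead of -fstack-protector:
	cd $(DIR_APP) && sed -e "s/fstack-protector/&-all/" -i nscd/Makefile

# We don't need to set -march=i?86 in confparams because GCC was built with
# --with-arch=i?86.
# Only on i686: the patch is fetched for every MACHINE but applied here only.
ifeq "$(MACHINE)" "i686"
	cd $(DIR_APP) && patch -Np0 -i $(DIR_PATCHES)/$(THISAPP)-undefine-__i686.patch
endif

# Replace a direct call of a i686 function (Not able to compile at i586)
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-d_tlsdec.patch

# --sbindir=$(TOOLS_DIR)/bin does not work... anyone want to fix this?
# We don't need Glibc's sbin programs, but still.

# NOTE(review): despite the wording below, --enable-stackguard-randomization
# IS passed to both configure invocations in this rule; the original note is
# kept for the rationale.
# --enable-stackguard-randomization could be added here, but this is primarily
# for attacks by local users, and we shouldn't have those in the rebooted
# system. Adding this will empty the /dev/random entropy pool (via
# /dev/urandom), unless the system is running a Random Number Gathering Daemon
# (rngd). This version of Glibc uses high precision timing with SSP, so the
# canary value changes at run-time. This is not as good as /dev/urandom, but
# it's better than nothing and has very good performance.

ifeq "$(STAGE)" "toolchain"
# Glibc uses a hard coded path for /etc/ld.so.preload. To keep Glibc from
# preloading libraries from the host machine, point it elsewhere.
# NOTE(review): the replacement is the bare $(TOOLS_DIR) (a directory, not a
# file path), so no preload file can be parsed in this stage - presumably
# intended; confirm.
	cd $(DIR_APP) && sed -e "s@/etc/ld.so.preload@$(TOOLS_DIR)@" -i elf/rtld.c
# "-p" makes this idempotent, so a real failure (e.g. permissions) is no
# longer hidden behind an error-ignoring "-" prefix.
	mkdir -pv $(TOOLS_DIR)/etc
	touch $(TOOLS_DIR)/etc/ld.so.conf

	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=$(TOOLS_DIR) \
			--libexecdir=$(TOOLS_DIR)/lib/$(PKG_NAME) \
			--with-headers=$(TOOLS_DIR)/include \
			--with-binutils=$(TOOLS_DIR)/bin \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--without-gd \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

ifeq "$(STAGE)" "base"
# Provide /bin/pwd from the toolchain if the final system lacks it; the
# symlink is removed again at the end of this stage block.
	if [ ! -e /bin/pwd ]; then ln -sfn $(TOOLS_DIR)/bin/pwd /bin/pwd; fi
# Compile configure's -nostdlib test programs without SSP (presumably because
# no libc is linked in to provide the stack-protector runtime - confirm).
	cd $(DIR_APP) && sed 's/-nostdlib/& -fno-stack-protector/g' -i.orig configure
# Make the post-install test link against /usr/lib with our dynamic linker.
	cd $(DIR_APP) && sed -i 's|libs -o|libs -L/usr/lib -Wl,-dynamic-linker=$(LINKER) -o|' \
		scripts/test-installation.pl
	touch /etc/ld.so.conf

	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=/usr \
			--libexecdir=/usr/lib/glibc \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--disable-werror \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

# First pass: libraries only (build-programs=no).
# Our GCC is already passing -fPIC, and that's all we want for the libraries.
# LDFLAGS.so is appended to so we don't build shared libraries with
# DT_TEXTREL (and to tell us if something goes wrong): --warn-shared-textrel
# together with --fatal-warnings turns a text relocation into a build error.
# (-nonow/-nopie are presumably switches of the hardened GCC driver in this
# tree - confirm.)
	echo "build-programs=no" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "LDFLAGS.so += -Wl,--warn-shared-textrel,--fatal-warnings" \
		>> $(DIR_SRC)/glibc-build/configparms
# NOTE(review): plain "make" rather than $(MAKE) is presumably deliberate so
# the outer build's MAKEFLAGS / command-line overrides are not inherited by
# glibc's own makefiles; parallelism is handed over explicitly through
# PARALLELMFLAGS.  Confirm before changing.
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)

# Second pass: the programs, built with hardening (PIE, -fstack-protector-all,
# _FORTIFY_SOURCE=2, and full RELRO via -z,relro -z,now in the replaced +link
# rule), so everything possible in $(TOOLS_DIR) is hardened.  sln.c keeps
# -fno-PIC -fno-PIE (presumably static, like ldconfig above).  The "\$$" and
# "\\" escapes survive both make and the shell so configparms receives
# literal $(...) references and line continuations.
	@rm -f $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CFLAGS-sln.c += -fno-PIC -fno-PIE" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "+link = \$$(CC) -nostdlib -nostartfiles -fPIE -pie -o \$$@ \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(sysdep-LDFLAGS) \$$(config-LDFLAGS) \$$(LDFLAGS) \$$(LDFLAGS-\$$(@F)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,-z,combreloc -Wl,-z,relro -Wl,-z,now \$$(hashstyle-LDFLAGS) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,--warn-shared-textrel,--fatal-warnings \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(addprefix \$$(csu-objpfx),S\$$(start-installed-name)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) `\$$(CC) --print-file-name=crtbeginS.o` \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(filter-out \$$(addprefix \$$(csu-objpfx),start.o \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(start-installed-name))\\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) \$$(link-extra-libs) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(common-objpfx)libc% \$$(+postinit),\$$^) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(link-extra-libs) \$$(link-libc) `\$$(CC) --print-file-name=crtendS.o` \$$(+postinit)" \
		>> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)
	cd $(DIR_SRC)/glibc-build && make install

ifeq "$(STAGE)" "base"
# Move the static archives out of /usr/lib into /usr/lib/static/ (bash
# brace expansion).
	install -vd /usr/lib/static/
	mv -v /usr/lib/{libbsd-compat,libg,libieee,libmcheck}.a /usr/lib/static/
	mv -v /usr/lib/{libBrokenLocale,libanl,libcrypt}.a /usr/lib/static/
	mv -v /usr/lib/{libm,libnsl,libpthread,libresolv}.a /usr/lib/static/
	mv -v /usr/lib/{librpcsvc,librt,libutil}.a /usr/lib/static/

# Locales: "make localedata/install-locales" would install every supported
# locale; we only generate a minimal set.
	mkdir -pv /usr/lib/locale
	cd $(DIR_SRC)/glibc-build && localedef -i de_DE -f UTF-8 de_DE.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i en_US -f UTF-8 en_US.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i da_DK -f UTF-8 da_DK.UTF-8

# Timezone: default to GMT.
	cp -v --remove-destination /usr/share/zoneinfo/GMT /etc/localtime

# Set up ld.so.conf (appends to the file touched above).
	echo -e "# Begin /etc/ld.so.conf\n" >> /etc/ld.so.conf
	echo -e "/usr/local/lib\n" >> /etc/ld.so.conf
	echo "# End /etc/ld.so.conf" >> /etc/ld.so.conf

# Drop the temporary /bin/pwd symlink created at the start of this stage.
# NOTE(review): this removes any symlink at /bin/pwd, not only ours - confirm
# that is acceptable at this point of the build.
	if [ -h /bin/pwd ]; then rm -f /bin/pwd; fi
endif

	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build
	@$(POSTBUILD)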