cd1a2927 1###############################################################################
cd1a2927 2# #
70df8302 3# IPFire.org - A linux based firewall #
858780eb 4# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt #
5# #
6# This program is free software: you can redistribute it and/or modify #
cd1a2927 7# it under the terms of the GNU General Public License as published by #
70df8302 8# the Free Software Foundation, either version 3 of the License, or #
9# (at your option) any later version. #
10# #
70df8302 11# This program is distributed in the hope that it will be useful, #
12# but WITHOUT ANY WARRANTY; without even the implied warranty of #
13# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the #
14# GNU General Public License for more details. #
15# #
16# You should have received a copy of the GNU General Public License #
70df8302 17# along with this program. If not, see <http://www.gnu.org/licenses/>. #
cd1a2927 18# #
19###############################################################################
20
21###############################################################################
22# Definitions
23###############################################################################
24
25include Config
26
# Upstream package name and version, plus this build file's own revision
# counter (PKG_VER).
PKG_NAME = glibc
VER = 2.9
PKG_VER = 0

# Derived names: the source tarball to fetch and the directory it unpacks to.
THISAPP = $(PKG_NAME)-$(VER)
DL_FILE = $(THISAPP).tar.bz2
DIR_APP = $(DIR_SRC)/$(THISAPP)

# Target of the installation rule; the path contains the stage, so every build
# stage gets its own target.
OBJECT = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP)

# Package metadata.
MAINTAINER =
GROUP = System/Base
EXTRA = no
DEBUG = no
DEPS =

# NOTE(review): plain-http upstream URL. Whether it is only informational or
# is also used by the download macro is not visible in this file; if it is used
# for fetching, the tarball needs a pinned checksum or signature check.
URL = http://sources.redhat.com/glibc/
LICENSE = GPLv2+ LGPLv2+
SHORT_DESC = The GNU libc libraries.

define LONG_DESC
	The glibc package contains standard libraries which are used by \
	multiple programs on the system. In order to save disk space and \
	memory, as well as to make upgrading easier, common system code is \
	kept in one place and shared between programs. This particular package \
	contains the most important sets of shared libraries: the standard C \
	library and the standard math library. Without these two libraries, a \
	Linux system will not function.
endef

# Compiler flags for this package: optimisation only, CXXFLAGS emptied.
# NOTE(review): presumably this replaces flags inherited from Config so that
# the configparms files written by the install rule decide which hardening
# options each build pass gets; confirm against Config.
CFLAGS = -O2 -pipe
CXXFLAGS =
59
60###############################################################################
61# Top-level Rules
62###############################################################################
63
# Every file that has to be present before the build: the glibc tarball, the
# libidn add-on tarball and the patches applied by the $(OBJECT) rule.
# NOTE(review): no checksum or signature for these files is visible in this
# file. Confirm that the $(LOAD) macro verifies what it fetches; a tampered
# libc tarball or patch would compromise every binary built afterwards.
objects = $(DL_FILE) \
	$(PKG_NAME)-libidn-$(VER).tar.bz2 \
	$(THISAPP)-pt_pax-1.patch \
	$(THISAPP)-strlcpy_strlcat-1.patch \
	$(THISAPP)-asprintf_reset2null-1.patch \
	$(THISAPP)-issetugid-1.patch \
	$(THISAPP)-localedef_trampoline-1.patch \
	$(THISAPP)-sanitize_env.patch \
	$(THISAPP)-mktemp_urandom.patch \
	$(THISAPP)-res_randomid.patch \
	$(THISAPP)-resolv_response_length.patch \
	$(THISAPP)-undefine-__i686.patch \
	$(THISAPP)-d_tlsdec.patch
cd1a2927 77
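# Entry points used by the build system. None of them names a real file, so
# they are declared phony; otherwise a stray file called "install" or
# "package" in the working directory would make the target look up to date and
# silently skip the step.
.PHONY: download info install package

# Fetch every tarball and patch listed in $(objects).
download: $(objects)

# Runs the DO_PKG_INFO macro (defined outside this file).
info:
	$(DO_PKG_INFO)

# Build and install the package for the current stage.
install: $(OBJECT)

# Runs the DO_PACKAGE macro (defined outside this file).
package:
	@$(DO_PACKAGE)

# Each source file is obtained through the LOAD macro (defined outside this
# file). NOTE(review): integrity checking of the downloaded files is not
# visible here; confirm that LOAD enforces it.
$(objects):
	@$(LOAD)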
90
91###############################################################################
92# Installation Details
93###############################################################################
94
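# Build and install glibc for the current $(STAGE): unpack the sources and the
# libidn add-on, apply the hardening and compatibility patches, configure for
# the "toolchain" or "base" stage, build the libraries without hardening flags,
# rebuild the programs with hardening flags, install, and clean up.
$(OBJECT): $(objects)
	@$(PREBUILD)
	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build && cd $(DIR_SRC) && $(EXTRACTOR) $(DIR_DL)/$(DL_FILE)
	@mkdir $(DIR_SRC)/glibc-build

	# Extracting libidn
	cd $(DIR_APP) && $(EXTRACTOR) $(DIR_DL)/$(PKG_NAME)-libidn-$(VER).tar.bz2
	cd $(DIR_APP) && mv -v $(PKG_NAME)-libidn-$(VER) libidn

	# In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
	# unknown whether this is a bash bug or a Glibc problem. Disable
	# installation of this locale in order to avoid the problem.
	cd $(DIR_APP) && sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED

	# The ldd shell script contains Bash-specific syntax. Change its default
	# program interpreter to /bin/bash in case another /bin/sh is installed.
	cd $(DIR_APP) && sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in

	# The next patch modifies the localedef program so it does not use GCC
	# Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html),
	# which relies on an executable stack to run. Without this patch the localedef
	# program will be killed if it is run on a kernel with PaX memory protection.
	# See http://pax.grsecurity.net/docs/pageexec.txt and
	# http://pax.grsecurity.net/docs/segmexec.txt for more information:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-localedef_trampoline-1.patch

	# Support for PT_PaX markings:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-pt_pax-1.patch

	# The asprintf(3) and vasprintf(3) functions are GNU extensions, not defined
	# by C or Posix standards. In Glibc these functions leave (char **strp) undefined
	# after an error. This patch resets (char **strp) to NULL after an error, for
	# sanity.
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-asprintf_reset2null-1.patch

	# This patch adds the issetugid() function, which is a front-end to the
	# __libc_enable_secure() dynamic linker private function. This function
	# reports whether the program is running with matching real and effective
	# ID's, or not, to determine whether the program is running with set-uid or
	# set-gid privileges. Many packages will search for issetugid() and use it if
	# found, such as Ncurses. This is safer than allowing each program to
	# determine privileges itself because it is tested at a lower level which is
	# not manipulatable by the user. Apply this patch with the following command:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-issetugid-1.patch

	# This patch restricts the environment, particularly with setuid programs:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-sanitize_env.patch

	# This patch adds the strlcpy and strlcat functions and manual pages to Glibc.
	# A paper written about these functions is available here:
	# http://www.courtesan.com/todd/papers/strlcpy.html. The Glibc project has
	# refused to add these functions, and that mail thread starts here:
	# http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html. Linus Torvalds
	# has added a similar function to the Linux kernel, and that mail thread is
	# here: http://lwn.net/Articles/33814/. The strlcpy() and strlcat() functions
	# are replacements for strncpy() and strncat(). The controversy of these
	# functions is that strlcpy() and strlcat() copy the source data to the
	# destination buffer until the destination is full, and discards the rest of
	# the data if there is any. This means that these functions will never
	# overflow. The basis for the Glibc team's refusal to add these functions is
	# that they silently hide programming errors, and they have a higher performance
	# hit than strncpy() and strncat(). These functions should not be needed in a
	# perfect world, but were invented to deal with the real world. Many packages
	# will use these functions if they are found, such as Perl and many BLFS
	# packages. These functions do reduce buffer overflows, and so they are
	# recommended. After installing this patch no other effort is needed to use it.
	# Packages will use autotools to detect whether they are available or not:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-strlcpy_strlcat-1.patch

	# The patch modifies __gen_tempname(), used by the mk*temp()/tmpnam() family
	# of functions, to use /dev/urandom instead of hp-timing, gettimeofday(), or
	# getpid():
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-mktemp_urandom.patch

	# The res_randomid() function is a pseudo-random number generator, using
	# getpid() for entropy. See: http://www.openbsd.org/advisories/res_random.txt
	# for the vulnerability. This patch uses /dev/urandom instead:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-res_randomid.patch

	# This patch does a check on the buffer size of res_* functions:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-resolv_response_length.patch

	# We don't install pt_chown(1) on the final system, so why install it to
	# $(TOOLS_DIR):
	cd $(DIR_APP) && sed -e "/^install.*pt_chown/d" -i login/Makefile

	# ldconfig is statically linked, so don't build it PIC:
	cd $(DIR_APP) && sed "s/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/" \
		-i elf/Makefile

	# Build nscd with -fstack-protector-all, instead of -fstack-protector:
	cd $(DIR_APP) && sed -e "s/fstack-protector/&-all/" -i nscd/Makefile

	# We don't need to set -march=i?86 in confparams because GCC was built with
	# --with-arch=i?86.
ifeq "$(MACHINE)" "i686"
	cd $(DIR_APP) && patch -Np0 -i $(DIR_PATCHES)/$(THISAPP)-undefine-__i686.patch
endif

	# Replace a direct call of a i686 function (Not able to compile at i586)
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-d_tlsdec.patch

	# --sbindir=$(TOOLS_DIR)/bin does not work... anyone want to fix this?
	# We don't need Glibc's sbin programs, but still.

	# NOTE(review): both configure invocations below pass
	# --enable-stackguard-randomization, so the earlier remark that it "could be
	# added here" no longer matches the build. The trade-off it described still
	# applies: the option is primarily a defence against attacks by local users
	# and draws on the /dev/random entropy pool (via /dev/urandom) unless the
	# system is running a Random Number Gathering Daemon (rngd). Without the
	# option this version of Glibc uses high precision timing with SSP, so the
	# canary value still changes at run-time, which is weaker than /dev/urandom.

ifeq "$(STAGE)" "toolchain"
	# Glibc uses a hard coded path for /etc/ld.so.preload. To keep Glibc from
	# preloading libraries from the host machine perform the following command.
	# NOTE(review): the replacement is the bare $(TOOLS_DIR), not a file beneath
	# it, so the preload path compiled into rtld names a directory. Confirm this
	# is intended and not a truncated path to a preload file under the tools tree.
	cd $(DIR_APP) && sed -e "s@/etc/ld.so.preload@$(TOOLS_DIR)@" -i elf/rtld.c
	# mkdir -p succeeds when the directory already exists and still fails on a
	# real error, which an ignore-errors prefix would have hidden.
	mkdir -pv $(TOOLS_DIR)/etc
	touch $(TOOLS_DIR)/etc/ld.so.conf

	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=$(TOOLS_DIR) \
			--libexecdir=$(TOOLS_DIR)/lib/$(PKG_NAME) \
			--with-headers=$(TOOLS_DIR)/include \
			--with-binutils=$(TOOLS_DIR)/bin \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--without-gd \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

ifeq "$(STAGE)" "base"
	# Temporary /bin/pwd symlink for the build; it is removed again at the end
	# of this stage.
	if [ ! -e /bin/pwd ]; then ln -sfn $(TOOLS_DIR)/bin/pwd /bin/pwd; fi
	# Add -fno-stack-protector wherever configure links with -nostdlib
	# (presumably because those link tests cannot resolve the SSP symbols;
	# confirm).
	cd $(DIR_APP) && sed 's/-nostdlib/& -fno-stack-protector/g' -i.orig configure
	# Make the installation test link against /usr/lib with $(LINKER) as the
	# dynamic linker.
	cd $(DIR_APP) && sed -i 's|libs -o|libs -L/usr/lib -Wl,-dynamic-linker=$(LINKER) -o|' \
		scripts/test-installation.pl
	touch /etc/ld.so.conf

	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=/usr \
			--libexecdir=/usr/lib/glibc \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--disable-werror \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

	# Our GCC is already passing -fPIC, and that's all we want for the libraries.
	# LDFLAGS.so is appended to so we don't build shared libraries with
	# DT_TEXTREL (and to tell us if something goes wrong). For now we only build
	# the libraries, not the programs.
	# NOTE(review): -nonow and -nopie are not stock GCC options; presumably they
	# are switches of this distribution's hardened compiler specs. Confirm that
	# the toolchain in use accepts them.
	echo "build-programs=no" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "LDFLAGS.so += -Wl,--warn-shared-textrel,--fatal-warnings" \
		>> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)

	# Then build the programs with hardening, so everything possible in
	# $(TOOLS_DIR) is hardened. The +link definition written below links the
	# programs as PIE with relro and immediate binding (-z now).
	# NOTE(review): the two backquoted --print-file-name calls sit inside double
	# quotes, so the shell that runs echo appears to evaluate them while writing
	# the file instead of leaving them for the Glibc build. Inspect the generated
	# configparms to confirm crtbeginS.o and crtendS.o end up in the link line.
	@rm -f $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CFLAGS-sln.c += -fno-PIC -fno-PIE" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "+link = \$$(CC) -nostdlib -nostartfiles -fPIE -pie -o \$$@ \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(sysdep-LDFLAGS) \$$(config-LDFLAGS) \$$(LDFLAGS) \$$(LDFLAGS-\$$(@F)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,-z,combreloc -Wl,-z,relro -Wl,-z,now \$$(hashstyle-LDFLAGS) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,--warn-shared-textrel,--fatal-warnings \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(addprefix \$$(csu-objpfx),S\$$(start-installed-name)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) `\$$(CC) --print-file-name=crtbeginS.o` \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(filter-out \$$(addprefix \$$(csu-objpfx),start.o \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(start-installed-name))\\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) \$$(link-extra-libs) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(common-objpfx)libc% \$$(+postinit),\$$^) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(link-extra-libs) \$$(link-libc) `\$$(CC) --print-file-name=crtendS.o` \$$(+postinit)" \
		>> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)
	cd $(DIR_SRC)/glibc-build && make install

ifeq "$(STAGE)" "base"
	# Move the static archives out of the default library directory. The brace
	# lists need a shell with brace expansion (presumably bash, set in Config).
	install -vd /usr/lib/static/
	mv -v /usr/lib/{libbsd-compat,libg,libieee,libmcheck}.a /usr/lib/static/
	mv -v /usr/lib/{libBrokenLocale,libanl,libcrypt}.a /usr/lib/static/
	mv -v /usr/lib/{libm,libnsl,libpthread,libresolv}.a /usr/lib/static/
	mv -v /usr/lib/{librpcsvc,librt,libutil}.a /usr/lib/static/

	# Locales
	mkdir -pv /usr/lib/locale
	# This would install all locales that are supported, but we do only
	# install a minimal set of them
	#cd $(DIR_SRC)/glibc-build && make localedata/install-locales
	cd $(DIR_SRC)/glibc-build && localedef -i de_DE -f UTF-8 de_DE.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i en_US -f UTF-8 en_US.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i da_DK -f UTF-8 da_DK.UTF-8

	# Timezone
	cp -v --remove-destination /usr/share/zoneinfo/GMT /etc/localtime

	# Set up ld.so.conf
	# NOTE(review): these lines append, so re-running the base stage duplicates
	# the entries in /etc/ld.so.conf.
	echo -e "# Begin /etc/ld.so.conf\n" >> /etc/ld.so.conf
	echo -e "/usr/local/lib\n" >> /etc/ld.so.conf
	echo "# End /etc/ld.so.conf" >> /etc/ld.so.conf

	if [ -h /bin/pwd ]; then rm -f /bin/pwd; fi
endif

	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build
	@$(POSTBUILD)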