Commit | Line | Data |
---|---|---|
6cf77d05 SS |
1 | Build binaries in this package as RELRO PIEs, libraries as partial RELRO, |
2 | and install shared libraries with the execute bit set on them. Prune out | |
3 | the -L/usr/lib* and PIE flags where they might leak out and affect | |
4 | apps which just want to link with the libraries. FIXME: needs to check and | |
5 | not just assume that the compiler supports using these flags. | |
6 | ||
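--- a/krb5/src/config/shlib.conf
+++ b/krb5/src/config/shlib.conf
@@ -419,7 +419,7 @@ mips-*-netbsd*)
 SHLIBEXT=.so
 # Linux ld doesn't default to stuffing the SONAME field...
 # Use objdump -x to examine the fields of the library
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro'
 #
 LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
 SHLIB_EXPORT_FILE_DEP=binutils.versions
@@ -430,7 +430,8 @@
 SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 PROFFLAGS=-pg
 PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+ INSTALL_SHLIB='${INSTALL} -m755'
 CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'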
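Review bot: `CXX_LINK_SHARED`, two lines below the changed `CC_LINK_SHARED` in the second hunk, still links without `-pie -Wl,-z,relro -Wl,-z,now`, so any program in the tree linked through the C++ driver would be left without PIE and full RELRO. Mirroring the C line keeps the two in step: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. `-pie` at link time also needs objects compiled with `-fPIE`, which nothing in this section adds, so the build presumably relies on it arriving through `CFLAGS`; a comment saying so next to `CC_LINK_SHARED` would help. The result can be confirmed on an installed binary with `readelf -d` (look for `BIND_NOW`) and `readelf -l` (look for `GNU_RELRO`).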
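--- a/krb5/src/krb5-config.in
+++ b/krb5/src/krb5-config.in
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
 -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
 -e 's#\$(CFLAGS)##'`
 
+ if test `dirname $libdir` = /usr ; then
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+ fi
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
 if test $library = 'kdb'; then
 lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
 library=krb5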
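Review bot: The `sed` expressions on the added lines match substrings rather than whole flags, so with `libdir=/usr/lib` the pattern `-L$libdir` also eats the front of `-L/usr/lib64` or `-L/usr/lib/foo` and leaves a stray `64` or `/foo` token in the output of krb5-config. `$libdir` is also unquoted in the `test` and `dirname` call, which fails with a syntax error if it is empty or contains a space. Matching space-delimited tokens avoids the first problem, for example `echo " $lib_flags " | sed -e "s# -L$libdir # #g"`, and quoting `"$libdir"` fixes the second. Because the RELRO and BIND_NOW flags are stripped here as well, programs that take their link flags from krb5-config need to set their own hardening flags. The enclosing `if test -n "$do_libs"` block starts and ends outside the hunk.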
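--- a/krb5/src/config/pre.in
+++ b/krb5/src/config/pre.in
@@ -188,7 +188,7 @@
 INSTALL_SCRIPT=@INSTALL_PROGRAM@
 INSTALL_DATA=@INSTALL_DATA@
 INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
 ## This is needed because autoconf will sometimes define @exec_prefix@ to be
 ## ${prefix}.
 prefix=@prefix@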
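Review bot: With `-o root` dropped from `INSTALL_SETUID`, the mode is still 4755 but the owner becomes whoever runs `make install`, so a staged install by an unprivileged build user yields a binary that is setuid to that user until something else corrects the ownership. Presumably the packaging sets the owner to root afterwards; that dependency is not visible here and deserves a comment above the line, such as `## Owner is not forced here; the packaging step must set root ownership on anything installed with INSTALL_SETUID.` A check in the package build that lists setuid files not owned by root would catch a missed entry.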