###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt           #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the                #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program. If not, see <http://www.gnu.org/licenses/>.        #
#                                                                             #
###############################################################################

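###############################################################################
# Definitions
###############################################################################

include ../../Config

PKG_NAME = glibc
PKG_VER = 2.10.1
PKG_REL = 0

PKG_MAINTAINER = Michael Tremer <michael.tremer@ipfire.org>
PKG_GROUP = System/Base
PKG_URL = http://sources.redhat.com/glibc/
PKG_LICENSE = GPLv2+ LGPLv2+
PKG_SUMMARY = The GNU libc libraries.

define PKG_DESCRIPTION
The glibc package contains standard libraries which are used by \
multiple programs on the system. In order to save disk space and \
memory, as well as to make upgrading easier, common system code is \
kept in one place and shared between programs. This particular package \
contains the most important sets of shared libraries: the standard C \
library and the standard math library. Without these two libraries, a \
Linux system will not function.
endef

# glibc has no build dependencies on other packages; the value is
# deliberately empty (comment kept off the assignment line).
PKG_BUILD_DEPS =

# Hardened flags for the programs built in the second pass of $(STAGE_BUILD).
# The libraries themselves are compiled there with an explicit
# "-fno-stack-protector -U_FORTIFY_SOURCE" instead, and these flags are also
# written into glibc's configparms for the program pass.
CFLAGS = -O2 -fomit-frame-pointer -pipe -DPIC -fno-strict-aliasing \
         -mno-tls-direct-seg-refs -D_FORTIFY_SOURCE=2 \
         -fstack-protector-all
# Recursive (=) on purpose so CXXFLAGS follows any later change to CFLAGS.
CXXFLAGS = $(CFLAGS)

# Passed to configure as --enable-kernel: the oldest kernel the built
# glibc will run on.
OPTIMIZED_KERNEL = 2.6.18

PKG_OBJECTS += $(THISAPP).tar.bz2

# Patches are applied by $(DO_PATCHES) in $(STAGE_PREPARE); presumably in the
# order listed here, so keep the order when adding entries.

# Support for PT_PaX markings:
PKG_PATCHES += $(THISAPP)-pt_pax-1.patch

# This patch adds the strlcpy and strlcat functions and manual pages to Glibc.
# A paper written about these functions is available here:
# http://www.courtesan.com/todd/papers/strlcpy.html. The Glibc project has
# refused to add these functions, and that mail thread starts here:
# http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html. Linus Torvalds
# has added a similar function to the Linux kernel, and that mail thread is
# here: http://lwn.net/Articles/33814/. The strlcpy() and strlcat() functions
# are replacements for strncpy() and strncat(). The controversy of these
# functions is that strlcpy() and strlcat() copy the source data to the
# destination buffer until the destination is full, and discard the rest of
# the data if there is any. This means that these functions will never
# overflow. The basis for the Glibc team's refusal to add these functions is
# that they silently hide programming errors, and they have a higher
# performance hit than strncpy() and strncat(). These functions should not be
# needed in a perfect world, but were invented to deal with the real world.
# Many packages will use these functions if they are found, such as Perl and
# many BLFS packages. These functions do reduce buffer overflows, and so they
# are recommended. After installing this patch no other effort is needed to
# use it. Packages will use autotools to detect whether they are available or
# not:
PKG_PATCHES += $(THISAPP)-strlcpy_strlcat-1.patch

# The asprintf(3) and vasprintf(3) functions are GNU extensions, not defined
# by the C or POSIX standards. In Glibc these functions leave (char **strp)
# undefined after an error. This patch resets (char **strp) to NULL after an
# error, for sanity.
PKG_PATCHES += $(THISAPP)-asprintf_reset2null-1.patch

# This patch adds the issetugid() function, which is a front-end to the
# __libc_enable_secure() dynamic linker private function. This function
# reports whether the program is running with matching real and effective
# IDs, or not, to determine whether the program is running with set-uid or
# set-gid privileges. Many packages will search for issetugid() and use it if
# found, such as Ncurses. This is safer than allowing each program to
# determine privileges itself because it is tested at a lower level which is
# not manipulatable by the user.
PKG_PATCHES += $(THISAPP)-issetugid-1.patch

# The next patch modifies the localedef program so it does not use GCC
# Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html),
# which relies on an executable stack to run. Without this patch the localedef
# program will be killed if it is run on a kernel with PaX memory protection.
# See http://pax.grsecurity.net/docs/pageexec.txt and
# http://pax.grsecurity.net/docs/segmexec.txt for more information:
PKG_PATCHES += $(THISAPP)-localedef_trampoline-1.patch

# This patch restricts the environment, particularly with setuid programs.
# It is currently disabled:
#PKG_PATCHES += $(THISAPP)-sanitize_env.patch

# The patch modifies __gen_tempname(), used by the mk*temp()/tmpnam() family
# of functions, to use /dev/urandom instead of hp-timing, gettimeofday(), or
# getpid():
PKG_PATCHES += $(THISAPP)-mktemp_urandom.patch

# The res_randomid() function is a pseudo-random number generator, using
# getpid() for entropy. See: http://www.openbsd.org/advisories/res_random.txt
# for the vulnerability. This patch uses /dev/urandom instead:
PKG_PATCHES += $(THISAPP)-res_randomid.patch

# This patch does a check on the buffer size of res_* functions:
PKG_PATCHES += $(THISAPP)-resolv_response_length.patch

# Remaining patches carry no description in this file; see the patch headers
# in $(DIR_SOURCE).
PKG_PATCHES += $(THISAPP)-undefine-__i686.patch
PKG_PATCHES += $(THISAPP)-arc4random.patch
PKG_PATCHES += $(THISAPP)-hardened-configure-picdefault.patch
PKG_PATCHES += $(THISAPP)-hardened-inittls-nosysenter.patch
PKG_PATCHES += $(THISAPP)-hardened-pie.patch

# Shared rules; expected to provide THISAPP, the DIR_* and STAGE_* names and
# the PRE_*/POST_*/DO_* hooks used by the stage recipes below.
include ../../Rules
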
###############################################################################
# Installation Details
###############################################################################

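# Prepare stage: unpack the glibc tarball into $(DIR_APP), create the
# out-of-tree build directory, apply the patches and do the source tweaks
# that have to happen before configure.
$(STAGE_PREPARE): $(OBJECTS)
	@$(PRE_PREPARE)
# Refuse to run the recursive delete below with unset directories: an empty
# $(DIR_SRC) would turn it into "rm -rf /glibc-build".
	@$(if $(and $(strip $(DIR_SRC)),$(strip $(DIR_APP))),:,$(error DIR_SRC and DIR_APP must be set))
# Start from a clean tree: remove any previous unpack and build directory,
# then extract the first object (the tarball added to PKG_OBJECTS above).
	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build && cd $(DIR_SRC) && $(DO_EXTRACT) $(DIR_DL)/$(firstword $(PKG_OBJECTS))
	@mkdir -p $(DIR_SRC)/glibc-build

# In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
# unknown whether this is a bash bug or a Glibc problem. Disable
# installation of this locale in order to avoid the problem.
	cd $(DIR_APP) && sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED

# The ldd shell script contains Bash-specific syntax. Change its default
# program interpreter to /bin/bash in case another /bin/sh is installed.
	cd $(DIR_APP) && sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in

# $(DO_PATCHES) comes from ../../Rules; it is expected to apply the
# PKG_PATCHES listed in this file.
	$(DO_PATCHES)

# We don't install pt_chown(1) on the final system, so why install it to
# $(TOOLS_DIR):
	cd $(DIR_APP) && sed -e "/^install.*pt_chown/d" -i login/Makefile

# ldconfig is statically linked, so don't build it PIC:
	cd $(DIR_APP) && sed -e "s/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/" -i elf/Makefile

# Build nscd with -fstack-protector-all, instead of -fstack-protector:
	cd $(DIR_APP) && sed -e "s/fstack-protector/&-all/" -i nscd/Makefile

# We don't need to set -march=i?86 in confparams because GCC was built with
# --with-arch=i?86.

# Replace glibc's debug/stack_chk_fail.c (the handler run when SSP detects a
# smashed stack) with this package's own version from $(DIR_SOURCE).
	cp -f $(DIR_SOURCE)/$(THISAPP)-stack_chk_fail.c $(DIR_APP)/debug/stack_chk_fail.c

	@$(POST_PREPARE)
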
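# Build stage: configure out of tree, build the libraries without SSP/FORTIFY
# in a first pass, then build the programs with the hardened $(CFLAGS).
$(STAGE_BUILD): $(STAGE_PREPARE)
	@$(PRE_BUILD)

# Presumably the glibc build expects /bin/pwd to exist; on a host without it,
# point it at the toolchain's pwd. NOTE: this writes to the host filesystem
# outside $(BUILDROOT); $(STAGE_INSTALL) removes the link again.
	if [ ! -e /bin/pwd ]; then ln -sfn $(TOOLS_DIR)/bin/pwd /bin/pwd; fi

# Objects that configure links with -nostdlib get no stack protector
# (presumably because no libc is available to them at that point).
	cd $(DIR_APP) && sed 's/-nostdlib/& -fno-stack-protector/g' -i.orig configure

# Make the installation test link against the new libraries with the
# dynamic linker from $(LINKER):
	cd $(DIR_APP) && sed -i 's|libs -o|libs -L/usr/lib -Wl,-dynamic-linker=$(LINKER) -o|' \
		scripts/test-installation.pl

# Configure with CFLAGS/CXXFLAGS cleared in the environment (the flags for
# each pass are passed explicitly below).
# On --enable-stackguard-randomization: the original note here argued against
# it (it primarily counters local users, which the rebooted system should not
# have, and it was said to drain the /dev/random entropy pool via /dev/urandom
# unless rngd is running; without it this Glibc derives the canary from high
# precision timing). The option IS passed below, so that entropy caveat
# applies to this build.
	cd $(DIR_SRC)/glibc-build && \
		CFLAGS= \
		CXXFLAGS= \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=/usr \
			--libexecdir=/usr/lib/glibc \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=$(OPTIMIZED_KERNEL) \
			--without-selinux \
			--disable-werror \
			--enable-bind-now \
			--enable-stackguard-randomization \
			--with-stack-protector=all \
			--enable-omitfp

# Pass 1, libraries only. Our GCC is already passing -fPIC, and that's all we
# want for the libraries. (The original note also mentioned appending to
# LDFLAGS.so to avoid DT_TEXTREL in shared libraries; nothing to that effect
# is written to configparms here.) The libraries are deliberately built
# without SSP and without FORTIFY_SOURCE.
	echo "build-programs=no" \
		>> $(DIR_SRC)/glibc-build/configparms
# $(MAKE) rather than a bare make so -n and the jobserver propagate;
# PARALLELISMFLAGS is quoted in case it contains spaces.
	cd $(DIR_SRC)/glibc-build && $(MAKE) PARALLELMFLAGS="$(PARALLELISMFLAGS)" \
		CFLAGS="-O2 -DPIC -fno-stack-protector -U_FORTIFY_SOURCE" \
		CXXFLAGS="-O2 -DPIC -fno-stack-protector -U_FORTIFY_SOURCE"

# Pass 2: rewrite configparms (this drops build-programs=no) and build the
# programs with hardening, so everything possible in $(TOOLS_DIR) is hardened:
	echo "CFLAGS = $(CFLAGS)" > $(DIR_SRC)/glibc-build/configparms
	echo "CXXFLAGS = $(CXXFLAGS)" >> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && $(MAKE) PARALLELMFLAGS="$(PARALLELISMFLAGS)" \
		CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)"

	@$(POST_BUILD)
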
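# Install stage: install into $(BUILDROOT), relocate the static archives,
# install locales, the default timezone and the config files, and undo the
# host-side /bin/pwd link from $(STAGE_BUILD).
$(STAGE_INSTALL): $(STAGE_BUILD)
	@$(PRE_INSTALL)
# Every path below is rooted at $(BUILDROOT); with it empty the rm/mv lines
# would operate on the host's /usr/lib and /lib, so refuse to continue.
	@$(if $(strip $(BUILDROOT)),:,$(error BUILDROOT is empty))

	cd $(DIR_SRC)/glibc-build && $(MAKE) install install_root=$(BUILDROOT)

# Move the static archives out of the runtime library directory.
# NOTE: the {a,b} lists are bash brace expansion; this assumes $(SHELL) is
# bash, as the original recipe already did.
	install -vd $(BUILDROOT)/usr/lib/static/
	mv -v $(BUILDROOT)/usr/lib/{libbsd-compat,libg,libieee,libmcheck}.a $(BUILDROOT)/usr/lib/static/
	mv -v $(BUILDROOT)/usr/lib/{libBrokenLocale,libanl,libcrypt}.a $(BUILDROOT)/usr/lib/static/
	mv -v $(BUILDROOT)/usr/lib/{libm,libnsl,libpthread,libresolv}.a $(BUILDROOT)/usr/lib/static/
	mv -v $(BUILDROOT)/usr/lib/{librpcsvc,librt,libutil}.a $(BUILDROOT)/usr/lib/static/

# Drop the debugging (_g) archive variants:
	rm -vf $(BUILDROOT){/usr,}/lib/*_g.a

# Locales. mkdir -p does not fail on an existing directory, so a real error
# (e.g. permissions) should abort rather than be ignored.
	mkdir -pv $(BUILDROOT)/usr/lib/locale
# The original note says only a minimal set of locales is installed; this file
# only removes vi_VN.TCVN from localedata/SUPPORTED in $(STAGE_PREPARE), so
# where the set is trimmed further is not visible here -- TODO confirm.
	cd $(DIR_SRC)/glibc-build && $(MAKE) localedata/install-locales install_root=$(BUILDROOT)

# Timezone: default to GMT.
	mkdir -p $(BUILDROOT)/etc
	cp -v --remove-destination $(BUILDROOT)/usr/share/zoneinfo/GMT $(BUILDROOT)/etc/localtime

# Configuration files shipped with this package:
	cp -vf $(DIR_SOURCE)/{ld.so.conf,nsswitch.conf} $(BUILDROOT)/etc

# Remove the /bin/pwd link that $(STAGE_BUILD) may have created on the host,
# but only if it is ours: a pre-existing symlink pointing elsewhere is left
# alone instead of being deleted unconditionally.
	if [ -h /bin/pwd ] && [ "$$(readlink /bin/pwd)" = "$(TOOLS_DIR)/bin/pwd" ]; then rm -f /bin/pwd; fi

	@$(POST_INSTALL)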