]>
Commit | Line | Data |
---|---|---|
166a6c21 MT |
1 | ############################################################################### |
2 | # # | |
3 | # IPFire.org - A linux based firewall # | |
4 | # Copyright (C) 2007, 2008, 2009 Michael Tremer & Christian Schmidt # | |
5 | # # | |
6 | # This program is free software: you can redistribute it and/or modify # | |
7 | # it under the terms of the GNU General Public License as published by # | |
8 | # the Free Software Foundation, either version 3 of the License, or # | |
9 | # (at your option) any later version. # | |
10 | # # | |
11 | # This program is distributed in the hope that it will be useful, # | |
12 | # but WITHOUT ANY WARRANTY; without even the implied warranty of # | |
13 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # | |
14 | # GNU General Public License for more details. # | |
15 | # # | |
16 | # You should have received a copy of the GNU General Public License # | |
17 | # along with this program. If not, see <http://www.gnu.org/licenses/>. # | |
18 | # # | |
19 | ############################################################################### | |
20 | ||
21 | ############################################################################### | |
22 | # Definitions | |
23 | ############################################################################### | |
24 | ||
a7c97434 | 25 | include $(PKGROOT)/Include |
166a6c21 MT |
26 | |
27 | PKG_NAME = glibc | |
3ae9e320 | 28 | PKG_VER = 2.12 |
166a6c21 MT |
29 | PKG_REL = 0 |
30 | ||
31 | PKG_MAINTAINER = Michael Tremer <michael.tremer@ipfire.org> | |
32 | PKG_GROUP = System/Base | |
33 | PKG_URL = http://sources.redhat.com/glibc/ | |
34 | PKG_LICENSE = GPLv2+ LGPLv2+ | |
35 | PKG_SUMMARY = The GNU libc libraries. | |
36 | ||
72d2189b | 37 | PKG_PACKAGES += $(PKG_NAME_REAL)-devel |
48add3fd | 38 | |
166a6c21 MT |
39 | define PKG_DESCRIPTION |
40 | The glibc package contains standard libraries which are used by \ | |
41 | multiple programs on the system. In order to save disk space and \ | |
42 | memory, as well as to make upgrading easier, common system code is \ | |
43 | kept in one place and shared between programs. This particular package \ | |
44 | contains the most important sets of shared libraries: the standard C \ | |
45 | library and the standard math library. Without these two libraries, a \ | |
46 | Linux system will not function. | |
47 | endef | |
48 | ||
0bed08cd | 49 | PKG_DEPS = # Has got no dependencies |
166a6c21 | 50 | |
0bed08cd MT |
51 | GLIBC_FLAGS += -DPIC -fno-strict-aliasing -mno-tls-direct-seg-refs |
52 | ||
53 | CFLAGS += $(GLIBC_FLAGS) | |
54 | CXXFLAGS += $(GLIBC_FLAGS) | |
166a6c21 MT |
55 | |
56 | OPTIMIZED_KERNEL = 2.6.18 | |
57 | ||
58 | PKG_OBJECTS += $(THISAPP).tar.bz2 | |
59 | ||
b2ec3c8a MT |
60 | # $(THISAPP)-pt_pax-1.patch - Support for PT_PaX markings. |
61 | ||
62 | # $(THISAPP)-strlcpy_strlcat-1.patch | |
63 | # This patch adds the strlcpy and strlcat functions and manual pages to Glibc. | |
64 | # A paper written about these functions is available here: | |
65 | # http://www.courtesan.com/todd/papers/strlcpy.html. The Glibc project has | |
66 | # refused to add these functions, and that mail tread starts here: | |
67 | # http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html. Linus Torvalds | |
68 | # has added a similar function to the Linux kernel, and that mail thread is | |
69 | # here: http://lwn.net/Articles/33814/. The strlcpy() and strlcat() functions | |
70 | # are replacements for strncpy() and strncat(). The controversy of these | |
71 | # functions is that strlcpy() and strlcat() copy the source data to the | |
72 | # destination buffer until the destination is full, and discards the rest of | |
73 | # the data if there is any. This means that these functions will never | |
74 | # overflow. The basis for the Glibc team's refusal to add these functions is | |
75 | # that they silently hide programing errors, and they have a higher performance | |
76 | # hit than strncpy() and strncat(). These functions should not be needed in a | |
77 | # perfect world, but were invented to deal with the real world. Many packages | |
78 | # will use these functions if they are found, such as Perl and many BLFS | |
79 | # packages. These functions do reduce buffer overflows, and so they are | |
80 | # recommended. After installing this patch no other effort is needed to use it. | |
81 | # Packages will use autotools to detect whether they are available or not. | |
82 | ||
83 | # $(THISAPP)-asprintf_reset2null-1.patch | |
84 | # The asprintf(3) and vasprintf(3) functions are GNU extentions, not defined | |
85 | # by C or Posix standards. In Glibc these functions leave (char **strp) undefined | |
86 | # after an error. This patch resets (char **strp) to NULL after an error, for | |
87 | # sanity. | |
88 | ||
89 | # $(THISAPP)-issetugid-1.patch | |
90 | # This patch adds the issetugid() function, which is a front-end to the | |
91 | # __libc_enable_secure() dynamic linker private function. This function | |
92 | # reports whether the program is running with matching real and effective | |
93 | # ID's, or not, to determine whether the program is running with set-uid or | |
94 | # set-gid privileges. Many packages will search for issetugid() and use it if | |
95 | # found, such as Ncurses. This is safer than allowing each program to | |
96 | # determine privileges itself because it is tested at a lower level which is | |
97 | # not manipulatable by the user. Apply this patch with the following command: | |
98 | ||
99 | # $(THISAPP)-localedef_trampoline-1.patch | |
100 | # The next patch modifies the localedef program so it does not use GCC | |
101 | # Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html), | |
102 | # which relies on an executable stack to run. Without this patch the localedef | |
103 | # program will be killed if it is run on a kernel with PaX memory protection. | |
104 | # See http://pax.grsecurity.net/docs/pageexec.txt and | |
105 | # http://pax.grsecurity.net/docs/segmexec.txt for more information. | |
106 | ||
107 | # $(THISAPP)-sanitize_env.patch | |
108 | # This patch resticts the environment, particularly with setuid programs. | |
109 | ||
110 | # $(THISAPP)-mktemp_urandom.patch | |
111 | # The patch modifies __gen_tempname(), used by the mk*temp()/tmpnam() family | |
112 | # of functions, to use /dev/urandom instead of hp-timing, gettimeofday(), or | |
113 | # getpid(): | |
114 | ||
115 | # $(THISAPP)-res_randomid.patch | |
116 | # The res_randomid() function is a pseudo-random number generator, using | |
117 | # getpid() for entropy. See: http://www.openbsd.org/advisories/res_random.txt | |
118 | # for the vulnerability. This patch uses /dev/urandom instead. | |
119 | ||
120 | # $(THISAPP)-resolv_response_length.patch | |
121 | # This patch does a check on the buffer size of res_* functions. | |
166a6c21 | 122 | |
370830cf | 123 | QUALITY_AGENT_RPATH_ALLOW_ORIGIN=yes |
166a6c21 | 124 | |
17c0ee8a MT |
125 | define STAGE_PREPARE |
126 | @cd $(DIR_SRC) && $(DO_EXTRACT) $(DIR_DL)/$(firstword $(PKG_OBJECTS)) | |
166a6c21 MT |
127 | @mkdir $(DIR_SRC)/glibc-build |
128 | ||
129 | # In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is | |
130 | # unknown whether this is a bash bug or a Glibc problem. Disable | |
131 | # installation of this locale in order to avoid the problem. | |
132 | cd $(DIR_APP) && sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED | |
133 | ||
134 | # The ldd shell script contains Bash-specific syntax. Change its default | |
135 | # program interpreter to /bin/bash in case another /bin/sh is installed. | |
136 | cd $(DIR_APP) && sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in | |
137 | ||
138 | $(DO_PATCHES) | |
139 | ||
140 | # We don't install pt_chown(1) on the final system, so why install it to | |
141 | # $(TOOLS_DIR): | |
142 | cd $(DIR_APP) && sed -e "/^install.*pt_chown/d" -i login/Makefile | |
143 | ||
166a6c21 MT |
144 | # Build nscd with -fstack-protector-all, instead of -fstack-protector: |
145 | cd $(DIR_APP) && sed -e "s/fstack-protector/&-all/" -i nscd/Makefile | |
146 | ||
147 | # We don't need to set -march=i?86 in confparams because GCC was built with | |
148 | # --with-arch=i?86. | |
149 | ||
bceb6c91 | 150 | cat $(DIR_SOURCE)/$(PKG_NAME)-stack_chk_fail.c \ |
166a6c21 | 151 | > $(DIR_APP)/debug/stack_chk_fail.c |
f1fdd4d6 MT |
152 | |
153 | cd $(DIR_APP) && \ | |
154 | sed -e "s|libs -o|libs -L/usr/lib -Wl,-dynamic-linker=$(shell readelf -l /bin/sh | sed -n 's@.*interpret.*$(TOOLS_DIR)\(.*\)]$$@\1@p') -o|" \ | |
155 | -i scripts/test-installation.pl | |
8a346372 | 156 | |
0bed08cd MT |
157 | # Use gnu hash style |
158 | cd $(DIR_APP) && sed -i Makeconfig \ | |
159 | -e "s/-Wl,--hash-style=both/-Wl,--hash-style=gnu -Wl,-O1/" | |
342b9bc7 MT |
160 | |
161 | # stdlib/tst-putenvmod is not linked against libc. | |
162 | cd $(DIR_APP) && sed -i stdlib/Makefile \ | |
163 | -e "s/^CFLAGS-tst-putenvmod.c.*/& -fno-stack-protector/g" | |
164 | ||
165 | # stdio-common/bug22 hits timeout. | |
166 | cd $(DIR_APP) && sed -i stdio-common/bug22.c \ | |
167 | -e "s/#define TIMEOUT.*/#define TIMEOUT 300/" | |
ce136479 MT |
168 | |
169 | # These tests don't work or need more investigation: | |
170 | cd $(DIR_APP) && sed -i dlfcn/Makefile -e "s/default //g" | |
171 | ||
172 | cd $(DIR_APP) && sed -i nptl/Makefile \ | |
173 | -e "s/tst-mutex5 //g" \ | |
174 | -e "s/tst-mutex5a //g" \ | |
175 | -e "s/tst-cond11 //g" \ | |
176 | -e "s/tst-rwlock6 //g" \ | |
177 | -e "s/tst-rwlock7 //g" \ | |
178 | -e "s/tst-sem5 //g" \ | |
179 | -e "s/tst-cancelx4 //g" \ | |
180 | -e "s/tst-cancelx5 //g" \ | |
181 | -e "s/tst-cancelx10 //g" \ | |
182 | -e "s/tst-cancelx18 //g" \ | |
183 | ||
184 | # These are known to fail on x86: | |
185 | cd $(DIR_APP) && sed -i rt/Makefile \ | |
186 | -e "s/tst-cpuclock1 //g" \ | |
187 | -e "s/tst-cpuclock2 //g" | |
188 | ||
189 | cd $(DIR_APP) && sed -i elf/Makefile \ | |
190 | -e "s/tst-tls1 //g" \ | |
191 | -e "s/tst-tls1-static //g" \ | |
192 | -e "s/tst-tls2 //g" \ | |
193 | -e "s/tst-tls2-static //g" \ | |
194 | -e "s/tst-tls3 //g" \ | |
195 | -e "s/resolvfail //g" \ | |
196 | -e "s/constload1 //g" \ | |
197 | -e "s/order //g" \ | |
198 | -e "s/lateglobal //g" \ | |
199 | -e "s/dblload //g" \ | |
200 | -e "s/dblunload //g" \ | |
201 | -e "s/reldep6 //g" \ | |
202 | -e "s/circleload1 //g" \ | |
203 | -e "s/tst-global1 //g" \ | |
204 | -e "s/tst-audit2 //g" \ | |
205 | -e "s/check-localplt //g" \ | |
206 | -e "s/check-localplt.out$$//g" | |
207 | ||
17c0ee8a | 208 | endef |
166a6c21 | 209 | |
17c0ee8a | 210 | define STAGE_BUILD |
166a6c21 MT |
211 | # --enable-stackguard-randomization could be added here, but this is primarily |
212 | # for attacks by local users, and we shouldn't have those in the rebooted | |
213 | # system. Adding this will empty the /dev/random entropy pool (via | |
214 | # /dev/urandom), unless the system is running a Random Number Gathering Daemon | |
215 | # (rngd). This version of Glibc uses high precision timing with SSP, so the | |
216 | # canary value changes at run-time. This is not as good as /dev/urandom, but | |
217 | # it's better than nothing and has very good performance. | |
218 | ||
166a6c21 MT |
219 | cd $(DIR_SRC)/glibc-build && \ |
220 | CFLAGS= \ | |
221 | CXXFLAGS= \ | |
222 | ../$(THISAPP)/configure \ | |
166a6c21 MT |
223 | --prefix=/usr \ |
224 | --libexecdir=/usr/lib/glibc \ | |
225 | --disable-profile \ | |
226 | --enable-add-ons \ | |
227 | --enable-kernel=$(OPTIMIZED_KERNEL) \ | |
228 | --without-selinux \ | |
229 | --disable-werror \ | |
230 | --enable-bind-now \ | |
231 | --enable-stackguard-randomization \ | |
bc4ad5b7 | 232 | --with-stack-protector=all |
166a6c21 MT |
233 | |
234 | # Our GCC is already passing -fPIC, and that's all we want for the libraries. | |
235 | # LDFLAGS.so is appended to so we don't build shared libraries with | |
236 | # DT_TEXTREL (and to tell us if something goes wrong). For now we only build | |
237 | # the libraries, not the programs: | |
238 | echo "build-programs=no" \ | |
239 | >> $(DIR_SRC)/glibc-build/configparms | |
240 | ||
241 | cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS) \ | |
0bed08cd MT |
242 | CFLAGS="$(CFLAGS) -fno-stack-protector -U_FORTIFY_SOURCE" \ |
243 | CXXFLAGS="$(CXXFLAGS) -fno-stack-protector -U_FORTIFY_SOURCE" | |
166a6c21 MT |
244 | |
245 | # Then build the programs with hardening, so everything possible in | |
246 | # $(TOOLS_DIR) is hardened: | |
0bed08cd | 247 | echo "# Nothing in here :D" > $(DIR_SRC)/glibc-build/configparms |
166a6c21 MT |
248 | cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS) \ |
249 | CFLAGS="$(CFLAGS)" CXXFLAGS="$(CXXFLAGS)" | |
17c0ee8a | 250 | endef |
166a6c21 | 251 | |
34c789f0 MT |
252 | define STAGE_TEST |
253 | cd $(DIR_SRC)/glibc-build && make check | |
254 | endef | |
b6ca5178 | 255 | |
17c0ee8a | 256 | define STAGE_INSTALL |
166a6c21 MT |
257 | cd $(DIR_SRC)/glibc-build && make install install_root=$(BUILDROOT) |
258 | ||
166a6c21 MT |
259 | # Locales |
260 | -mkdir -pv $(BUILDROOT)/usr/lib/locale | |
f1fdd4d6 | 261 | # This would install all locales that are supported |
166a6c21 MT |
262 | cd $(DIR_SRC)/glibc-build && make localedata/install-locales install_root=$(BUILDROOT) |
263 | ||
166a6c21 MT |
264 | # Timezone |
265 | cp -v --remove-destination $(BUILDROOT)/usr/share/zoneinfo/GMT $(BUILDROOT)/etc/localtime | |
266 | ||
267 | # Configuration | |
268 | cp -vf $(DIR_SOURCE)/{ld.so.conf,nsswitch.conf} $(BUILDROOT)/etc | |
647b4a94 | 269 | -mkdir -pv $(BUILDROOT)/etc/ld.so.conf.d |
17c0ee8a | 270 | endef |