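###############################################################################
#                                                                             #
# IPFire.org - A linux based firewall                                         #
# Copyright (C) 2007, 2008, 2009  Michael Tremer & Christian Schmidt          #
#                                                                             #
# This program is free software: you can redistribute it and/or modify        #
# it under the terms of the GNU General Public License as published by        #
# the Free Software Foundation, either version 3 of the License, or           #
# (at your option) any later version.                                         #
#                                                                             #
# This program is distributed in the hope that it will be useful,             #
# but WITHOUT ANY WARRANTY; without even the implied warranty of              #
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the               #
# GNU General Public License for more details.                                #
#                                                                             #
# You should have received a copy of the GNU General Public License           #
# along with this program.  If not, see <http://www.gnu.org/licenses/>.       #
#                                                                             #
###############################################################################

###############################################################################
# Definitions
###############################################################################

# Config supplies the build-system variables used below (DIR_SRC, DIR_DL,
# DIR_PATCHES, DIR_INFO, TOOLS_DIR, STAGE, STAGE_ORDER, MACHINE, EXTRACTOR,
# LOAD, PREBUILD, POSTBUILD, DO_PKG_INFO, DO_PACKAGE, CONFIGURE_ARCH, LINKER,
# PARALLELISMFLAGS).  None of them are defined in this file.
include Config

PKG_NAME   = glibc
VER        = 2.9
PKG_VER    = 0
THISAPP    = $(PKG_NAME)-$(VER)
DL_FILE    = $(THISAPP).tar.bz2
DIR_APP    = $(DIR_SRC)/$(THISAPP)
# Stamp file recording that this package was built for the current stage.
OBJECT     = $(DIR_INFO)/$(STAGE_ORDER)_$(STAGE)/$(THISAPP)
MAINTAINER =
GROUP      = System/Base
EXTRA      = no
DEBUG      = no
DEPS       =
URL        = http://sources.redhat.com/glibc/
LICENSE    = GPLv2+ LGPLv2+
SHORT_DESC = The GNU libc libraries.

define LONG_DESC
The glibc package contains standard libraries which are used by \
multiple programs on the system. In order to save disk space and \
memory, as well as to make upgrading easier, common system code is \
kept in one place and shared between programs. This particular package \
contains the most important sets of shared libraries: the standard C \
library and the standard math library. Without these two libraries, a \
Linux system will not function.
endef

# Generic flags; the hardening/non-hardening flags for the two glibc build
# passes are written into configparms in the recipe below, not taken from here.
CFLAGS   = -O2 -pipe
CXXFLAGS =

###############################################################################
# Top-level Rules
###############################################################################

# Everything $(OBJECT) needs: the two tarballs (fetched via $(LOAD)) and the
# patch files applied from $(DIR_PATCHES).
# NOTE(review): no download checksum variables are defined in this file;
# confirm that $(LOAD) (from Config) verifies the tarballs' integrity
# elsewhere, otherwise the fetched sources are used unverified.
objects = $(DL_FILE) \
	$(PKG_NAME)-libidn-$(VER).tar.bz2 \
	$(THISAPP)-pt_pax-1.patch \
	$(THISAPP)-strlcpy_strlcat-1.patch \
	$(THISAPP)-asprintf_reset2null-1.patch \
	$(THISAPP)-issetugid-1.patch \
	$(THISAPP)-localedef_trampoline-1.patch \
	$(THISAPP)-sanitize_env.patch \
	$(THISAPP)-mktemp_urandom.patch \
	$(THISAPP)-res_randomid.patch \
	$(THISAPP)-resolv_response_length.patch \
	$(THISAPP)-undefine-__i686.patch \
	$(THISAPP)-d_tlsdec.patch

# These four targets are commands, not files; declare them so a stray file
# of the same name in this directory can never make them "up to date".
.PHONY : download info install package

download : $(objects)

info :
	$(DO_PKG_INFO)

install : $(OBJECT)

package :
	@$(DO_PACKAGE)

$(objects) :
	@$(LOAD)

###############################################################################
# Installation Details
###############################################################################

# Builds and installs glibc for the current $(STAGE) ("toolchain" or "base"),
# then writes the $(OBJECT) stamp via $(POSTBUILD).  The build is done in two
# passes: libraries first (unhardened, PIC only), then the programs with full
# hardening flags.  Every recipe line runs in its own shell, hence the
# repeated "cd ... &&" prefixes.
$(OBJECT) : $(objects)
	@$(PREBUILD)
	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build && cd $(DIR_SRC) && $(EXTRACTOR) $(DIR_DL)/$(DL_FILE)
	@mkdir $(DIR_SRC)/glibc-build

# Extracting libidn (picked up by --enable-add-ons below)
	cd $(DIR_APP) && $(EXTRACTOR) $(DIR_DL)/$(PKG_NAME)-libidn-$(VER).tar.bz2
	cd $(DIR_APP) && mv -v $(PKG_NAME)-libidn-$(VER) libidn

# In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
# unknown whether this is a bash bug or a Glibc problem. Disable
# installation of this locale in order to avoid the problem.
	cd $(DIR_APP) && sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED

# The ldd shell script contains Bash-specific syntax. Change its default
# program interpreter to /bin/bash in case another /bin/sh is installed.
	cd $(DIR_APP) && sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in

# The next patch modifies the localedef program so it does not use GCC
# Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html),
# which relies on an executable stack to run. Without this patch the localedef
# program will be killed if it is run on a kernel with PaX memory protection.
# See http://pax.grsecurity.net/docs/pageexec.txt and
# http://pax.grsecurity.net/docs/segmexec.txt for more information:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-localedef_trampoline-1.patch

# Support for PT_PaX markings:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-pt_pax-1.patch

# The asprintf(3) and vasprintf(3) functions are GNU extensions, not defined
# by C or Posix standards. In Glibc these functions leave (char **strp) undefined
# after an error. This patch resets (char **strp) to NULL after an error, for
# sanity.
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-asprintf_reset2null-1.patch

# This patch adds the issetugid() function, which is a front-end to the
# __libc_enable_secure() dynamic linker private function. This function
# reports whether the program is running with matching real and effective
# ID's, or not, to determine whether the program is running with set-uid or
# set-gid privileges. Many packages will search for issetugid() and use it if
# found, such as Ncurses. This is safer than allowing each program to
# determine privileges itself because it is tested at a lower level which is
# not manipulatable by the user.
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-issetugid-1.patch

# This patch restricts the environment, particularly with setuid programs:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-sanitize_env.patch

# This patch adds the strlcpy and strlcat functions and manual pages to Glibc.
# A paper written about these functions is available here:
# http://www.courtesan.com/todd/papers/strlcpy.html. The Glibc project has
# refused to add these functions, and that mail thread starts here:
# http://sources.redhat.com/ml/libc-alpha/2000-08/msg00052.html. Linus Torvalds
# has added a similar function to the Linux kernel, and that mail thread is
# here: http://lwn.net/Articles/33814/. The strlcpy() and strlcat() functions
# are replacements for strncpy() and strncat(). The controversy of these
# functions is that strlcpy() and strlcat() copy the source data to the
# destination buffer until the destination is full, and discards the rest of
# the data if there is any. This means that these functions will never
# overflow. The basis for the Glibc team's refusal to add these functions is
# that they silently hide programming errors, and they have a higher performance
# hit than strncpy() and strncat(). These functions should not be needed in a
# perfect world, but were invented to deal with the real world. Many packages
# will use these functions if they are found, such as Perl and many BLFS
# packages. These functions do reduce buffer overflows, and so they are
# recommended. After installing this patch no other effort is needed to use it.
# Packages will use autotools to detect whether they are available or not:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-strlcpy_strlcat-1.patch

# The patch modifies __gen_tempname(), used by the mk*temp()/tmpnam() family
# of functions, to use /dev/urandom instead of hp-timing, gettimeofday(), or
# getpid():
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-mktemp_urandom.patch

# The res_randomid() function is a pseudo-random number generator, using
# getpid() for entropy. See: http://www.openbsd.org/advisories/res_random.txt
# for the vulnerability. This patch uses /dev/urandom instead:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-res_randomid.patch

# This patch does a check on the buffer size of res_* functions:
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-resolv_response_length.patch

# We don't install pt_chown(1) on the final system, so why install it to
# $(TOOLS_DIR):
	cd $(DIR_APP) && sed -e "/^install.*pt_chown/d" -i login/Makefile

# ldconfig is statically linked, so don't build it PIC:
	cd $(DIR_APP) && sed "s/CFLAGS-ldconfig.c =/& -fno-PIC -fno-PIE/" \
		-i elf/Makefile

# Build nscd with -fstack-protector-all, instead of -fstack-protector:
	cd $(DIR_APP) && sed -e "s/fstack-protector/&-all/" -i nscd/Makefile

# We don't need to set -march=i?86 in confparams because GCC was built with
# --with-arch=i?86.
ifeq "$(MACHINE)" "i686"
	cd $(DIR_APP) && patch -Np0 -i $(DIR_PATCHES)/$(THISAPP)-undefine-__i686.patch
endif

# Replace a direct call of a i686 function (Not able to compile at i586)
	cd $(DIR_APP) && patch -Np1 -i $(DIR_PATCHES)/$(THISAPP)-d_tlsdec.patch

# --sbindir=$(TOOLS_DIR)/bin does not work... anyone want to fix this?
# We don't need Glibc's sbin programs, but still.

# --enable-stackguard-randomization IS passed to both configure invocations
# below.  The original note kept here argued it could be left out: it mainly
# defends against local users, it draws on the kernel entropy pool (via
# /dev/urandom) unless a Random Number Gathering Daemon (rngd) is running,
# and this version of Glibc already varies the SSP canary at run-time using
# high precision timing (not as good as /dev/urandom, but cheap).  Since the
# flag is enabled, treat that note as historical rationale rather than as a
# description of the current build.

ifeq "$(STAGE)" "toolchain"
# Glibc uses a hard coded path for /etc/ld.so.preload. To keep Glibc from
# preloading libraries from the host machine perform the following command:
	cd $(DIR_APP) && sed -e "s@/etc/ld.so.preload@$(TOOLS_DIR)@" -i elf/rtld.c
# mkdir -p is idempotent, so a real failure (permissions, missing parent)
# still aborts the build instead of being masked by a leading "-".
	mkdir -pv $(TOOLS_DIR)/etc
	touch $(TOOLS_DIR)/etc/ld.so.conf
	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=$(TOOLS_DIR) \
			--libexecdir=$(TOOLS_DIR)/lib/$(PKG_NAME) \
			--with-headers=$(TOOLS_DIR)/include \
			--with-binutils=$(TOOLS_DIR)/bin \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--without-gd \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

ifeq "$(STAGE)" "base"
# /bin/pwd may not exist yet in the base stage; point it at the toolchain
# binary for the duration of the build (presumably for configure's sake).
# The symlink is removed again at the end of this stage.
	if [ ! -e /bin/pwd ]; then ln -sfn $(TOOLS_DIR)/bin/pwd /bin/pwd; fi
	cd $(DIR_APP) && sed 's/-nostdlib/& -fno-stack-protector/g' -i.orig configure
	cd $(DIR_APP) && sed -i 's|libs -o|libs -L/usr/lib -Wl,-dynamic-linker=$(LINKER) -o|' \
		scripts/test-installation.pl
	touch /etc/ld.so.conf
	cd $(DIR_SRC)/glibc-build && \
		../$(THISAPP)/configure \
			$(CONFIGURE_ARCH) \
			--prefix=/usr \
			--libexecdir=/usr/lib/glibc \
			--disable-profile \
			--enable-add-ons \
			--enable-kernel=2.6.0 \
			--without-selinux \
			--disable-werror \
			--enable-bind-now \
			--enable-stackguard-randomization
endif

# Our GCC is already passing -fPIC, and that's all we want for the libraries.
# LDFLAGS.so is appended to so we don't build shared libraries with
# DT_TEXTREL (and to tell us if something goes wrong). For now we only build
# the libraries, not the programs:
	echo "build-programs=no" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIC -fno-stack-protector -U_FORTIFY_SOURCE -nonow -nopie" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "LDFLAGS.so += -Wl,--warn-shared-textrel,--fatal-warnings" \
		>> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)

# Then build the programs with hardening, so everything possible in
# $(TOOLS_DIR) is hardened: PIE, full stack protector, FORTIFY_SOURCE, and a
# +link rule with -z relro / -z now.  "\$$" reaches the shell as "\$" and is
# written to configparms as a literal "$", so glibc's own make expands it.
# NOTE(review): the backticks in two of the echo lines below sit inside
# double quotes, so the shell runs them as command substitutions while the
# recipe executes instead of writing them literally; confirm the generated
# configparms holds the intended +link definition.
	@rm -f $(DIR_SRC)/glibc-build/configparms
	echo "CC = gcc -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CXX = g++ -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "CFLAGS-sln.c += -fno-PIC -fno-PIE" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo "+link = \$$(CC) -nostdlib -nostartfiles -fPIE -pie -o \$$@ \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(sysdep-LDFLAGS) \$$(config-LDFLAGS) \$$(LDFLAGS) \$$(LDFLAGS-\$$(@F)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,-z,combreloc -Wl,-z,relro -Wl,-z,now \$$(hashstyle-LDFLAGS) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " -Wl,--warn-shared-textrel,--fatal-warnings \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(addprefix \$$(csu-objpfx),S\$$(start-installed-name)) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) `\$$(CC) --print-file-name=crtbeginS.o` \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(filter-out \$$(addprefix \$$(csu-objpfx),start.o \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(start-installed-name))\\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(+preinit) \$$(link-extra-libs) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(common-objpfx)libc% \$$(+postinit),\$$^) \\" \
		>> $(DIR_SRC)/glibc-build/configparms
	echo " \$$(link-extra-libs) \$$(link-libc) `\$$(CC) --print-file-name=crtendS.o` \$$(+postinit)" \
		>> $(DIR_SRC)/glibc-build/configparms
	cd $(DIR_SRC)/glibc-build && make PARALLELMFLAGS=$(PARALLELISMFLAGS)
	cd $(DIR_SRC)/glibc-build && make install

ifeq "$(STAGE)" "base"
# Move the static archives out of the default library path.
# NOTE(review): the brace expansions in the mv lines and "echo -e" further
# down are bash features; confirm Config sets SHELL to bash, as a plain
# POSIX /bin/sh would not expand them.
	install -vd /usr/lib/static/
	mv -v /usr/lib/{libbsd-compat,libg,libieee,libmcheck}.a /usr/lib/static/
	mv -v /usr/lib/{libBrokenLocale,libanl,libcrypt}.a /usr/lib/static/
	mv -v /usr/lib/{libm,libnsl,libpthread,libresolv}.a /usr/lib/static/
	mv -v /usr/lib/{librpcsvc,librt,libutil}.a /usr/lib/static/

# Locales (mkdir -p already tolerates an existing directory, so no "-" prefix)
	mkdir -pv /usr/lib/locale
# This would install all locales that are supported, but we do only
# install a minimal set of them:
#   cd $(DIR_SRC)/glibc-build && make localedata/install-locales
	cd $(DIR_SRC)/glibc-build && localedef -i de_DE -f UTF-8 de_DE.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i en_US -f UTF-8 en_US.UTF-8
	cd $(DIR_SRC)/glibc-build && localedef -i da_DK -f UTF-8 da_DK.UTF-8

# Timezone
	cp -v --remove-destination /usr/share/zoneinfo/GMT /etc/localtime

# Set up ld.so.conf (appended, so a second base-stage build would duplicate
# these lines; the build tree is expected to start from a clean /etc)
	echo -e "# Begin /etc/ld.so.conf\n" >> /etc/ld.so.conf
	echo -e "/usr/local/lib\n" >> /etc/ld.so.conf
	echo "# End /etc/ld.so.conf" >> /etc/ld.so.conf

# Drop the temporary /bin/pwd symlink created at the start of this stage.
	if [ -h /bin/pwd ]; then rm -f /bin/pwd; fi
endif

	@rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build
	@$(POSTBUILD)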