From bf86a0e10d65377dea53319d98f75e06b368a093 Mon Sep 17 00:00:00 2001
From: Michael Tremer
Date: Tue, 21 Mar 2023 18:13:50 +0000
Subject: [PATCH] glibc: Make this package confirm to FHS/Hardening

This patch changes many things about glibc in one go. Sorry. We move glibc out of /lib so that we no longer install any files where they should not be according to our FHS. We also enable SSP-all and ensure that everything is properly hardened.

Signed-off-by: Michael Tremer
---
 glibc/glibc.nm | 137 ++++++++++++++++++++-----------------------------
 1 file changed, 55 insertions(+), 82 deletions(-)

diff --git a/glibc/glibc.nm b/glibc/glibc.nm
index f7fa98b62..a58a826c8 100644
--- a/glibc/glibc.nm
+++ b/glibc/glibc.nm
@@ -5,7 +5,7 @@
 
 name = glibc
 version = 2.37
-release = 3
+release = 4
 maintainer = Michael Tremer
 groups = System/Base
 
@@ -27,6 +27,9 @@ source_dl = https://ftp.gnu.org/gnu/glibc/
 sources = %{thisapp}.tar.xz
 
 build
+ # Build in a separate directory
+ DIR_BUILD = %{DIR_SRC}/glibc-build
+
 # Optimize glibc for kernel
 OPTIMIZED_KERNEL = 5.10
 
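Review bot: `DIR_BUILD = %{DIR_SRC}/glibc-build` is introduced without a comment saying that it replaces the explicit `mkdir -p`/`cd %{DIR_SRC}/glibc-build` of the custom build block removed later in this patch (hunk at old line 45), so the out-of-tree configure and make now depend on the default build stage honouring `DIR_BUILD` and creating the directory. Nothing on the page shows that stage, so this is inferred; a comment such as `# Out-of-tree build: the default build stage configures and builds here, replacing the former custom build block` would make the dependency visible to the next reader. The old block also passed `-fno-asynchronous-unwind-tables` in `CFLAGS`; if that flag is still wanted it has to be re-added somewhere, as `DIR_BUILD` alone does not carry it.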
@@ -45,115 +48,86 @@ build
 texinfo
 end
 
- # Build glibc with custom cflags
- GLIBC_FLAGS = -O2 -g -DNDEBUG -pipe
-
- if "%{DISTRO_ARCH}" == "x86_64"
- GLIBC_FLAGS += -mtune=generic
- end
-
- export CFLAGS = %{GLIBC_FLAGS}
- export CXXFLAGS = %{GLIBC_FLAGS}
-
- prepare_cmds
- # In the vi_VN.TCVN locale, bash enters an infinite loop at startup. It is
- # unknown whether this is a bash bug or a Glibc problem. Disable
- # installation of this locale in order to avoid the problem.
- sed -i '/vi_VN.TCVN/d' localedata/SUPPORTED
-
- # The ldd shell script contains Bash-specific syntax. Change its default
- # program interpreter to /bin/bash in case another /bin/sh is installed.
- sed -i 's|@BASH@|/bin/bash|' elf/ldd.bash.in
-
- # We don't install pt_chown(1) on the final system
- sed -e "/^install.*pt_chown/d" -i login/Makefile
-
- # Build nscd with -fstack-protector-all, instead of -fstack-protector:
- sed -e "s/fstack-protector/&-strong/" -i nscd/Makefile
-
- # Use gnu hash style
- sed -i Makeconfig \
- -e "s/-Wl,--hash-style=both/-Wl,--hash-style=gnu -Wl,-O1/"
-
- # http://sourceware.org/ml/libc-ports/2011-09/msg00018.html
- sed -e "s/PIC/SHARED/g" -i sysdeps/arm/{set,__long}jmp.S
- end
+ # Disable LTO
+ LTO_CFLAGS =
 configure_options = \
 --build=%{DISTRO_BUILDTARGET} \
 --prefix=/usr \
+ --libdir=%{libdir} \
 --libexecdir=%{libdir}/glibc \
- --disable-profile \
- --enable-add-ons \
+ --sbindir=%{sbindir} \
+ --enable-multi-arch \
 --enable-kernel=%{OPTIMIZED_KERNEL} \
+ --enable-add-ons \
 --disable-werror \
+ --disable-profile \
 --disable-crypt \
- --enable-stack-protector=strong \
+ --enable-stack-protector=all \
 --enable-bind-now \
- --enable-obsolete-rpc \
 --with-bugurl=https://bugtracker.ipfire.org \
- --enable-lock-elision \
- --enable-cet
 --disable-build-nscd \
 --disable-nscd
 
- build
- mkdir -p %{DIR_SRC}/glibc-build
- cd %{DIR_SRC}/glibc-build
-
- CFLAGS="${CFLAGS} -fno-asynchronous-unwind-tables" \
- ../%{thisapp}/configure \
- %{configure_options}
+ if "%{DISTRO_ARCH}" == "aarch64"
+ configure_options += \
+ --enable-memory-tagging
+ end
 
- make PARALLELMFLAGS=%{PARALLELISMFLAGS} \
- CFLAGS="%{CFLAGS}" CXXFLAGS="%{CXXFLAGS}"
+ if "%{DISTRO_ARCH}" == "x86_64"
+ configure_options += \
+ --enable-cet
 end
 
 install
- cd %{DIR_SRC}/glibc-build
- make install install_root=%{BUILDROOT}
+ # Install everything
+ make install install_root=%{BUILDROOT} \
+ rtlddir=%{libdir} rootsbindir=%{sbindir} slibdir=%{libdir}
+
+ if [ "%{DISTRO_ARCH}" = "aarch64" ]; then
+ # On aarch64, we did link various binaries against
+ # an incorrect linker in /lib. In order to migrate
+ # away from this, we are creating a symlink which
+ # can hopefully go after we drop the bootstrap repositories.
+ mkdir -pv %{BUILDROOT}%{prefix}/lib
+ ln -svf --relative \
+ %{BUILDROOT}%{libdir}/ld-linux-aarch64.so.1 \
+ %{BUILDROOT}%{prefix}/lib/ld-linux-aarch64.so.1
+ fi
 
 # Locales
 mkdir -pv %{BUILDROOT}/usr/lib/locale
 
 # This would install all locales that are supported
 make localedata/install-locales install_root=%{BUILDROOT}
 
- # Configuration
- cp -vf %{DIR_SOURCE}/{ld.so.conf,nsswitch.conf} %{BUILDROOT}/etc
- mkdir -pv %{BUILDROOT}/etc/{default,ld.so.conf.d}
-
- # Remove unused binaries
- rm -vf %{BUILDROOT}/sbin/sln \
- %{BUILDROOT}/usr/bin/rpcinfo
+ # Install runtime linker configuration
+ install -v -m 644 %{DIR_SOURCE}/ld.so.conf %{BUILDROOT}%{sysconfdir}
+ mkdir -pv %{BUILDROOT}%{sysconfdir}/ld.so.conf.d
 
 # Don't distribute linker cache
- rm -vf %{BUILDROOT}/etc/ld.so.cache
+ rm -vf %{BUILDROOT}%{sysconfdir}/ld.so.cache
+
+ # Install nsswitch.conf
+ install -v -m 644 %{DIR_SOURCE}/nsswitch.conf %{BUILDROOT}%{sysconfdir}
+
+ # Remove unused statically linked binaries
+ rm -vf %{BUILDROOT}%{sbindir}/sln
 
 # Include /usr/lib/gconv/gconv-modules.cache
 > %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache
 chmod 644 %{BUILDROOT}%{libdir}/gconv/gconv-modules.cache
 
- strip -g %{BUILDROOT}%{libdir}/*.o
-
- # Move some libs to correct place
- mv -v %{BUILDROOT}/%{lib}/lib{memusage,pcprofile}.so %{BUILDROOT}%{libdir}
-
- # Fix library permissions.
- chmod 755 %{BUILDROOT}%{libdir}/lib*.so*
-
- # rquota.x and rquota.h are now provided by quota
- rm -vf %{BUILDROOT}%{includedir}/rpcsvc/rquota.[hx]
- end
-
- keep_libraries
- %{libdir}/libc_nonshared.a
- %{libdir}/libmvec_nonshared.a
- %{libdir}/libpthread_nonshared.a
+ # Strip any object files
+ strip --strip-debug %{BUILDROOT}%{libdir}/*.o
 end
 end
 
 packages
 package glibc
+ if "%{DISTRO_ARCH}" == "aarch64"
+ provides += /lib/ld-linux-aarch64.so.1
+ end
+
 requires
 tzdata
 end
@@ -188,20 +162,19 @@ packages
 end
 
 package %{name}-utils
- summary = Development utilities from GNU C library.
+ summary = Development utilities from GNU C library
 description
 The glibc-utils package contains memusage, a memory usage profiler,
 mtrace, a memory leak tracer and xtrace, a function call tracer
 which can be helpful during program debugging.
 end
- group = Development/Tools
 files
- /usr/bin/memusage
- /usr/bin/memusagestat
- /usr/bin/mtrace
- /usr/bin/pcprofiledump
- /usr/bin/xtrace
+ %{bindir}/memusage
+ %{bindir}/memusagestat
+ %{bindir}/mtrace
+ %{bindir}/pcprofiledump
+ %{bindir}/xtrace
 %{libdir}/libmemusage.so
 %{libdir}/libpcprofile.so
 end
--
2.47.3
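Review bot: The aarch64 compatibility symlink is created at `%{BUILDROOT}%{prefix}/lib/ld-linux-aarch64.so.1`, while the `provides +=` line added to the glibc package in the same hunk advertises `/lib/ld-linux-aarch64.so.1`, and the accompanying comment talks about binaries linked against a loader "in /lib". With `--prefix=/usr` these are only the same file if `/lib` resolves to `%{prefix}/lib` on the target, which the page does not show; if it does not, binaries whose interpreter path is `/lib/ld-linux-aarch64.so.1` still fail to start and the provides entry names a path the package does not ship. Either spell the symlink target and the provides entry with the same path, or add a comment next to `mkdir -pv %{BUILDROOT}%{prefix}/lib` stating that `/lib` is a symlink to `%{prefix}/lib` on this distribution. As a point of style, the same hunk tests the architecture in two dialects — nm-level `if "%{DISTRO_ARCH}" == "aarch64"` around `configure_options` but shell `if [ "%{DISTRO_ARCH}" = "aarch64" ]; then` inside `install` — and a one-line comment on the shell form explaining why it cannot use the nm conditional would save the next reader from assuming one of them is a mistake.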