From: Jaroslav Kysela Date: Tue, 3 May 2016 14:04:01 +0000 (+0200) Subject: build system: add hardening by default X-Git-Tag: v4.2.1~598 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9237d88dc713bdc87a0c19a3800d643e0c40e47b;p=thirdparty%2Ftvheadend.git build system: add hardening by default --- diff --git a/Makefile b/Makefile index 693e12cd7..46041e8ff 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,7 @@ LANGUAGES ?= bg cs da de en_US en_GB es et fa fi fr he hr hu it lv nl pl pt ru s # Common compiler flags # -CFLAGS += -g -O2 +CFLAGS += -g -O2 -fPIE ifeq ($(CONFIG_W_UNUSED_RESULT),yes) CFLAGS += -Wunused-result endif @@ -41,10 +41,11 @@ CFLAGS += -fms-extensions -funsigned-char -fno-strict-aliasing CFLAGS += -D_FILE_OFFSET_BITS=64 CFLAGS += -I${BUILDDIR} -I${ROOTDIR}/src -I${ROOTDIR} ifeq ($(CONFIG_ANDROID),yes) -LDFLAGS += -ldl -lm -fPIE -pie +LDFLAGS += -ldl -lm else LDFLAGS += -ldl -lpthread -lm endif +LDFLAGS += -pie -Wl,-z,now ifeq ($(CONFIG_LIBICONV),yes) LDFLAGS += -liconv endif diff --git a/Makefile.ffmpeg b/Makefile.ffmpeg index d387eb665..ccd10a8d8 100644 --- a/Makefile.ffmpeg +++ b/Makefile.ffmpeg @@ -56,6 +56,7 @@ LIBX265 = x265_1.9 LIBX265_TB = $(LIBX265).tar.gz LIBX265_URL = http://ftp.videolan.org/pub/videolan/x265/$(LIBX265_TB) LIBX265_SHA1 = 8c9aa3b87b0f0a418bbb9782e9354d112d75e003 +LIBX265_DIFFS = libx265.pie.diff LIBVPX = libvpx-1.5.0 LIBVPX_TB = $(LIBVPX).tar.bz2 @@ -116,7 +117,7 @@ export PATH := $(LIB_ROOT)/build/ffmpeg/bin:$(PATH) EBUILDIR := $(LIB_ROOT)/build EPREFIX := $(EBUILDIR)/ffmpeg -ECFLAGS := -I$(EPREFIX)/include +ECFLAGS := -I$(EPREFIX)/include -fPIE ELIBS := -L$(EPREFIX)/lib -ldl CONFIGURE := FFMPEG_PREFIX=$(EPREFIX) \ @@ -175,6 +176,8 @@ $(LIB_ROOT)/$(LIBX264)/.tvh_build: \ $(LIB_ROOT)/$(YASM)/.tvh_build \ $(LIB_ROOT)/$(LIBX264)/.tvh_download cd $(LIB_ROOT)/$(LIBX264) && $(CONFIGURE) \ + --extra-asflags="-DPIC" \ + --extra-cflags="-fPIE" \ --disable-swscale \ --disable-lavf \ --disable-avs \ 
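Review bot: `LDFLAGS += -pie -Wl,-z,now` in the second Makefile hunk asks for immediate binding but not for RELRO, and `-z now` only leaves the GOT read-only when `-z relro` is also in effect; whether it is depends on the linker's built-in default, which differs between distributions. Spelling it out as `LDFLAGS += -pie -Wl,-z,relro -Wl,-z,now` gives full RELRO regardless of that default. The line is also unconditional, as is `-fPIE` in the first Makefile hunk, so a toolchain or target that cannot produce PIE has no switch to turn it off; an option defaulting to yes, tested the same way as `CONFIG_ANDROID` just above, would keep hardening the default. If the commit is meant as general hardening, `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` are the usual companions and are not added here.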
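Review bot: Position independence for x264 is requested by hand in the `@@ -175,6 +176,8 @@` hunk with `--extra-asflags="-DPIC"` and `--extra-cflags="-fPIE"`, so the assembler define and the compiler flag have to be kept in step manually. x264's configure script has an `--enable-pic` switch that sets both together, and libvpx (the `@@ -268,7 +272,9 @@` hunk, which exports `ASFLAGS="-DENABLE_PIC=1 -DPIC=1"`) has a switch of the same name; objects built with `-fPIC` link into a `-pie` executable. `$(CONFIGURE)` is defined outside the hunk, so this assumes it passes its options through to the library's own script. If it does, a single `--enable-pic \` in place of the added lines would be less fragile across library updates.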
@@ -216,6 +219,7 @@ ifeq (yes,$(CONFIG_LIBX265_STATIC)) $(LIB_ROOT)/$(LIBX265)/.tvh_download: $(call DOWNLOAD,$(LIBX265_URL),$(LIB_ROOT)/$(LIBX265_TB),$(LIBX265_SHA1)) $(call UNTAR,$(LIBX265_TB),z) + $(call PATCH,$(LIBX265),$(LIBX265_DIFFS)) @touch $@ $(LIB_ROOT)/$(LIBX265)/.tvh_build: \ @@ -268,7 +272,9 @@ $(LIB_ROOT)/$(LIBVPX)/.tvh_download: $(LIB_ROOT)/$(LIBVPX)/.tvh_build: \ $(LIB_ROOT)/$(YASM)/.tvh_build \ $(LIB_ROOT)/$(LIBVPX)/.tvh_download - cd $(LIB_ROOT)/$(LIBVPX) && $(CONFIGURE) \ + cd $(LIB_ROOT)/$(LIBVPX) && \ + ASFLAGS="-DENABLE_PIC=1 -DPIC=1" $(CONFIGURE) \ + --extra-cflags="-fPIE" \ --disable-examples \ --disable-docs \ --disable-unit-tests \ @@ -304,7 +310,7 @@ $(LIB_ROOT)/$(LIBOGG)/.tvh_download: $(LIB_ROOT)/$(LIBOGG)/.tvh_build: \ $(LIB_ROOT)/$(YASM)/.tvh_build \ $(LIB_ROOT)/$(LIBOGG)/.tvh_download - cd $(LIB_ROOT)/$(LIBOGG) && $(CONFIGURE) + cd $(LIB_ROOT)/$(LIBOGG) && CFLAGS="-fPIE" $(CONFIGURE) DESTDIR=$(EBUILDIR) \ $(MAKE) -C $(LIB_ROOT)/$(LIBOGG) install @touch $@ @@ -341,7 +347,8 @@ $(LIB_ROOT)/$(LIBTHEORA)/.tvh_build: \ $(LIB_ROOT)/$(YASM)/.tvh_build \ $(LIB_ROOT)/$(LIBOGG)/.tvh_build \ $(LIB_ROOT)/$(LIBTHEORA)/.tvh_download - cd $(LIB_ROOT)/$(LIBTHEORA) && $(CONFIGURE) \ + cd $(LIB_ROOT)/$(LIBTHEORA) && \ + CFLAGS="-fPIE" $(CONFIGURE) \ --with-ogg=$(EPREFIX) \ --disable-examples \ $(LIBTHEORA_HOST) @@ -386,7 +393,8 @@ $(LIB_ROOT)/$(LIBVORBIS)/.tvh_build: \ $(LIB_ROOT)/$(YASM)/.tvh_build \ $(LIB_ROOT)/$(LIBOGG)/.tvh_build \ $(LIB_ROOT)/$(LIBVORBIS)/.tvh_download - cd $(LIB_ROOT)/$(LIBVORBIS) && $(CONFIGURE) \ + cd $(LIB_ROOT)/$(LIBVORBIS) && \ + CFLAGS="-fPIE" $(CONFIGURE) \ --with-ogg=$(EPREFIX) DESTDIR=$(EBUILDIR) \ $(MAKE) -C $(LIB_ROOT)/$(LIBVORBIS) install 
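Review bot: The `.tvh_download` stamp that now runs `$(call PATCH,$(LIBX265),$(LIBX265_DIFFS))` has no prerequisites in the rule header shown in the context, so a tree that was downloaded and stamped before this commit is never re-patched. In such a tree x265 would presumably still be built without the PIE changes while the final link now uses `-pie`, so the hardening is either silently incomplete or the link fails. Listing the patch as a prerequisite, `$(LIB_ROOT)/$(LIBX265)/.tvh_download: <path-to>/support/patches/libx265.pie.diff` (path prefix is a placeholder), makes the stamp follow the patch. The `PATCH` macro is defined outside the hunk, so whether a failed patch stops the recipe before `@touch $@` cannot be confirmed from here and is worth checking.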
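Review bot: `CFLAGS="-fPIE" $(CONFIGURE)` in the libogg hunk (`@@ -304,7 +310,7 @@`) hands the library's configure script a caller-supplied CFLAGS; an autoconf-generated script then skips its default `-g -O2`, so unless the library adds its own optimisation flags the codec is compiled unoptimised. The same pattern appears in the libtheora, libvorbis, libfdk-aac and libmfx hunks, the last two with `CXXFLAGS="-fPIE"` as well. `$(CONFIGURE)` is defined outside these hunks, so this assumes it ends in the library's configure script and does not set CFLAGS itself. Stating the level explicitly, for example `CFLAGS="-O2 -fPIE"`, keeps the result independent of each script's defaults.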
@@ -426,7 +434,8 @@ $(LIB_ROOT)/$(LIBFDKAAC)/.tvh_download: $(LIB_ROOT)/$(LIBFDKAAC)/.tvh_build: \ $(LIB_ROOT)/$(LIBFDKAAC)/.tvh_download - cd $(LIB_ROOT)/$(LIBFDKAAC) && $(CONFIGURE) + cd $(LIB_ROOT)/$(LIBFDKAAC) && \ + CXXFLAGS="-fPIE" CFLAGS="-fPIE" $(CONFIGURE) DESTDIR=$(EBUILDIR) \ $(MAKE) -C $(LIB_ROOT)/$(LIBFDKAAC) install @touch $@ @@ -479,7 +488,8 @@ $(LIB_ROOT)/$(LIBMFX)/.tvh_download: $(LIB_ROOT)/$(LIBMFX)/.tvh_build: \ $(LIB_ROOT)/$(LIBMFX)/.tvh_download - cd $(LIB_ROOT)/$(LIBMFX) && autoreconf -i && $(CONFIGURE) \ + cd $(LIB_ROOT)/$(LIBMFX) && autoreconf -i && \ + CXXFLAGS="-fPIE" CFLAGS="-fPIE" $(CONFIGURE) \ --with-libva_x11 \ --with-libva_drm DESTDIR=$(EBUILDIR) \ diff --git a/Makefile.hdhomerun b/Makefile.hdhomerun index daa16ca99..4722bbe28 100644 --- a/Makefile.hdhomerun +++ b/Makefile.hdhomerun @@ -63,7 +63,7 @@ export PATH := $(LIB_ROOT)/build/bin:$(PATH) OBJS := $(foreach file,$(LIBSRCS),$(LIB_ROOT)/$(LIBHDHR)/$(basename $(file)).o) $(LIB_ROOT)/$(LIBHDHR)/%.o: $(LIB_ROOT)/$(LIBHDHR)/%.c - $(CC) -MD -MP $(CFLAGS) -c -o $@ $< + $(CC) -MD -MP $(CFLAGS) -fPIE -c -o $@ $< $(LIB_ROOT)/$(LIBHDHR)/libhdhomerun.a: $(OBJS) $(AR) rcs $@ $^ diff --git a/support/patches/libx265.pie.diff b/support/patches/libx265.pie.diff new file mode 100644 index 000000000..0f4a93012 --- /dev/null +++ b/support/patches/libx265.pie.diff 
@@ -0,0 +1,33 @@ +--- source/CMakeLists.txt.old 2016-05-03 14:34:37.168396127 +0200 ++++ source/CMakeLists.txt 2016-05-03 14:35:35.551372285 +0200 +@@ -100,7 +100,7 @@ + endif(NO_ATOMICS) + endif(UNIX) + +-if(X64 AND NOT WIN32) ++if(X64NONONO AND NOT WIN32) + option(ENABLE_PIC "Enable Position Independent Code" ON) + else() + option(ENABLE_PIC "Enable Position Independent Code" OFF) +@@ -166,6 +166,8 @@ + add_definitions(-std=gnu++98) + if(ENABLE_PIC) + add_definitions(-fPIC) ++ else() ++ add_definitions(-fPIE) + endif(ENABLE_PIC) + if(NATIVE_BUILD) + if(INTEL_CXX) +--- source/cmake/CMakeASM_YASMInformation.cmake.old 2016-05-03 15:52:36.572122457 +0200 ++++ source/cmake/CMakeASM_YASMInformation.cmake 2016-05-03 15:53:18.939438179 +0200 +@@ -3,9 +3,7 @@ + + if(X64) + list(APPEND ASM_FLAGS -DARCH_X86_64=1) +- if(ENABLE_PIC) +- list(APPEND ASM_FLAGS -DPIC) +- endif() ++ list(APPEND ASM_FLAGS -DPIC) + if(APPLE) + set(ARGS -f macho64 -m amd64 -DPREFIX) + elseif(UNIX AND NOT CYGWIN)
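Review bot: `if(X64NONONO AND NOT WIN32)` turns the `ENABLE_PIC` default off by testing a variable name that is presumably never defined, which reads like a typo and carries no explanation for whoever rebases this patch on the next x265 release. Since only the `else()` branch can then be taken, replacing the whole `if`/`else` with the single line `option(ENABLE_PIC "Enable Position Independent Code" OFF)` states the same thing directly. A short header comment in the patch saying that PIC is switched off so that the new `else()` branch adds `-fPIE` would document the intent. The second file makes `-DPIC` unconditional only inside `if(X64)`, so 32-bit x86 assembly is not covered by this patch; whether that still links cleanly with `-pie` is not visible here.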