Browse code
Fixing secure gcc compiling and dist flag bugs
Divya Thaluru authored on 2015/06/08 08:45:15Showing 5 changed files
- support/package-builder/PackageBuilder.py
- support/package-builder/SpecStructures.py
- support/package-builder/Specutils.py
- support/package-builder/ToolChainUtils.py
- support/package-builder/adjust-gcc-specs.sh
| ... | ... |
@@ -152,7 +152,7 @@ class PackageBuilder(object): |
| 152 | 152 |
shutil.copy2(self.adjustGCCSpecScript, chrootID+"/tmp/"+self.adjustGCCSpecScript) |
| 153 | 153 |
cmdUtils=CommandUtils() |
| 154 | 154 |
cmd = "/tmp/"+self.adjustGCCSpecScript+opt |
| 155 |
- logFile = logPath+"adjustGCCSpecScript.log" |
|
| 155 |
+ logFile = logPath+"/adjustGCCSpecScript.log" |
|
| 156 | 156 |
chrootCmd=self.runInChrootCommand+" "+chrootID |
| 157 | 157 |
returnVal = cmdUtils.runCommandInShell(cmd, logFile, chrootCmd) |
| 158 | 158 |
if not returnVal: |
| ... | ... |
@@ -73,6 +73,12 @@ class Package(object): |
| 73 | 73 |
if content.find("%{version}") != -1:
|
| 74 | 74 |
content = content.replace('%{version}',self.version)
|
| 75 | 75 |
|
| 76 |
+ if content.find("%{?dist}") != -1:
|
|
| 77 |
+ content = content.replace('%{?dist}',self.distribution)
|
|
| 78 |
+ |
|
| 79 |
+ if content.find("%{dist}") != -1:
|
|
| 80 |
+ content = content.replace('%{dist}',self.distribution)
|
|
| 81 |
+ |
|
| 76 | 82 |
return content |
| 77 | 83 |
|
| 78 | 84 |
def updatePackageMacro(self,macro): |
| ... | ... |
@@ -92,6 +92,12 @@ class Package(object): |
| 92 | 92 |
|
| 93 | 93 |
if content.find("%{version}") != -1:
|
| 94 | 94 |
content = content.replace('%{version}',self.version)
|
| 95 |
+ |
|
| 96 |
+ if content.find("%{?dist}") != -1:
|
|
| 97 |
+ content = content.replace('%{?dist}',self.distribution)
|
|
| 98 |
+ |
|
| 99 |
+ if content.find("%{dist}") != -1:
|
|
| 100 |
+ content = content.replace('%{dist}',self.distribution)
|
|
| 95 | 101 |
|
| 96 | 102 |
return content |
| 97 | 103 |
|
| ... | ... |
@@ -4,6 +4,7 @@ from Logger import Logger |
| 4 | 4 |
from PackageUtils import PackageUtils |
| 5 | 5 |
from constants import constants |
| 6 | 6 |
import subprocess |
| 7 |
+import os.path |
|
| 7 | 8 |
|
| 8 | 9 |
class ToolChainUtils(object): |
| 9 | 10 |
__built_successfull=False |
| ... | ... |
@@ -93,16 +94,23 @@ class ToolChainUtils(object): |
| 93 | 93 |
try: |
| 94 | 94 |
pkgUtils=PackageUtils(self.logName,self.logPath) |
| 95 | 95 |
for package in constants.listCoreToolChainRPMPackages: |
| 96 |
+ rpmPkg=pkgUtils.findRPMFileForGivenPackage(package) |
|
| 97 |
+ if rpmPkg is not None: |
|
| 98 |
+ continue |
|
| 96 | 99 |
chrUtils = ChrootUtils(self.logName,self.logPath) |
| 97 | 100 |
chrootName="build-core-toolchain" |
| 101 |
+ destLogPath=constants.logPath+"/build-"+package |
|
| 102 |
+ if not os.path.isdir(destLogPath): |
|
| 103 |
+ cmdUtils = CommandUtils() |
|
| 104 |
+ cmdUtils.runCommandInShell("mkdir -p "+destLogPath)
|
|
| 98 | 105 |
returnVal,chrootID = chrUtils.createChroot(chrootName) |
| 99 | 106 |
if not returnVal: |
| 100 | 107 |
self.logger.error("Creating chroot failed")
|
| 101 | 108 |
raise Exception("creating chroot failed")
|
| 102 | 109 |
self.prepareBuildEnvironmentChroot(chrootID) |
| 103 |
- rpmPkg=pkgUtils.findRPMFileForGivenPackage(package) |
|
| 104 |
- if rpmPkg is None: |
|
| 105 |
- pkgUtils.buildRPMSForGivenPackage(package, chrootID) |
|
| 110 |
+ #rpmPkg=pkgUtils.findRPMFileForGivenPackage(package) |
|
| 111 |
+ #if rpmPkg is None: |
|
| 112 |
+ pkgUtils.buildRPMSForGivenPackage(package, chrootID,destLogPath) |
|
| 106 | 113 |
chrUtils.destroyChroot(chrootID) |
| 107 | 114 |
chrootID=None |
| 108 | 115 |
self.logger.info("Successfully built toolchain")
|
| ... | ... |
@@ -133,17 +141,17 @@ class ToolChainUtils(object): |
| 133 | 133 |
self.logger.error("Unable to find rpm "+ package +" in current and previous versions")
|
| 134 | 134 |
raise "Input Error" |
| 135 | 135 |
self.logger.debug("Installing rpm:"+rpmFile)
|
| 136 |
- cmd="rpm -i --nodeps --root "+chrootID+" --define \'_dbpath /var/lib/rpm\' "+ rpmFile |
|
| 136 |
+ cmd="rpm -i --nodeps --force --root "+chrootID+" --define \'_dbpath /var/lib/rpm\' "+ rpmFile |
|
| 137 | 137 |
process = subprocess.Popen("%s" %cmd,shell=True,stdout=subprocess.PIPE)
|
| 138 | 138 |
retval = process.wait() |
| 139 | 139 |
if retval != 0: |
| 140 | 140 |
self.logger.error("Installing tool chain package "+package+" failed")
|
| 141 | 141 |
raise "RPM installation failed" |
| 142 |
- |
|
| 142 |
+ |
|
| 143 | 143 |
cmdUtils.runCommandInShell("mkdir -p "+chrootID+constants.topDirPath+"/RPMS")
|
| 144 | 144 |
cmdUtils.runCommandInShell("mkdir -p "+chrootID+constants.topDirPath+"/RPMS/x86_64")
|
| 145 | 145 |
cmdUtils.runCommandInShell("mkdir -p "+chrootID+constants.topDirPath+"/RPMS/noarch")
|
| 146 | 146 |
cmdUtils.runCommandInShell("mkdir -p "+chrootID+constants.topDirPath+"/SOURCES")
|
| 147 | 147 |
cmdUtils.runCommandInShell("mkdir -p "+chrootID+constants.topDirPath+"/SPECS")
|
| 148 | 148 |
self.logger.info("Successfully prepared chroot:"+chrootID)
|
| 149 |
- |
|
| 150 | 149 |
\ No newline at end of file |
| 150 |
+ |
| ... | ... |
@@ -6,22 +6,28 @@ if [ $# -eq 1 -a "x$1" = "xclean" ]; then |
| 6 | 6 |
fi |
| 7 | 7 |
|
| 8 | 8 |
cat <<EOF > `dirname $(gcc --print-libgcc-file-name)`/../specs |
| 9 |
+# add sec hardening flags for cc1. |
|
| 9 | 10 |
*cc1: |
| 10 | 11 |
+ %{!fno-stack-protector:-fstack-protector} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}
|
| 11 | 12 |
|
| 13 |
+# add sec hardening flags for cc1. |
|
| 12 | 14 |
*cc1plus: |
| 13 | 15 |
+ %{!fno-stack-protector:-fstack-protector} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}
|
| 14 | 16 |
|
| 17 |
+# add -D_FORTIFY_SOURCE=2 for preprocessor. |
|
| 15 | 18 |
*cpp: |
| 16 | 19 |
+ %{O1|O2|O3|Os|Ofast:-D_FORTIFY_SOURCE=2}
|
| 17 | 20 |
|
| 21 |
+# add sec hardening flags for linker. |
|
| 18 | 22 |
*link: |
| 19 |
-+ %{r|fno-pie|fno-PIE|fpic|fPIC|fno-pic|fno-PIC|shared:;:-pie} %{!norelro:-z relro} %{!nonow:-z now}
|
|
| 23 |
++ %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared:;:-pie} %{!norelro:-z relro} %{!nonow:-z now}
|
|
| 20 | 24 |
|
| 25 |
+# sec hardening flags require shared libgcc_s during linking. |
|
| 21 | 26 |
*libgcc: |
| 22 | 27 |
+ -lgcc_s |
| 23 | 28 |
|
| 29 |
+# replace default startfile rules to use crt that PIE code requires. |
|
| 24 | 30 |
*startfile: |
| 25 |
-%{!mandroid|tno-android-ld:%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}} crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s};:%{shared: crtbegin_so%O%s;: %{static: crtbegin_static%O%s;: crtbegin_dynamic%O%s}}}
|
|
| 31 |
+%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}} crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s}
|
|
| 26 | 32 |
|
| 27 | 33 |
EOF |