Blame SOURCES/downstream-Adjust-build-configuration.patch

10fa70
From 4e42a6786a06b7223f27536267492a463a700c76 Mon Sep 17 00:00:00 2001
afd354
From: Robbie Harwood <rharwood@redhat.com>
afd354
Date: Tue, 23 Aug 2016 16:45:26 -0400
10fa70
Subject: [PATCH] [downstream] Adjust build configuration
afd354
afd354
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
afd354
and install shared libraries with the execute bit set on them.  Prune out
afd354
the -L/usr/lib* and PIE flags where they might leak out and affect
afd354
apps which just want to link with the libraries. FIXME: needs to check and
afd354
not just assume that the compiler supports using these flags.
10fa70
10fa70
Last-updated: krb5-1.15-beta1
10fa70
(cherry picked from commit 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9)
afd354
---
afd354
 src/build-tools/krb5-config.in | 7 +++++++
afd354
 src/config/pre.in              | 2 +-
afd354
 src/config/shlib.conf          | 5 +++--
afd354
 3 files changed, 11 insertions(+), 3 deletions(-)
afd354
afd354
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
afd354
index c17cb5eb5..1891dea99 100755
afd354
--- a/src/build-tools/krb5-config.in
afd354
+++ b/src/build-tools/krb5-config.in
afd354
@@ -226,6 +226,13 @@ if test -n "$do_libs"; then
afd354
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
afd354
 	    -e 's#\$(CFLAGS)##'`
afd354
 
afd354
+    if test `dirname $libdir` = /usr ; then
afd354
+        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
afd354
+    fi
afd354
+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
afd354
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
afd354
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
afd354
+
afd354
     if test $library = 'kdb'; then
afd354
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
afd354
 	library=krb5
afd354
diff --git a/src/config/pre.in b/src/config/pre.in
afd354
index 917357df9..a8540ae2a 100644
afd354
--- a/src/config/pre.in
afd354
+++ b/src/config/pre.in
afd354
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
afd354
 INSTALL_SCRIPT=@INSTALL_PROGRAM@
afd354
 INSTALL_DATA=@INSTALL_DATA@
afd354
 INSTALL_SHLIB=@INSTALL_SHLIB@
afd354
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
afd354
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
afd354
 ## This is needed because autoconf will sometimes define @exec_prefix@ to be
afd354
 ## ${prefix}.
afd354
 prefix=@prefix@
afd354
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
afd354
index 3e4af6c02..2b20c3fda 100644
afd354
--- a/src/config/shlib.conf
afd354
+++ b/src/config/shlib.conf
afd354
@@ -423,7 +423,7 @@ mips-*-netbsd*)
afd354
 	# Linux ld doesn't default to stuffing the SONAME field...
afd354
 	# Use objdump -x to examine the fields of the library
afd354
 	# UNDEF_CHECK is suppressed by --enable-asan
afd354
-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
afd354
+	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)  -Wl,-z,relro -Wl,--warn-shared-textrel'
afd354
 	UNDEF_CHECK='-Wl,--no-undefined'
afd354
 	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
afd354
 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
afd354
@@ -435,7 +435,8 @@ mips-*-netbsd*)
afd354
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
afd354
 	PROFFLAGS=-pg
afd354
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
afd354
-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
afd354
+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
afd354
+	INSTALL_SHLIB='${INSTALL} -m755'
afd354
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
afd354
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
afd354
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'