From 4e42a6786a06b7223f27536267492a463a700c76 Mon Sep 17 00:00:00 2001

From: Robbie Harwood <rharwood@redhat.com>

Date: Tue, 23 Aug 2016 16:45:26 -0400

Subject: [PATCH] [downstream] Adjust build configuration

Build binaries in this package as RELRO PIEs, libraries as partial RELRO,

and install shared libraries with the execute bit set on them.  Prune out

the -L/usr/lib* and PIE flags where they might leak out and affect

apps which just want to link with the libraries. FIXME: needs to check and

not just assume that the compiler supports using these flags.

Last-updated: krb5-1.15-beta1

(cherry picked from commit 92508996ed4c69fa6f5cf855fdf10f34cfa07ec9)

---

 src/build-tools/krb5-config.in | 7 +++++++

 src/config/pre.in              | 2 +-

 src/config/shlib.conf          | 5 +++--

 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in

index c17cb5eb5..1891dea99 100755

--- a/src/build-tools/krb5-config.in

+++ b/src/build-tools/krb5-config.in

@@ -226,6 +226,13 @@ if test -n "$do_libs"; then

 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \

 	    -e 's#\$(CFLAGS)##'`

+    if test `dirname $libdir` = /usr ; then

+        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`

+    fi

+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`

+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`

+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`

+

     if test $library = 'kdb'; then

 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"

 	library=krb5

diff --git a/src/config/pre.in b/src/config/pre.in

index 917357df9..a8540ae2a 100644

--- a/src/config/pre.in

+++ b/src/config/pre.in

@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)

 INSTALL_SCRIPT=@INSTALL_PROGRAM@

 INSTALL_DATA=@INSTALL_DATA@

 INSTALL_SHLIB=@INSTALL_SHLIB@

-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root

+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755

 ## This is needed because autoconf will sometimes define @exec_prefix@ to be

 ## ${prefix}.

 prefix=@prefix@

diff --git a/src/config/shlib.conf b/src/config/shlib.conf

index 3e4af6c02..2b20c3fda 100644

--- a/src/config/shlib.conf

+++ b/src/config/shlib.conf

@@ -423,7 +423,7 @@ mips-*-netbsd*)

 	# Linux ld doesn't default to stuffing the SONAME field...

 	# Use objdump -x to examine the fields of the library

 	# UNDEF_CHECK is suppressed by --enable-asan

-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'

+	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)  -Wl,-z,relro -Wl,--warn-shared-textrel'

 	UNDEF_CHECK='-Wl,--no-undefined'

 	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.

 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'

@@ -435,7 +435,8 @@ mips-*-netbsd*)

 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'

 	PROFFLAGS=-pg

 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'

-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'

+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'

+	INSTALL_SHLIB='${INSTALL} -m755'

 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'

 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'

 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'