|
 |
5af5b2 |
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
|
|
|
5af5b2 |
and install shared libraries with the execute bit set on them. Prune out
|
|
|
5af5b2 |
the -L/usr/lib* and PIE flags where they might leak out and affect
|
|
|
5af5b2 |
apps which just want to link with the libraries. FIXME: needs to check and
|
|
|
5af5b2 |
not just assume that the compiler supports using these flags.
|
|
|
5af5b2 |
|
|
|
5af5b2 |
--- krb5/src/config/shlib.conf
|
|
|
5af5b2 |
+++ krb5/src/config/shlib.conf
|
|
|
5af5b2 |
@@ -419,7 +419,7 @@ mips-*-netbsd*)
|
|
|
5af5b2 |
SHLIBEXT=.so
|
|
|
5af5b2 |
# Linux ld doesn't default to stuffing the SONAME field...
|
|
|
5af5b2 |
# Use objdump -x to examine the fields of the library
|
|
|
5af5b2 |
- LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined'
|
|
|
4be148 |
+ LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT),--no-undefined -Wl,-z,relro -Wl,--warn-shared-textrel'
|
|
|
5af5b2 |
#
|
|
|
5af5b2 |
LDCOMBINE_TAIL='-Wl,--version-script binutils.versions && $(PERL) -w $(top_srcdir)/util/export-check.pl $(SHLIB_EXPORT_FILE) $@'
|
|
|
5af5b2 |
SHLIB_EXPORT_FILE_DEP=binutils.versions
|
|
|
5af5b2 |
@@ -430,7 +430,8 @@
|
|
|
5af5b2 |
SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
|
|
|
5af5b2 |
PROFFLAGS=-pg
|
|
|
5af5b2 |
PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
|
|
|
5af5b2 |
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
|
|
|
5af5b2 |
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
|
|
|
5af5b2 |
+ INSTALL_SHLIB='${INSTALL} -m755'
|
|
|
5af5b2 |
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
|
|
|
5af5b2 |
CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
|
|
|
5af5b2 |
CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'
|
|
|
4be148 |
--- krb5/src/build-tools/krb5-config.in
|
|
|
4be148 |
+++ krb5/src/build-tools/krb5-config.in
|
|
|
5af5b2 |
@@ -189,6 +189,13 @@ if test -n "$do_libs"; then
|
|
|
5af5b2 |
-e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
|
|
|
5af5b2 |
-e 's#\$(CFLAGS)##'`
|
|
|
5af5b2 |
|
|
|
5af5b2 |
+ if test `dirname $libdir` = /usr ; then
|
|
|
5af5b2 |
+ lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
|
|
|
5af5b2 |
+ fi
|
|
|
5af5b2 |
+ lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
|
|
|
5af5b2 |
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
|
|
|
5af5b2 |
+ lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
|
|
|
5af5b2 |
+
|
|
|
5af5b2 |
if test $library = 'kdb'; then
|
|
|
5af5b2 |
lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
|
|
|
5af5b2 |
library=krb5
|
|
|
5af5b2 |
--- krb5/src/config/pre.in
|
|
|
5af5b2 |
+++ krb5/src/config/pre.in
|
|
|
5af5b2 |
@@ -188,7 +188,7 @@
|
|
|
5af5b2 |
INSTALL_SCRIPT=@INSTALL_PROGRAM@
|
|
|
5af5b2 |
INSTALL_DATA=@INSTALL_DATA@
|
|
|
5af5b2 |
INSTALL_SHLIB=@INSTALL_SHLIB@
|
|
|
5af5b2 |
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
|
|
|
5af5b2 |
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
|
|
|
5af5b2 |
## This is needed because autoconf will sometimes define @exec_prefix@ to be
|
|
|
5af5b2 |
## ${prefix}.
|
|
|
5af5b2 |
prefix=@prefix@
|