Blame SOURCES/krb5-1.15-beta1-buildconf.patch

1d2312
From 90bf9e3c4a80e7e46e6e00b9d541c6144968cad4 Mon Sep 17 00:00:00 2001
c41359
From: Robbie Harwood <rharwood@redhat.com>
c41359
Date: Tue, 23 Aug 2016 16:45:26 -0400
c41359
Subject: [PATCH] krb5-1.15-beta1-buildconf.patch
c41359
c41359
Build binaries in this package as RELRO PIEs, libraries as partial RELRO,
c41359
and install shared libraries with the execute bit set on them.  Prune out
c41359
the -L/usr/lib* and PIE flags where they might leak out and affect
c41359
apps which just want to link with the libraries. FIXME: needs to check and
c41359
not just assume that the compiler supports using these flags.
c41359
---
c41359
 src/build-tools/krb5-config.in | 7 +++++++
c41359
 src/config/pre.in              | 2 +-
c41359
 src/config/shlib.conf          | 5 +++--
c41359
 3 files changed, 11 insertions(+), 3 deletions(-)
c41359
c41359
diff --git a/src/build-tools/krb5-config.in b/src/build-tools/krb5-config.in
c41359
index c17cb5eb5..1891dea99 100755
c41359
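--- a/src/build-tools/krb5-config.in
+++ b/src/build-tools/krb5-config.in
@@ -226,6 +226,13 @@ if test -n "$do_libs"; then
 	    -e 's#\$(PTHREAD_CFLAGS)#'"$PTHREAD_CFLAGS"'#' \
 	    -e 's#\$(CFLAGS)##'`
 
+    if test `dirname $libdir` = /usr ; then
+        lib_flags=`echo $lib_flags | sed -e "s#-L$libdir##" -e "s#$RPATH_FLAG$libdir##"`
+    fi
+    lib_flags=`echo $lib_flags | sed -e "s#-fPIE##g" -e "s#-pie##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,relro##g"`
+    lib_flags=`echo $lib_flags | sed -e "s#-Wl,-z,now##g"`
+
     if test $library = 'kdb'; then
 	lib_flags="$lib_flags -lkdb5 $KDB5_DB_LIB"
 	library=krb5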
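Review bot: The added `sed` expressions match substrings rather than whole flags, so `s#-L$libdir##` would also eat the front of a longer path that merely starts with the library directory and leave a dangling path fragment in the output; `$libdir` is also interpolated into the pattern as a regular expression. The `dirname $libdir` test is unquoted, so an empty or space-containing libdir becomes a `test` syntax error instead of a clean false; wrapping both the command substitution and `$libdir` in double quotes and matching on whitespace boundaries would make the pruning predictable. Since the hunk deliberately strips `-Wl,-z,relro` and `-Wl,-z,now` from what krb5-config prints, a short comment above these lines saying that consumers must supply their own hardening flags would help, e.g. `# hardening flags are build-local; callers of krb5-config set their own`. The enclosing `if test -n "$do_libs"` block starts and ends outside the hunk.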
c41359
diff --git a/src/config/pre.in b/src/config/pre.in
1d2312
index 917357df9..a8540ae2a 100644
c41359
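--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -185,7 +185,7 @@ INSTALL_PROGRAM=@INSTALL_PROGRAM@ $(INSTALL_STRIP)
 INSTALL_SCRIPT=@INSTALL_PROGRAM@
 INSTALL_DATA=@INSTALL_DATA@
 INSTALL_SHLIB=@INSTALL_SHLIB@
-INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755 -o root
+INSTALL_SETUID=$(INSTALL) $(INSTALL_STRIP) -m 4755
 ## This is needed because autoconf will sometimes define @exec_prefix@ to be
 ## ${prefix}.
 prefix=@prefix@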
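Review bot: `INSTALL_SETUID` still sets mode 4755 but no longer forces `-o root`, so the installed file is set-uid to whichever account runs the install step, and neither this hunk nor the patch description records that. This is presumably intended so the package can be built unprivileged, in which case correct ownership depends entirely on the packaging manifest. I would add a comment above the assignment, e.g. `## -o root removed for unprivileged package builds; packaging must set owner root on set-uid files`, and mention the change in the description.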
c41359
diff --git a/src/config/shlib.conf b/src/config/shlib.conf
c41359
index 3e4af6c02..2b20c3fda 100644
c41359
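--- a/src/config/shlib.conf
+++ b/src/config/shlib.conf
@@ -423,7 +423,7 @@ mips-*-netbsd*)
 	# Linux ld doesn't default to stuffing the SONAME field...
 	# Use objdump -x to examine the fields of the library
 	# UNDEF_CHECK is suppressed by --enable-asan
-	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)'
+	LDCOMBINE='$(CC) -shared -fPIC -Wl,-h,$(LIBPREFIX)$(LIBBASE)$(SHLIBSEXT) $(UNDEF_CHECK)  -Wl,-z,relro -Wl,--warn-shared-textrel'
 	UNDEF_CHECK='-Wl,--no-undefined'
 	# $(EXPORT_CHECK) runs export-check.pl when in maintainer mode.
 	LDCOMBINE_TAIL='-Wl,--version-script binutils.versions $(EXPORT_CHECK)'
@@ -435,7 +435,8 @@ mips-*-netbsd*)
 	SHLIB_EXPFLAGS='$(SHLIB_RPATH_FLAGS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
 	PROFFLAGS=-pg
 	PROG_RPATH_FLAGS='$(RPATH_FLAG)$(PROG_RPATH)'
-	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) $(LDFLAGS)'
+	CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'
+	INSTALL_SHLIB='${INSTALL} -m755'
 	CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) $(CFLAGS) $(LDFLAGS)'
 	CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) $(LDFLAGS)'
 	CXX_LINK_STATIC='$(CXX) $(PROG_LIBPATH) $(CXXFLAGS) $(LDFLAGS)'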
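Review bot: In the second hunk only `CC_LINK_SHARED` receives `-pie -Wl,-z,relro -Wl,-z,now`; `CXX_LINK_SHARED` two lines below is unchanged, so any program linked through the C++ rule would not come out as a full-RELRO PIE. If that is not deliberate, the same flags belong there: `CXX_LINK_SHARED='$(CXX) $(PROG_LIBPATH) $(PROG_RPATH_FLAGS) $(CXXFLAGS) -pie -Wl,-z,relro -Wl,-z,now $(LDFLAGS)'`. Linking with `-pie` also needs objects compiled with `-fPIE` or `-fPIC`, which this hunk does not add, so presumably that comes from the CFLAGS the package build passes in; a comment saying so would help. In the first hunk `-Wl,--warn-shared-textrel` only warns, so a text relocation in a library will not fail the build. The enclosing case branch starts outside both hunks.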