r141 - in trunk/text: chapter02 chapter06

robert at linuxfromscratch.org robert at linuxfromscratch.org
Thu Feb 3 02:54:17 PST 2005


Author: robert
Date: 2005-02-03 03:54:16 -0700 (Thu, 03 Feb 2005)
New Revision: 141

Modified:
   trunk/text/chapter02/06-pie.txt
   trunk/text/chapter06/14-coreutils.txt
   trunk/text/chapter06/16-mktemp.txt
   trunk/text/chapter06/18-findutils.txt
   trunk/text/chapter06/19-gawk.txt
   trunk/text/chapter06/20-ncurses.txt
   trunk/text/chapter06/22-vim.txt
Log:
fpie updates

Modified: trunk/text/chapter02/06-pie.txt
===================================================================
--- trunk/text/chapter02/06-pie.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter02/06-pie.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -4,7 +4,7 @@
 creates an executable which is something between a shared library and a normal
 executable. Programs compiled with these features appear as "shared object"
 with the file(1) command. This allows the executable to behave like a shared
-library so base addresses can be randomized. The PIE program must be linked to
+library so base addresses can be relocatable. The PIE program must be linked to
 Scrt1.o. Scrt1.o is available from the newer versions of Libc. Furthermore
 these programs must be linked with the -pie ld(1) command from a Binutils
 version 2.15 or later. GCC supports this natively with the -fPIE switch in
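Review bot: on the changed line, "base addresses can be relocatable" reads awkwardly and drops the reason a reader cares about PIE, which the old word "randomized" carried. Suggest keeping both facts, for example "so the program can be loaded at a relocatable base address, which allows that address to be randomized".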
@@ -31,39 +31,48 @@
 
 It is possible for TEXTREL to be present in both executable programs and
 libraries. Further debugging is needed to find the specific code that is
-not position independent, it is most often assembly.
+not position independent, it is most often assembly. If a program errors at
+compile time with with 'ASM' and 'BREG' in the message, this is non-pic
+assembly.
 
-The coreutils uname patch also uses assembly code which is not position
-independent. This uname patch is important for the sanity of the system, so
-it is suggested the uname program be statically linked.
+The coreutils uname patch from LFS also uses assembly code which is not position
+independent.
 
-The man page for ld has a description for -pie
-man 1 ld
+The man page for ld has a description for -pie. See: 'man 1 ld'.
  
 Use the "NOELFRELOCS" in PaX or Grsec kernel options to disable text
 relocation.
 
-Libraries can not be compiled with -fPIE or linked with -pie, the key word is
-'executable'. The specs modifications adds filters to the link_command spec
-to distinguish executables from libraries, so the ld -pie switch is only passed
-when linking executables. The same filters can not be used for cc1, so the
-cc1 spec passes -fPIC instead of -fPIE to everything unless the -static or
--no-pie flags are used. Using 'gcc -fPIC' with 'ld -pie' works fairly well,
-but to take full advantage of the tool chain features it is ideal to use the
--fPIE option, but only when compiling program executables. fPIE is known to
-cause text relocation in some programs, so it must be used with care. In this
-book we set CC="-pie -fPIE" with packages that can use it properly. Beyond
-this book you are safe not using -fPIE, but if you want to you will have to
-use 'readelf -d' to check for TEXTREL. This is only a minor detail of how
-programs are compiled, and the PaX/Grsec kernel features will work equally
-well using fPIC as with using fPIE.
+The fPIE flag can only be passed to executables, not libraries. The fPIE flag
+gives some advantages over fPIC in that the compiler can assume the code will
+stay local to the program. This translates into optimizations having a greater
+effect; non-static functions can be inlined at -O3, etc. The hardened-specs used
+in the book adds filters to the GCC link_command spec to distinguish executables
+from libraries, so the ld -pie switch is only passed when linking executables.
+The same filters can not be used for cc1, so the cc1 spec passes -fPIC instead
+of -fPIE to everything unless the -static or -no-pie flags are used. Using
+'gcc -fPIC' with 'ld -pie' works fairly well, all the PaX/Grsec kernel features
+will be able to have full advantages. fPIE is known to cause text relocation
+in some programs, so it must be used with care. In this book we patch some
+programs, and use sed(1) commands on others, to add 'gcc -pie -fpie' on program
+executables. fPIE must be added surgically, and not to environment cflags. The
+hardened-specs preserves the vanilla 'gcc -pie' behaviour, meaning if you use
+'gcc -pie' neither -fpic nor -fpie will be automatically added, so both
+'-pie -fpie' must be used together (as per the gcc man page). 'gcc -pie' affects
+which startfiles are used (Scrt.o), so it must be used in conjuction with
+'ld -pie'. Almost all packages use GCC to do linking, so setting environment
+ldflags is almost never needed.
 
-On x86 systems -fPIC and -fpic are exactly the same.
-Ditto with -fPIE and -fpie.
+Beyond the packages in this book the hardened-specs will work perfectly fine
+with -fPIC. If you wish to use -fPIE to have greater optimization be sure
+to use 'readelf -d' to check for TEXTREL. If -fPIE is passed to one object in
+a library it will cause a TEXTREL section in that library, and it will not
+work correctly.
+
+On x86 systems -fPIC and -fpic are exactly the same. Ditto with -fPIE and -fpie.
  
 Also see:
-http://pax.grsecurity.net/
-http://www.grsecurity.net/
+http://pax.grsecurity.net/docs/index.html
 http://netbsd.gw.com/cgi-bin/man-cgi?link+5+NetBSD-current
 http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
 http://sources.redhat.com/ml/binutils/2003-05/msg00832.html
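Review bot: the rewritten uname paragraph states that the LFS uname patch uses non-position-independent assembly but no longer says what to do about it, because the static-linking suggestion was removed without a replacement. Say whether uname should be left out of '-pie -fpie', linked statically, or accepted with TEXTREL. Smaller points in the added lines: "with with" is doubled, "conjuction" should be "conjunction", and "Scrt.o" should match the "Scrt1.o" named at the top of the file. The "Also see" list drops http://www.grsecurity.net/ while the text still refers to Grsec kernel options.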

Modified: trunk/text/chapter06/14-coreutils.txt
===================================================================
--- trunk/text/chapter06/14-coreutils.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/14-coreutils.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -5,6 +5,10 @@
 
 patch -Np1 -i ../coreutils-5.2.1-suppress_uptime_kill_su-1.patch
 
+# Add -fpie to the programs.
+
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i src/Makefile.in
+
 # Configure and make Coreutils.
 
 env DEFAULT_POSIX2_VERSION=199209 \
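Review bot: the sed appends '-pie -fpie' to every CFLAGS line in src/Makefile.in, so it applies to all programs built from that directory with no exception for uname, which chapter02 in this same revision describes as carrying non-position-independent assembly when the LFS uname patch is used. Either exclude uname or add a post-build step that runs 'readelf -d' on the installed programs and checks for TEXTREL, as chapter02 recommends. The new comment says "-fpie" while the command also adds "-pie"; mention both.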

Modified: trunk/text/chapter06/16-mktemp.txt
===================================================================
--- trunk/text/chapter06/16-mktemp.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/16-mktemp.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -2,6 +2,7 @@
 
 # Use /dev/erandom as for the random device.
 
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i Makefile.in &&
 patch -Np1 -i ../mktemp-1.5-add_tempfile-1.patch &&
 ./configure --prefix=/usr --with-libc \
 	--with-random=/dev/erandom ${disable_nls} &&
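Review bot: the sed line is inserted directly under the existing comment "# Use /dev/erandom as for the random device.", which now appears to describe the sed rather than the configure option it was written for. Give the sed its own comment, as the coreutils change does with "# Add -fpie to the programs.", and keep the erandom comment next to the patch and configure lines.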

Modified: trunk/text/chapter06/18-findutils.txt
===================================================================
--- trunk/text/chapter06/18-findutils.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/18-findutils.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -1,5 +1,6 @@
 - Chapter 6 - Installing Findutils 4.2.11
 
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i {find,locate,xargs}/Makefile.in &&
 ./configure --prefix=/usr --libexecdir=/usr/lib/locate \
 	--localstatedir=/var/lib/locate ${disable_nls} &&
 make
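Review bot: '{find,locate,xargs}/Makefile.in' on the added line relies on shell brace expansion, which is a bash feature and not POSIX sh; in a shell without it, sed receives the literal string and fails, and the '&&' chain stops before configure. State that the commands assume bash, or list the three Makefile.in paths explicitly. A short comment explaining the sed, as in the coreutils chapter, is also missing here.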

Modified: trunk/text/chapter06/19-gawk.txt
===================================================================
--- trunk/text/chapter06/19-gawk.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/19-gawk.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -1,6 +1,6 @@
 - Chapter 6 - Installing Gawk 3.1.4
 
-env CC="gcc -pie -fPIE" \
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i Makefile.in &&
 ./configure --prefix=/usr --libexecdir=/usr/lib \
 	${disable_nls} &&
 make
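Review bot: the replacement changes the flag from '-fPIE' to '-fpie' as well as moving it from CC to the Makefile.in CFLAGS line, and chapter02 in this revision says the two spellings are the same on x86 only. If the book is meant to be usable on other architectures, keep '-fPIE' or note the x86 assumption here. The move from CC to CFLAGS also means the flags now take effect only where the Makefile uses CFLAGS, so a check of the built gawk with file(1) or 'readelf -d' after 'make' would confirm the result.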

Modified: trunk/text/chapter06/20-ncurses.txt
===================================================================
--- trunk/text/chapter06/20-ncurses.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/20-ncurses.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -1,5 +1,6 @@
 - Chapter 6 - Installing Ncurses 5.4
 
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i {progs,tack}/Makefile.in &&
 ./configure --prefix=/usr --with-shared --without-debug \
 	--without-normal ${disable_nls} &&
 make &&
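Review bot: the pattern '^CFLAGS.*$' on the added line matches any line that begins with the letters CFLAGS, not only the assignment to the CFLAGS variable, so a variable with a longer name starting with CFLAGS in progs/Makefile.in or tack/Makefile.in would also receive '-pie -fpie'. This package is configured with --with-shared, and chapter02 warns that -fPIE in a single library object causes TEXTREL in that library, so the match should be tight: for example '^CFLAGS[[:space:]]*=' in place of '^CFLAGS'. The brace expansion here also assumes bash.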

Modified: trunk/text/chapter06/22-vim.txt
===================================================================
--- trunk/text/chapter06/22-vim.txt	2005-02-03 05:41:58 UTC (rev 140)
+++ trunk/text/chapter06/22-vim.txt	2005-02-03 10:54:16 UTC (rev 141)
@@ -13,8 +13,8 @@
 
 # Configure and make Vim.
 
-env CC="gcc -pie -fPIE" \
-	./configure --prefix=/usr --enable-multibyte \
+sed -e 's/^CFLAGS.*$/& -pie -fpie/' -i src/config.mk.in &&
+./configure --prefix=/usr --enable-multibyte \
 	${disable_nls} &&
 make
 
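Review bot: the flags were previously part of CC and so reached both compile and link commands; with the sed on src/config.mk.in, '-pie' reaches the link step only if Vim's link rule uses CFLAGS, which this hunk does not show. Add a check after 'make' that the resulting binary is reported as a "shared object" by file(1), as chapter02 describes for PIE programs, and that 'readelf -d' shows no TEXTREL. The existing comment "# Configure and make Vim." should also mention the PIE edit, and the flag spelling changes from '-fPIE' to '-fpie' here as well.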



