hardened xorg

Robert Connolly robert at linuxfromscratch.org
Wed Feb 16 18:56:11 PST 2005


Hi. I just sent two patches for xorg to build the modules and server position 
independent. A third patch will be needed because the modules can't use 
-z now; I took -z now out of the specs for my test. This is tested on uClibc; 
Glibc should work too. Tested on xorg/X11R6.8.2.

These are to get rid of text relocations (the first one is from Debian, the 
second from Gentoo):
patch -Np1 -i ../xorg-6.8.2-libGL_PIC-1.patch
patch -Np1 -i ../xorg-6.8.2-BUSmemcpy_PIC-1.patch

This is for stack protector:
patch -Np1 -i ../XFree86-4.3.0-ssp-1.patch

For uClibc:
sed -i -e "s/-DNEEDCEILF//g" lib/GLU/libnurbs/internals/Imakefile
sed -i -e 's:GLXCLIENTDIRS = glxinfo glxgears:GLXCLIENTDIRS = :' \
        programs/Imakefile

Add this to config/cf/host.def:
#define MakeDllModules		YES

For uClibc:
#define HasLibCrypt		YES
#define HasBasename		YES

This may or may not be needed for Glibc; I needed it for uClibc:
#define TermcapLibrary		-lncurses

And that's it; the rest is like BLFS. I'll make a hardened_cflags patch and I 
think I'll add this to the book soon, and run it on my desktop :-) Don't 
expect a few apps to work, like mplayer, but qt/kde is expected to work.

robert
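
Added example (not part of the message above or of the patches it refers to): a shell check that reports, for each shared object in a tree, whether it still carries text relocations and whether it was linked with -z now, by reading `readelf -d` output. The function names and the sample readelf excerpts are constructed for illustration, and readelf from binutils is assumed to be installed.

```shell
#!/bin/sh
# Added example: classify ELF objects by text relocations and binding mode.

# Reads `readelf -d` output on stdin; prints "<TEXTREL|no-TEXTREL> <BIND_NOW|lazy>".
classify_dynamic() {
    awk '
        /\(TEXTREL\)/                 { textrel = 1 }  # DT_TEXTREL entry
        /\(FLAGS\)/ && /TEXTREL/      { textrel = 1 }  # DF_TEXTREL in DT_FLAGS
        /\(BIND_NOW\)/                { now = 1 }      # DT_BIND_NOW entry
        /\(FLAGS\)/ && /BIND_NOW/     { now = 1 }      # DF_BIND_NOW in DT_FLAGS
        /\(FLAGS_1\)/ && / NOW( |$)/  { now = 1 }      # DF_1_NOW in DT_FLAGS_1
        END {
            printf "%s %s\n", (textrel ? "TEXTREL" : "no-TEXTREL"), (now ? "BIND_NOW" : "lazy")
        }'
}

# Walks a build or install tree (the path is the caller's choice) and
# classifies every shared object found under it.
scan_tree() {
    find "$1" -type f \( -name '*.so' -o -name '*.so.*' \) | while IFS= read -r f; do
        if dyn=$(readelf -d "$f" 2>/dev/null); then
            printf '%s: %s\n' "$f" "$(printf '%s\n' "$dyn" | classify_dynamic)"
        else
            printf '%s: unreadable\n' "$f"
        fi
    done
}

# Constructed `readelf -d` excerpts (not captured from a real build).
SAMPLE_TEXTREL=' 0x00000001 (NEEDED)      Shared library: [libc.so.0]
 0x00000016 (TEXTREL)     0x0
 0x0000001e (FLAGS)       TEXTREL'
SAMPLE_PIC_NOW=' 0x00000001 (NEEDED)      Shared library: [libc.so.0]
 0x0000001e (FLAGS)       BIND_NOW
 0x6ffffffb (FLAGS_1)     Flags: NOW'
SAMPLE_PIC_LAZY=' 0x00000001 (NEEDED)      Shared library: [libc.so.0]
 0x0000000e (SONAME)      Library soname: [libexample.so]'

if [ "$#" -gt 0 ]; then
    for dir in "$@"; do scan_tree "$dir"; done
else
    for s in "$SAMPLE_TEXTREL" "$SAMPLE_PIC_NOW" "$SAMPLE_PIC_LAZY"; do
        printf '%s\n' "$s" | classify_dynamic
    done
fi
```

Run it with one or more directory arguments to scan built objects; with no argument it classifies the three embedded samples.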


