r51 - in trunk: BOOK text/chapter01 text/chapter02 text/chapter03 text/chapter05 text/chapter05/06-libc text/chapter06 text/chapter06/10-libc

robert at linuxfromscratch.org robert at linuxfromscratch.org
Wed Jan 5 02:43:14 PST 2005


Author: robert
Date: 2005-01-05 03:43:12 -0700 (Wed, 05 Jan 2005)
New Revision: 51

Modified:
   trunk/BOOK/general.ent
   trunk/text/chapter01/changelog.txt
   trunk/text/chapter02/05-ssp.txt
   trunk/text/chapter02/06-pie.txt
   trunk/text/chapter03/packages.txt
   trunk/text/chapter05/02-kernel-headers.txt
   trunk/text/chapter05/06-libc/06-glibc.txt
   trunk/text/chapter05/07-adjusting.txt
   trunk/text/chapter05/11-binutils-native.txt
   trunk/text/chapter05/12-gcc-native.txt
   trunk/text/chapter05/13-gawk.txt
   trunk/text/chapter05/14-coreutils.txt
   trunk/text/chapter05/15-diffutils.txt
   trunk/text/chapter05/16-findutils.txt
   trunk/text/chapter05/17-make.txt
   trunk/text/chapter05/18-grep.txt
   trunk/text/chapter05/19-sed.txt
   trunk/text/chapter05/20-gettext.txt
   trunk/text/chapter05/22-patch.txt
   trunk/text/chapter05/23-tar.txt
   trunk/text/chapter05/24-bzip2.txt
   trunk/text/chapter05/25-gzip.txt
   trunk/text/chapter05/26-texinfo.txt
   trunk/text/chapter05/27-bash.txt
   trunk/text/chapter05/28-m4.txt
   trunk/text/chapter05/31-util-linux.txt
   trunk/text/chapter05/32-perl.txt
   trunk/text/chapter06/01-kernfs.txt
   trunk/text/chapter06/02-chroot.txt
   trunk/text/chapter06/10-libc/10-glibc.txt
   trunk/text/chapter06/57-udev.txt
Log:
more unfinished updates

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/BOOK/general.ent	2005-01-05 10:43:12 UTC (rev 51)
@@ -17,10 +17,10 @@
 <!ENTITY diskspace "Required disk space">
 
 <!ENTITY autoconf-version "2.59">
-<!ENTITY automake-version "1.9.3">
+<!ENTITY automake-version "1.9.4">
 <!ENTITY bash-version "3.0">
-<!ENTITY binutils-version "2.15.94.0.1">
-<!ENTITY bison-version "1.875a">
+<!ENTITY binutils-version "2.15.94.0.2">
+<!ENTITY bison-version "2.0">
 <!ENTITY bzip2-version "1.0.2">
 <!ENTITY coreutils-version "5.2.1">
 <!ENTITY dejagnu-version "1.4.4">
@@ -32,9 +32,7 @@
 <!ENTITY flex-version "2.5.31">
 <!ENTITY gawk-version "3.1.4">
 <!ENTITY gcc-version "3.4.3">
-<!--
 <!ENTITY gettext-version "0.14.1">
--->
 <!ENTITY grep-version "2.5.1a">
 <!ENTITY groff-version "1.19.1">
 <!ENTITY grub-version "0.95">
@@ -49,12 +47,12 @@
 <!ENTITY lfs-bootscripts-version "3.0-rc1">
 <!ENTITY libol-version "0.3.14">
 <!ENTITY libtool-version "1.5.10">
-<!ENTITY linux-version "2.6.7">
-<!ENTITY linux-libc-headers-version "2.6.7.0">
+<!ENTITY linux-version "2.6.10">
+<!ENTITY linux-libc-headers-version "2.6.9.1">
 <!ENTITY m4-version "1.4.2">
 <!ENTITY make-version "3.80">
 <!ENTITY man-version "1.5o1">
-<!ENTITY man-pages-version "1.70">
+<!ENTITY man-pages-version "2.01">
 <!ENTITY mktemp-version "1.5">
 <!ENTITY module-init-tools-version "3.1">
 <!ENTITY ncurses-version "5.4">
@@ -67,13 +65,15 @@
 <!ENTITY shadow-version "4.0.6">
 <!ENTITY syslog-ng-version "1.6.5">
 <!ENTITY sysvinit-version "2.85">
-<!ENTITY tar-version "1.14">
+<!ENTITY tar-version "1.15.1">
 <!ENTITY tcl-version "8.4.9">
 <!ENTITY texinfo-version "4.7">
-<!ENTITY uclibc-version "20041202">
-<!ENTITY uclibc-patch-version "20041128">
+<!ENTITY uclibc-version "20041227">
+<!ENTITY uclibc-patch-version "20041227">
+<!--
 <!ENTITY uclibc-locale-version "030818">
-<!ENTITY udev-version "047">
-<!ENTITY util-linux-version "2.12j">
+-->
+<!ENTITY udev-version "050">
+<!ENTITY util-linux-version "2.12p">
 <!ENTITY vim-version "6.3">
 <!ENTITY zlib-version "1.2.2">

Modified: trunk/text/chapter01/changelog.txt
===================================================================
--- trunk/text/chapter01/changelog.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter01/changelog.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -74,5 +74,7 @@
 January 4rth, 2005 [robert]
 Made patches.txt alphabetical, and added links to new hlfs patch directory.
 Upgrade to kernel 2.6.10, added secrity fix patch; added security patch for
-Vim. Added util-linux-2.12p cramfs patch.
+Vim. Added util-linux-2.12p cramfs patch. Removed sspspecs and piespecs
+patches, replaced with perl and echo commands. Up to automake-1.9.4. Up to
+udev-050.
 

Modified: trunk/text/chapter02/05-ssp.txt
===================================================================
--- trunk/text/chapter02/05-ssp.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter02/05-ssp.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -10,7 +10,7 @@
 and can be easily overcome by optimizations.
 
 The patch for GCC adds -fstack-protector-all, -fstack-protector, and
--fno-stack-protector to extensions for C and C++. -Wstack-protector is also
+-fno-stack-protector* to extensions for C and C++. -Wstack-protector is also
 available to warn when SSP is not used. The patch for Libc adds __guard_setup
 and __stack_smash_handler to libc.so and libc.a. __guard_setup is a function
 used to create a unique and random value for __guard each runtime. The Frandom
@@ -30,13 +30,10 @@
 
 -fstack-protector only protects functions with arrays of length seven of less.
 -fstack-protector-all protects all functions regardless of array size.
--fstack-protector-all should be used only on program executables, not libraries.
--fstack-protector can be used on libraries but this is usually not suggested.
-The SSP specs patch adds -fstack-protector-all to GCC's C and C++ default
-behaviour, with filters. If the filters match "-nostdlib" and alike then the
-SSP flag is not passed. The "-nostdlib" GCC switch means libc.so is not
-being linked, and so SSP won't be able to work. This switch is often used
-when building libraries.
+Because the __guard_setup function is in Libc anything compiled with
+-fstack-protector* will need to preload libc.so (or libc.a). Most applications
+already do this. libc.so itself, ld.so, libbsd-compat.so, etc, are exceptions
+which do not preload libc.so, and so they can not be built with this protection.
  
 There is an entry in the GCC man page for fstack-protector.
 man 1 gcc
@@ -46,7 +43,7 @@
 http://frandom.sourceforge.net/
 http://www.immunix.org/stackguard.html
 
-Operating system vendors using SSP:
+Operating system distributors using SSP (there are many more):
 http://www.adamantix.org/
 http://www.debian-hardened.org/
 http://www.gentoo.org/

Modified: trunk/text/chapter02/06-pie.txt
===================================================================
--- trunk/text/chapter02/06-pie.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter02/06-pie.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -7,22 +7,16 @@
 library so base addresses can be randomized. The PIE program must be linked to
 Scrt1.o. Scrt1.o is available from the newer versions of Libc. Furthermore
 these programs must be linked with the -pie ld(1) command from a Binutils
-version 2.15 or newer. GCC supports this natively wit the -fPIE switch in
-version 3.4 or newer, although this switch is not always needed.
+version 2.15 or later. GCC supports this natively with the -fPIE switch in
+version 3.4 or later.
 
-The PIE specs patch is added to GCC so the compiler links to Scrt1.o, linking
-is done with ld -pie, and so -fPIC is always passed. The filters are only
-for static and kernel compiling, when the PIE switches are not desirable. For
-developers the -no-pie switch is added so normal behaviour can be used; this
-is needed for Grub if it is not compiled statically.
-
 When all of the object code is position independent the kernel can disallow
 text relocation. This dramatically increases the security of the system with
 little preformance loss. PaX and Grsec kernels have this option available
 though very few systems have been able to take advantage of it. The entire
 base system can be built position independent with the exception of the Grub
-boot loader. This program will still function if it is dynamically linked,
-although for consistancy it is better to statically link Grub. Other exceptions
+boot loader, and Glibc's utilities due to non-pic assembly code. These
+programs will still function if they are dynamically linked. Other exceptions
 are X11 windowing system, Mplayer, and a few other graphical programs which
 were not programed with PIE in mind, this should come in time. Gzip uses
 assembly code which is not position independent, but this can be ommited
@@ -32,7 +26,7 @@
 Space Layout Randomization (ASLR). This can prevent security bugs from being
 taken advantage of by attackers.
 
-You can search for text relocation bugs in programs with the following command:
+You can search for text relocation in programs with the following command:
 readelf -d /path/to/object | grep TEXTREL
 
 It is possible for TEXTREL to be present in both executable programs and
@@ -48,6 +42,24 @@
  
 Use the "NOELFRELOCS" in PaX or Grsec kernel options to disable text
 relocation.
+
+Libraries can not be compiled with -fPIE or linked with -pie, the key word is
+'executable'. The specs modifications adds filters to the link_command spec
+to disinguish executables from libraries, so the ld -pie switch is only passed
+when linking executables. The same filters can not be used for cc1, so the
+cc1 spec passes -fPIC instead of -fPIE to everything unless the -static or
+-no-pie flags are used. Using 'gcc -fPIC' with 'ld -pie' works fairly well,
+but to take full advantage of the toolchain features it is ideal to use the
+-fPIE option, but only when compiling program executables. fPIE is known to
+cause text relocation in some programs, so it must be used with care. In this
+book we set CC="-pie -fPIE" with packages that can use it properly. Beyond
+this book you are safe not using -fPIE, but if you want to you will have to
+use 'readelf -d' to check for TEXTREL. This is only a minor detail of how
+programs are compiled, and the PaX/Grsec kernel features will work equally
+well using fPIC as with using fPIE.
+
+On x86 systems -fPIC and -fpic are exactly the same.
+Ditto with -fPIE and -fpie.
  
 Also see:
 http://pax.grsecurity.net/

Modified: trunk/text/chapter03/packages.txt
===================================================================
--- trunk/text/chapter03/packages.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter03/packages.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,7 +1,6 @@
-http://www.uclibc.org/downloads/snapshots/uClibc-20041202.tar.bz2
-http://www.uclibc.org/downloads/uClibc-locale-030818.tgz
-http://ep09.pld-linux.org/~mmazur/linux-libc-headers/linux-libc-headers-2.6.7.0.tar.bz2
-ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.15.94.0.1.tar.bz2
+http://www.uclibc.org/downloads/snapshots/uClibc-20041227.tar.bz2
+http://ep09.pld-linux.org/~mmazur/linux-libc-headers/linux-libc-headers-2.6.9.1.tar.bz2
+ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.15.94.0.2.tar.bz2
 ftp://ftp.gnu.org/pub/gnu/gcc/gcc-3.4.3/gcc-core-3.4.3.tar.bz2
 ftp://ftp.gnu.org/pub/gnu/gcc/gcc-3.4.3/gcc-g++-3.4.3.tar.bz2
 ftp://ftp.gnu.org/pub/gnu/gcc/gcc-3.4.3/gcc-testsuite-3.4.3.tar.bz2
@@ -17,17 +16,17 @@
 ftp://ftp.gnu.org/gnu/sed/sed-4.1.2.tar.gz
 ftp://ftp.gnu.org/pub/gnu/ncurses/ncurses-5.4.tar.gz
 ftp://alpha.gnu.org/pub/gnu/diffutils/patch-2.5.9.tar.gz
-ftp://ftp.gnu.org/pub/gnu/tar/tar-1.14.tar.bz2
+ftp://ftp.gnu.org/pub/gnu/tar/tar-1.15.1.tar.bz2
 ftp://sources.redhat.com/pub/bzip2/v102/bzip2-1.0.2.tar.gz
 ftp://alpha.gnu.org/gnu/gzip/gzip-1.3.5.tar.gz
 ftp://ftp.gnu.org/gnu/texinfo/texinfo-4.7.tar.bz2
 ftp://ftp.gnu.org/pub/gnu/bash/bash-3.0.tar.gz
 ftp://ftp.gnu.org/pub/gnu/m4/m4-1.4.2.tar.gz
-http://ftp.tuniv.szczecin.pl/pub/Linux/alpha-gnu/bison/bison-1.875a.tar.bz2
+ftp://alpha.gnu.org/pub/gnu/bison/bison-2.0.tar.gz
 http://umn.dl.sourceforge.net/sourceforge/lex/flex-2.5.31.tar.bz2
-ftp://ftp.win.tue.nl/pub/home/aeb/linux-local/utils/util-linux/util-linux-2.12j.tar.gz
+ftp://ftp.win.tue.nl/pub/home/aeb/linux-local/utils/util-linux/util-linux-2.12p.tar.gz
 http://www.cpan.org/src/perl-5.8.6.tar.bz2
-ftp://ftp.kernel.org/pub/linux/docs/manpages/man-pages-1.70.tar.bz2
+ftp://ftp.kernel.org/pub/linux/docs/manpages/man-pages-2.01.tar.bz2
 http://www.zlib.net/zlib-1.2.2.tar.gz
 ftp://ftp.mktemp.org/pub/mktemp/mktemp-1.5.tar.gz
 http://www.sethwklein.net/projects/iana-etc/downloads/iana-etc-1.03.tar.bz2
@@ -38,7 +37,7 @@
 ftp://ftp.gnu.org/pub/gnu/inetutils/inetutils-1.4.2.tar.gz
 http://developer.osdl.org/dev/iproute2/download/iproute2-2.6.9-ss040831.tar.gz
 ftp://ftp.gnu.org/pub/gnu/autoconf/autoconf-2.59.tar.bz2
-ftp://ftp.gnu.org/pub/gnu/automake/automake-1.9.3.tar.bz2
+ftp://ftp.gnu.org/pub/gnu/automake/automake-1.9.4.tar.bz2
 ftp://ftp.astron.com/pub/file/file-4.12.tar.gz
 ftp://ftp.gnu.org/gnu/libtool/libtool-1.5.10.tar.gz
 ftp://ftp.win.tue.nl/pub/linux-local/utils/kbd/kbd-1.12.tar.gz
@@ -53,10 +52,10 @@
 http://www.balabit.com/downloads/syslog-ng/libol/0.3/libol-0.3.14.tar.gz
 http://www.balabit.com/downloads/syslog-ng/1.6/src/syslog-ng-1.6.5.tar.gz
 ftp://ftp.cistron.nl/pub/people/miquels/sysvinit/sysvinit-2.85.tar.gz
-ftp://ftp.kernel.org/pub/linux/utils/kernel/hotplug/udev-047.tar.bz2
+ftp://ftp.kernel.org/pub/linux/utils/kernel/hotplug/udev-050.tar.bz2
 http://downloads.linuxfromscratch.org/udev-config-2.permissions
 http://downloads.linuxfromscratch.org/udev-config-1.rules
-http://www.linuxfromscratch.org/~nathan/lfs-bootscripts/lfs-bootscripts-3.0.tar.bz2
-http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20041203.tar.bz2
-ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.7.tar.bz2
+http://www.linuxfromscratch.org/~nathan/lfs-bootscripts/lfs-bootscripts-3.1.0.tar.bz2
+http://www.linuxfromscratch.org/blfs/downloads/svn/blfs-bootscripts-20041227.tar.bz2
+ftp://ftp.kernel.org/pub/linux/kernel/v2.6/linux-2.6.10.tar.bz2
 

Modified: trunk/text/chapter05/02-kernel-headers.txt
===================================================================
--- trunk/text/chapter05/02-kernel-headers.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/02-kernel-headers.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -2,7 +2,7 @@
 
 # The --no-backup-if-mismatch option prevents Patch from creating .orig files,
 # so they don't get installed to /tools/include. .orig files might be named
-# something else depending on the version of Patch, and modifications to it.
+# something else depending on the version of Patch.
 
 patch --no-backup-if-mismatch -Np1 -i \
 	../linux-libc-headers-2.6-frandom-2.patch &&

Modified: trunk/text/chapter05/06-libc/06-glibc.txt
===================================================================
--- trunk/text/chapter05/06-libc/06-glibc.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/06-libc/06-glibc.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -37,10 +37,7 @@
 
 # If you want to install locales, then the following commands are suggested.
 # If you want to install them all then replace the following commands with
-# 'make localedata/install-locales'. English users usually do not need any
-# of this. They can be installed later in chapter 6 because GCC and others
-# need some locales to run tests. If you want to run GCC tests in this chapter
-# then these need to be installed.
+# 'make localedata/install-locales'.
 
 install -d /tools/lib/locale &&
 localedef -i de_DE -f ISO-8859-1 de_DE &&

Modified: trunk/text/chapter05/07-adjusting.txt
===================================================================
--- trunk/text/chapter05/07-adjusting.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/07-adjusting.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -4,9 +4,9 @@
 
 make -C ld install
 
-# The normal test we do here won't work because our ${target}-gcc is
-# only building with static linking. If the next package builds then
-# everything should be going well.
+# The normal link test we do here won't work because our ${target}-gcc is
+# only building with static linking. We can do this test later in this
+# chapter.
 
 # Now you can remove the binutils source and build directories.
 

Modified: trunk/text/chapter05/11-binutils-native.txt
===================================================================
--- trunk/text/chapter05/11-binutils-native.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/11-binutils-native.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -15,12 +15,13 @@
 	--enable-shared --with-lib-path=/tools/lib &&
 make
 
-# Run the tests if you want. There are no expected failures with Glibc. There
-# are 27 known failures with uClibc.
+# Run the tests if you want. There are no expected failures with Glibc,
+# except for 3 unresolved tests due to missing g++. There are 27 known
+# failures with uClibc. For uClibc use 'make -k check'.
 
 make check
 
-# Then install Binutils.
+# Then install Binutils and rebuild a new linker for use later in chapter 6.
 
 make install &&
 make -C ld clean &&

Modified: trunk/text/chapter05/12-gcc-native.txt
===================================================================
--- trunk/text/chapter05/12-gcc-native.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/12-gcc-native.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -9,17 +9,12 @@
 patch -Np1 -i ../gcc-3.4.3-uclibc_libstdc++-1.patch &&
 patch -Np1 -i ../gcc-3.4.3-uclibc_locale-1.patch
 
-# These patches add hardened toolchain features. The ssp patches add
-# functions and default specs for smashing stack protector. The piespecs
-# patch makes 'ld -pie -z now -z relro' and 'gcc -fPIC' the default
-# behaviour, and links to Scrt.o. The sed command modifies the version
-# and help string for future reference.
+# This patch adds the stack protector code for GCC. The bugs URL and version
+# strings are modified as the comments in version.c recommends.
 
 patch -Np1 -i ../gcc-3.4.3-ssp-3.patch &&
-patch -Np1 -i ../gcc-3.4.3-sspspecs-5.patch &&
-patch -Np1 -i ../gcc-3.4.3-piespecs_x86-2.patch &&
 sed -e 's at gcc.gnu.org/bugs.html at bugs.linuxfromscratch.org/@' \
-        -e 's/3.4.3/3.4.3 ssp - pie/' -i gcc/version.c
+        -e 's/3.4.3/3.4.3 (ssp)/' -i gcc/version.c
 
 # Then compile the new shared compiler.
 
@@ -37,36 +32,66 @@
 	--with-dynamic-linker=${ldso} --with-nostdinc &&
 make
 
-# If you plan to run GCC, Binutils, or Libc tests now or in chapter 6 then you
-# will need vanilla GCC specs. Run this to install a copy.
-
-sed -e 's/3.4.2/3.4.3/' -e "s:/tools/lib/ld-linux.so.2:${ldso}:" \
-        < ../gcc-3.4.3/gcc/gcc-3.4.2-generic_i686-specs_chap5-pass2 \
-        > $(gcc/xgcc --print-file specs)-generic
-
 # Run the tests if you like. Using Glibc there should only be a few failures.
 # Consult the LFS GCC test notes for details on GCC's test results. With
 # uClibc there will be many failures.
 
-install -m444 gcc/specs gcc/specs.orig &&
-install -m644 $(gcc/xgcc --print-file specs)-generic gcc/specs &&
 make -k check
 
-# After the tests, restore the specs file.
-
-install -m644 gcc/specs.orig gcc/specs
-
 # Then install GCC.
 
 make install &&
 ln -s gcc /tools/bin/cc
 
+# Adding hardened specs:
+# These commands depend on Perl. If you do not have Perl installed on your
+# host system then you can skip this, and testing, and return here after
+# Perl is installed later in this chapter.
+#
+# These commands will add -fstack-protector-all to the default for gcc and
+# g++. The only filter is for -fno-stack-protector*.
+
+perl -pi -e 's@\*cc1:\n@$_%(cc1_pie) %(cc1_ssp) @;' \
+	$(gcc --print-file specs) &&
+perl -pi -e 's@\*cc1plus:\n@$_%(cc1_pie) %(cc1_ssp) @;' \
+	$(gcc --print-file specs) &&
+echo '*cc1_ssp:
+%{!fno-stack-protector*: -fstack-protector-all}
+' >> $(gcc --print-file specs)
+
+# These commands will make 'gcc -fPIC', 'ld -pie', and 'cpp -D__PIC__ -DPIC'
+# the default. The exact default behaviour for 'gcc -pie' will be preserved.
+# If -pie, -no-pie, or -static are used then the vanilla behaviour will be
+# used instead. Additional filters are added to the link_command spec to
+# prevent libraries from recieving the -pie option.
+# Read ../chapter02/06-pie.txt for more information on this.
+
+# The last echo command in this group must have its line pasted as a single
+# line, sorry. Make sure of this or else gcc will not work.
+
+perl -pi -e 's@%{pie:-pie}@%(link_pie)@;' \
+                $(gcc --print-file specs) &&
+perl -pi -e 's at pie:@!no-pie|pie:@g;' $(gcc --print-file specs) &&
+perl -pi -e 's@\*cpp:\n@$_%(cpp_pie) @;' $(gcc --print-file specs) &&
+echo '*cpp_pie:
+%{!static:%{!no-pie:%{!pie: -D__PIC__ -DPIC}}}
+' >> $(gcc --print-file specs) &&
+echo '*cc1_pie:
+%{!static:%{!no-pie:%{!pie: -fPIC}}}
+' >> $(gcc --print-file specs) &&
+echo '*link_pie:
+%{pie:-pie} %{!pie:%{!static:%{!Bstatic:%{!shared:%{!Bshareable:%{!i:%{!r:%{!no-pie: -pie -z now -z relro}}}}}}}}
+' >> $(gcc --print-file specs)
+
+# You can restore the vanilla gcc specs at any time with
+# 'gcc -dumpspecs > $(gcc --print-file specs)'.
+
 # Testing:
-# Now we can run the test to check that the new GCC is working as expected.
+# Now we can run tests to check that the new GCC is working as expected.
 
 # This program will create a buffer overflow with an array length 7. This
 # will test that -fstack-protector-all is working. It will also print the
-# __guard[] value; this value should change with each runtime.
+# __guard[] value. The __guard value should change with each runtime.
 
 cat > test.c << "EOF"
 #include <stdio.h>
@@ -94,29 +119,28 @@
 # ./test: stack smashing attack in function overflow()
 # Aborted
 
-# Then test g++.
+# Then test g++. The "-pie -fPIE" are added to check they work too.
 
-rm -f test &&
-g++ -o test test.c &&
+g++ -pie -fPIE -o test2 test.c &&
 ./test
 
 # The g++ test should return something very similiar. The __guard value
 # should change, and both tests should recieve an abort signal. Your host
 # system Syslog daemon should also log these events.
 
-# Then make sure it's linking to tools and is creating position independent
+# Then make sure gcc is linking to tools and is creating position independent
 # executables.
 
-readelf -l test | grep -e ': /tools' -e 'Shared'
+readelf -l test{,2} | grep -e ': /tools' -e 'Shared'
 
-# This should return:
+# This should return (twice):
 # Elf file type is DYN (Shared object file)
-#      [Requesting program interpreter: /tools/lib/ld-something]
+#      [Requesting program interpreter: /tools/lib/ld-something.so]
 
 # This test should not return anything, this will ensure the program is
 # position independent. Checking for both 'Shared object' above, and checking
 # that there is no text relocation (TEXTREL), will make sure we will be able
 # to take full advantage of PaX kernel features.
 
-readelf -d test | grep TEXTREL
+readelf -d test{,2} | grep TEXTREL
 

Modified: trunk/text/chapter05/13-gawk.txt
===================================================================
--- trunk/text/chapter05/13-gawk.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/13-gawk.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Gawk 3.1.4
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/14-coreutils.txt
===================================================================
--- trunk/text/chapter05/14-coreutils.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/14-coreutils.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,6 +1,6 @@
 - Chapter 5 - Installing Coreutils 5.2.1
 
-env DEFAULT_POSIX2_VERSION=199209 \
+env DEFAULT_POSIX2_VERSION=199209 CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/15-diffutils.txt
===================================================================
--- trunk/text/chapter05/15-diffutils.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/15-diffutils.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Diffutils 2.8.1
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/16-findutils.txt
===================================================================
--- trunk/text/chapter05/16-findutils.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/16-findutils.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Findutils 4.2.10
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/17-make.txt
===================================================================
--- trunk/text/chapter05/17-make.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/17-make.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Make 3.80
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/18-grep.txt
===================================================================
--- trunk/text/chapter05/18-grep.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/18-grep.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Grep 2.5.1a
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} \
 	--disable-perl-regexp --with-included-regex &&
 make &&

Modified: trunk/text/chapter05/19-sed.txt
===================================================================
--- trunk/text/chapter05/19-sed.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/19-sed.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Sed 4.1.2
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/20-gettext.txt
===================================================================
--- trunk/text/chapter05/20-gettext.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/20-gettext.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,7 +1,8 @@
 - Chapter 5 - Gettext 0.14.1
 
 # If you are using 'disable_nls=--disable-nls' and/or uClibc then the Gettext
-# package can be skipped.
+# package can be skipped. Gettext includes several libraries, so -fPIE will
+# not be used.
 
 ./configure --prefix=/tools ${disable_nls} \
 	--disable-libasprintf --disable-csharp &&

Modified: trunk/text/chapter05/22-patch.txt
===================================================================
--- trunk/text/chapter05/22-patch.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/22-patch.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Patch 2.5.9
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/23-tar.txt
===================================================================
--- trunk/text/chapter05/23-tar.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/23-tar.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Tar 1.15.1
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/24-bzip2.txt
===================================================================
--- trunk/text/chapter05/24-bzip2.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/24-bzip2.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,6 +1,6 @@
 - Chapter 5 - Installing Bzip2 1.0.2
 
-# This is installed late to work around the uClibc bug in Tar which may
+# This is installed late to work around the uClibc bug in Tar-1.14* which may
 # exist on the host system.
 
 make &&

Modified: trunk/text/chapter05/25-gzip.txt
===================================================================
--- trunk/text/chapter05/25-gzip.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/25-gzip.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -5,7 +5,7 @@
 # is disallowed by options in PaX/Grsec kernels. To use only C code instead we
 # set the DEFS enviroment variable.
 
-env DEFS=NO_ASM \
+env DEFS=NO_ASM CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/26-texinfo.txt
===================================================================
--- trunk/text/chapter05/26-texinfo.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/26-texinfo.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing Texinfo 4.7
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/27-bash.txt
===================================================================
--- trunk/text/chapter05/27-bash.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/27-bash.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -6,6 +6,7 @@
 
 # Then build and install Bash.
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} \
 	--without-bash-malloc &&
 make &&

Modified: trunk/text/chapter05/28-m4.txt
===================================================================
--- trunk/text/chapter05/28-m4.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/28-m4.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,5 +1,6 @@
 - Chapter 5 - Installing M4 1.4.2
 
+env CC="gcc -pie -fPIE" \
 ./configure --prefix=/tools ${disable_nls} &&
 make &&
 make install

Modified: trunk/text/chapter05/31-util-linux.txt
===================================================================
--- trunk/text/chapter05/31-util-linux.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/31-util-linux.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -6,7 +6,7 @@
 sed -i 's@/usr/include@/tools/include at g' configure &&
 ./configure &&
 make -C lib &&
-make -C mount mount umount &&
-make -C text-utils more &&
-cp mount/{,u}mount text-utils/more /tools/bin
+make -C mount mount umount CC="gcc -pie -fPIE" &&
+make -C text-utils more CC="gcc -pie -fPIE" &&
+install mount/{,u}mount text-utils/more /tools/bin
 

Modified: trunk/text/chapter05/32-perl.txt
===================================================================
--- trunk/text/chapter05/32-perl.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter05/32-perl.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,9 +1,11 @@
 - Chapter 5 - Installing Perl 5.8.6
 
-# Perl needs a small patch to compile against uClibc, and a second patch
-# to link to /tools.
+# This patch is only needed if you are using uClibc.
 
-patch -Np1 -i ../perl-5.8.6-uclibc-1.patch &&
+patch -Np1 -i ../perl-5.8.6-uclibc-1.patch
+
+# This patch is needed to tell Perl where to find our libc.so (in $prefix).
+
 patch -Np1 -i ../perl-5.8.6-libc-1.patch &&
 ./configure.gnu --prefix=/tools -Dstatic_ext='IO Fcntl POSIX' &&
 make perl utilities &&

Modified: trunk/text/chapter06/01-kernfs.txt
===================================================================
--- trunk/text/chapter06/01-kernfs.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter06/01-kernfs.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -5,6 +5,8 @@
 whoami &&
 echo $LFS
 
+# Then create some directories.
+
 install -d $LFS/{proc,sys} &&
 mount -t proc proc $LFS/proc &&
 mount -t sysfs sysfs $LFS/sys &&

Modified: trunk/text/chapter06/02-chroot.txt
===================================================================
--- trunk/text/chapter06/02-chroot.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter06/02-chroot.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,7 +1,7 @@
 - Chapter 6 - Entering the chroot environment
 
 chroot "$LFS" /tools/bin/env -i \
-    HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \
-    PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin \
-    /tools/bin/bash --login +h
+	HOME=/root TERM="$TERM" PS1='\u:\w\$ ' \
+	PATH=/bin:/usr/bin:/sbin:/usr/sbin:/tools/bin \
+	/tools/bin/bash --login +h
 

Modified: trunk/text/chapter06/10-libc/10-glibc.txt
===================================================================
--- trunk/text/chapter06/10-libc/10-glibc.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter06/10-libc/10-glibc.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,31 +1,42 @@
 - Chapter 6 - Installing Glibc 20041220
 
-# Glibc has test failures if it is built with 'gcc -pie'. This command
-# installs the generic GCC specs.
+# The fstack_protector patch adds -fstack-protector-all to selected utilities
+# and libraries. libc.so, ld.so, libbsd-compat.so, and other libraries which
+# do not preload libc.so are skipped. This patch will work to override the
+# -fno-stack-protector option used in the CC envrioment variable below.
 
-install $(gcc --print-file specs)-generic $(gcc --print-file specs)
+# While Glibc can be built with -pie and -fPIC (with a small patch) all of
+# Glibc's utilities have non-pic assembly code in them. If they're linked
+# with -pie they will not be able to run on a kernel disallowing text
+# relocation. Hence, there is no advantage to using PIE in Glibc's build, but
+# there are disadvantages. For this reason the -no-pie option is added for
+# Glibc so the applications will be dynamically linked, this way they will
+# be able to run on a kernel disallowing text relocation. Glibc is aware of
+# ld '-z now' and '-z relro' options and it uses them where they are
+# appropriate.
 
-# Then build Glibc.
+# The --enable-bind-now configure option enables a new linker option
+# (ld -z now) for non-lazy runtime binding. See these URL's for more details:
+# http://sources.redhat.com/ml/libc-alpha/2004-03/msg00075.html
+# http://elfsh.segfault.net/papers/elf-rtld.txt
 
+patch -Np1 -i ../glibc-2.3.4-fstack_protector-1.patch &&
 patch -Np1 -i ../glibc-2.3.4-ssp_frandom-6.patch &&
 patch -Np1 -i ../glibc-2.3.4-pt_pax-1.patch &&
 patch -Np1 -i ../glibc-2.3.4-dl_execstack_PaX-1.patch &&
 mkdir ../glibc-build &&
 cd ../glibc-build &&
+env CC="gcc -fno-stack-protector -no-pie" \
 ../glibc-20041220/configure --prefix=/usr \
 	--disable-profile --enable-add-ons \
 	--enable-kernel=2.6.0 --without-cvs \
 	--libexecdir=/usr/lib/glibc --enable-bind-now &&
 make
 
-# Run the tests if you want.
+# Run the tests if you want. They should all pass.
 
 make check
 
-# Restore the GCC specs before installing Glibc.
-
-gcc -dumpspecs > $(gcc --print-file specs)
-
 # Then install Glibc.
 
 touch /etc/ld.so.conf &&

Modified: trunk/text/chapter06/57-udev.txt
===================================================================
--- trunk/text/chapter06/57-udev.txt	2005-01-05 04:47:44 UTC (rev 50)
+++ trunk/text/chapter06/57-udev.txt	2005-01-05 10:43:12 UTC (rev 51)
@@ -1,4 +1,4 @@
-- Chapter 6 - Installing Udev 047
+- Chapter 6 - Installing Udev 050
 
 # Udev is used to populate /dev. If you would like to link Udev statically
 # use the following command.




More information about the hlfs-dev mailing list