commit 095845a8bc96997b50c5208d831ae32272ca6f85 Author: Nicolas Vigier boklm@torproject.org Date: Thu Jun 1 01:35:24 2017 +0200
Bug 22361: fix hardening of libraries built in linux/gitian-utils.yml
With the changes to integrate Selfrando (#20683), we are using our build of gcc and binutils to build other libraries in the linux/gitian-utils.yml descriptor, which removed the use of the hardening wrappers. We fix that by adding the hardening wrappers to our builds of gcc and binutils. Because we add the wrappers to gcc and binutils zip files, we don't need to add them anymore in the other descriptors where they are used. --- gitian/descriptors/linux/gitian-firefox.yml | 19 --------------- .../linux/gitian-pluggable-transports.yml | 17 -------------- gitian/descriptors/linux/gitian-tor.yml | 17 -------------- gitian/descriptors/linux/gitian-utils.yml | 27 ++++++++++++++++++++-- gitian/descriptors/linux/gitian-webrtc.yml | 17 -------------- 5 files changed, 25 insertions(+), 72 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index ae0d14f..9edcb3a 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -64,26 +64,7 @@ script: |
 fi
 # Preparing Binutils and GCC for Tor Browser
 unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
 unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- mv g++ g++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- ln -sf hardened-cc g++
- cd ~/build
 export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
 ARCH=""
 if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-pluggable-transports.yml b/gitian/descriptors/linux/gitian-pluggable-transports.yml
index cd936d5..207a7e5 100644
--- a/gitian/descriptors/linux/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/linux/gitian-pluggable-transports.yml
@@ -94,24 +94,7 @@ script: |
# Preparing Binutils and GCC for webrtc
 unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
 unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
 export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
 # GN needs libatomic.so.1 here.
 export LD_LIBRARY_PATH=$INSTDIR/gcc/lib
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index c00b4e7..116dd84 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -49,24 +49,7 @@ script: |
# Preparing Binutils and GCC for tor
 unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
 unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling tor.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
 export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
 ARCH=""
 if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index eb340b8..2680f1b 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -104,6 +104,27 @@ script: |
 make install
 cd ..
+ # Make sure we use the hardening wrapper
+ pushd $INSTDIR/gcc/bin
+ cp /usr/bin/hardened-cc ./
+ mv gcc gcc.real
+ mv c++ c++.real
+ mv g++ g++.real
+ ln -sf hardened-cc gcc
+ ln -sf hardened-cc c++
+ ln -sf hardened-cc g++
+ popd
+
+ # Make sure gold is used with the hardening wrapper for full RELRO, see
+ # #13031.
+ pushd $INSTDIR/binutils/bin
+ rm ld
+ cp /usr/bin/hardened-ld ./
+ mv ld.gold ld.gold.real
+ ln -sf hardened-ld ld.gold
+ ln -sf ld.gold ld
+ popd
+
 export DEB_BUILD_HARDENING_FORMAT=1
 export PATH="$INSTDIR/binutils/bin:$INSTDIR/gcc/bin:$PATH"
 export LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"
@@ -191,9 +212,11 @@ script: |
 # libevent archives are no longer reproducible. The main reason
 # is that they include some .a archives which include timestamps.
 # Those files are however not part of the files we ship.
+ # We use the --symlinks zip option for binutils and gcc for the
+ # hardening wrappers symlinks
 cd $INSTDIR
- ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
- ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
+ ZIPOPTS='--symlinks' ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
+ ZIPOPTS='--symlinks' ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
 ~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl
 ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
 ~/build/dzip.sh gmp-$GMP_VER-linux$GBUILD_BITS-utils.zip gmp
diff --git a/gitian/descriptors/linux/gitian-webrtc.yml b/gitian/descriptors/linux/gitian-webrtc.yml
index ccf2d4a..9e7808c 100644
--- a/gitian/descriptors/linux/gitian-webrtc.yml
+++ b/gitian/descriptors/linux/gitian-webrtc.yml
@@ -49,24 +49,7 @@ script: |
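Review bot: Nothing in the new gitian-utils.yml block checks that the wrapper copy succeeded: `cp /usr/bin/hardened-cc ./` and `cp /usr/bin/hardened-ld ./` assume the wrapper package is installed in the build VM, and unless `set -e` is in effect (not visible in this hunk) a failed copy is still followed by `mv gcc gcc.real` and `ln -sf hardened-cc gcc`, leaving `gcc` a dangling symlink that would presumably break the openssl/libevent/gmp builds later in this descriptor and every descriptor that unzips the toolchain. A one-line guard after each `popd` makes the intent explicit, e.g. `test -x "$INSTDIR/gcc/bin/hardened-cc" && test -x "$INSTDIR/gcc/bin/gcc.real" || exit 1` with the matching check for `hardened-ld` / `ld.gold.real`. Shipping the wrapper in the zip does not by itself guarantee hardened output: as far as I know the Debian wrapper decides which flags to inject from the `DEB_BUILD_HARDENING*` environment at compile time (note the `export DEB_BUILD_HARDENING_FORMAT=1` context line), so a comment such as `# the zip carries the wrapper; consuming descriptors must still export the DEB_BUILD_HARDENING variables` next to `# Make sure we use the hardening wrapper` would save the next reader a search. The `ZIPOPTS='--symlinks'` lines in the second hunk presuppose that dzip.sh honours ZIPOPTS and that the consumers' `unzip -d` restores symlinks rather than copying the wrapper three times, neither of which can be confirmed from this diff. The enclosing `script:` block starts and ends outside both hunks.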
# Preparing Binutils and GCC for webrtc
 unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
 unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
 export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
 # GN needs libatomic.so.1 here.
 export LD_LIBRARY_PATH=$INSTDIR/gcc/lib