commit d8e92e2f4d362216dfff1790026309e6c0a51b58 Author: Georg Koppen gk@torproject.org Date: Fri Aug 29 15:32:35 2014 -0700
Bug 12103: Adding RELRO back to browser binaries.
We removed the build-id from browser binaries in bug 11042 as it turned out that, despite the contents being exactly the same, the build-id occasionally was not. But doing that with objcopy destroyed RELRO protections as well. Having the build-id non-deterministic seems to be an ld issue, as switching to gold solves this. --- gitian/descriptors/linux/gitian-firefox.yml | 6 ++++-- gitian/descriptors/linux/gitian-utils.yml | 20 ++++++++++++++++++++ gitian/mkbundle-linux.sh | 8 +++++++- 3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml index 90958c2..0cd4b28 100644 --- a/gitian/descriptors/linux/gitian-firefox.yml +++ b/gitian/descriptors/linux/gitian-firefox.yml @@ -29,6 +29,8 @@ remotes: - "url": "https://git.torproject.org/tor-browser.git" "dir": "tor-browser" files: +- "binutils-linux32-utils.zip" +- "binutils-linux64-utils.zip" - "python-linux32-utils.zip" - "python-linux64-utils.zip" - "re-dzip.sh" @@ -62,6 +64,8 @@ script: | ln -sf $INSTDIR/python/bin/python2.7 $INSTDIR/python/bin/python export PATH=$INSTDIR/python/bin:$PATH # + unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip + export PATH=$INSTDIR/binutils/bin:$PATH mkdir -p $INSTDIR/Browser/ mkdir -p $INSTDIR/Debug/Browser/components # @@ -100,8 +104,6 @@ script: | cd $INSTDIR for LIB in Browser/*.so Browser/webapprt-stub Browser/mozilla-xremote-client Browser/firefox Browser/plugin-container Browser/components/*.so # Browser/updater do - # Build-ID is sometimes non-deterministic, and we use debuglink anyway - objcopy --remove-section=.note.gnu.build-id $LIB objcopy --only-keep-debug $LIB Debug/$LIB strip $LIB objcopy --add-gnu-debuglink=./Debug/$LIB $LIB diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml index 34b1672..ea122db 100644 --- a/gitian/descriptors/linux/gitian-utils.yml +++ b/gitian/descriptors/linux/gitian-utils.yml @@ -15,6 +15,8 @@ packages: - "faketime" - "libtool" - "hardening-wrapper" +# Needed for compiling gold. +- "bison" # These packages are needed for Python due to HTTPS-Everywhere >= 3.5. - "libsqlite3-dev" - "zlib1g-dev" @@ -25,6 +27,7 @@ remotes: - "url": "https://github.com/libevent/libevent.git" "dir": "libevent" files: +- "binutils.tar.bz2" - "openssl.tar.gz" - "python.tar.bz2" - "lxml.tar.gz" @@ -47,6 +50,22 @@ script: | export DEB_BUILD_HARDENING_FORMAT=1 export DEB_BUILD_HARDENING_PIE=1
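Review bot: Nothing after the added `export PATH=$INSTDIR/binutils/bin:$PATH` in gitian-firefox.yml asserts that the shipped binaries actually carry RELRO, even though the commit message describes that protection being lost as a side effect of an unrelated objcopy step. The `objcopy`/`strip` loop in the `@@ -100,8 +104,6 @@` hunk still rewrites every binary, now with the freshly built tools, so a check at the end of the loop body such as `readelf -l $LIB | grep -q GNU_RELRO || exit 1` would fail the build if the segment disappears again. The loop's `done` is outside the visible hunks, so the exact placement needs confirming. The added `unzip` and `export PATH` lines also leave `$INSTDIR` unquoted, which matches the surrounding script but breaks on a path containing spaces.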
+ # Building Binutils + tar xjf binutils.tar.bz2 + cd binutils* + # We want to use gold as the linker in our toolchain mainly as it is way + # faster when linking Tor Browser code (especially libxul). But apart from + # that it fixes #12103 and issues with ESR 31 and our Gitian setup as well + # (see bug #12743). + ./configure --prefix=$INSTDIR/binutils --disable-multilib --enable-gold + make $MAKEOPTS + make install + # Make sure gold is used and not ld. + cd $INSTDIR/binutils/bin + rm ld + ln -sf ld.gold ld + cd ~/build + # Building Libevent cd libevent ./autogen.sh @@ -104,6 +123,7 @@ script: |
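Review bot: The comment `# Make sure gold is used and not ld.` is backed only by the `rm ld` / `ln -sf ld.gold ld` swap, and nothing confirms the result. If `ld.gold` was not produced, `ln -sf` still succeeds and leaves a dangling link, so later builds could presumably fall back to the system linker without any error. A check right after the link, `./ld --version | grep -q gold || exit 1`, would make that failure visible. Separately, the diff does not show where `binutils.tar.bz2` is fetched or how it is verified. Since this toolchain links and strips every browser binary, confirm that it is hash- or signature-checked like the other inputs.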
# Grabbing the remaining results cd $INSTDIR + ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils ~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent ~/build/dzip.sh python-$PYTHON_VER-linux$GBUILD_BITS-utils.zip python diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh index 7e90165..dd8e00a 100755 --- a/gitian/mkbundle-linux.sh +++ b/gitian/mkbundle-linux.sh @@ -98,7 +98,9 @@ fi
cd $GITIAN_DIR
-if [ ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \ +if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \ + ! -f inputs/binutils-$BINUTILS_VER-linux64-utils.zip -o \ + ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \ ! -f inputs/openssl-$OPENSSL_VER-linux64-utils.zip -o \ ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip -o \ ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux64-utils.zip -o \ @@ -122,6 +124,8 @@ then
cd inputs cp -a ../build/out/*-utils.zip . + ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip + ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip @@ -141,6 +145,8 @@ else # We might have built the utilities in the past but maybe the links are # pointing to the wrong version. Refresh them. cd inputs + ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip + ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip
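Review bot: The two `ln -sf binutils-$BINUTILS_VER-…` lines are added verbatim in the `then` branch here and again in the `else` branch of the `@@ -141,6 +145,8 @@` hunk, so every new utility must be listed in three places (the `-f` test plus both branches). Missing the `else` copy would leave the unversioned symlink pointing at an older archive, and the Firefox descriptor would then build with a stale toolchain without any error. Consider refreshing the links once after the `fi`, which is outside these hunks, or driving both the test and the links from a single list. `BINUTILS_VER` is not set in any file this commit touches. If it comes from a versions file, a guard such as `: "${BINUTILS_VER:?}"` before the `-f` test would catch an empty value.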