From 784f75931d7809bbc7009584ac0a4c822cc675d9 Mon Sep 17 00:00:00 2001
From: Juan RP
Date: Tue, 17 Nov 2015 17:13:12 +0100
Subject: [PATCH] xbps-src: move compiler/linker defaults to env/hardening.sh.

The user can still set his/her defaults via etc/conf, and per package in the templates.
---
 common/environment/build/build-pie.sh | 1 -
 common/environment/build/hardening.sh | 1 +
 common/environment/configure/build-pie.sh | 8 --------
 common/environment/configure/hardening.sh | 13 +++++++++++++
 etc/defaults.conf | 8 +++-----
 5 files changed, 17 insertions(+), 14 deletions(-)
 delete mode 120000 common/environment/build/build-pie.sh
 create mode 120000 common/environment/build/hardening.sh
 delete mode 100644 common/environment/configure/build-pie.sh
 create mode 100644 common/environment/configure/hardening.sh

diff --git a/common/environment/build/build-pie.sh b/common/environment/build/build-pie.sh
deleted file mode 120000
index e741766044a..00000000000
--- a/common/environment/build/build-pie.sh
+++ /dev/null
@@ -1 +0,0 @@
-../configure/build-pie.sh
\ No newline at end of file
diff --git a/common/environment/build/hardening.sh b/common/environment/build/hardening.sh
new file mode 120000
index 00000000000..f043590b728
--- /dev/null
+++ b/common/environment/build/hardening.sh
@@ -0,0 +1 @@
+../configure/hardening.sh
\ No newline at end of file
diff --git a/common/environment/configure/build-pie.sh b/common/environment/configure/build-pie.sh
deleted file mode 100644
index 708d3109d05..00000000000
--- a/common/environment/configure/build-pie.sh
+++ /dev/null
@@ -1,8 +0,0 @@
-_GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs
-
-if [ -z "$nopie" ]; then
- CFLAGS+=" -specs=$_GCCSPECSDIR/hardened-cc1"
- CXXFLAGS+=" -specs=$_GCCSPECSDIR/hardened-cc1"
- # We pass -z relro -z now here too, because libtool drops -specs...
- LDFLAGS+=" -specs=$_GCCSPECSDIR/hardened-ld -Wl,-z,relro -Wl,-z,now"
-fi
diff --git a/common/environment/configure/hardening.sh b/common/environment/configure/hardening.sh
new file mode 100644
index 00000000000..591cf98ff53
--- /dev/null
+++ b/common/environment/configure/hardening.sh
@@ -0,0 +1,13 @@
+# Enable SSP and FORITFY_SOURCE=2 by default.
+XBPS_CFLAGS+=" -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+XBPS_CXXFLAGS+=" ${XBPS_CFLAGS}"
+# Enable as-needed and relro by default.
+XBPS_LDFLAGS+=" -Wl,--as-needed -Wl,-z,relro"
+
+if [ -z "$nopie" ]; then
+ _GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs
+ XBPS_CFLAGS+=" -specs=${_GCCSPECSDIR}/hardened-cc1"
+ XBPS_CXXFLAGS+=" -specs=${_GCCSPECSDIR}/hardened-cc1"
+ # We pass -z relro -z now here too, because libtool drops -specs...
+ XBPS_LDFLAGS+=" -specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now"
+fi
diff --git a/etc/defaults.conf b/etc/defaults.conf
index d9d29d8a39a..500a16514f3 100644
--- a/etc/defaults.conf
+++ b/etc/defaults.conf
@@ -23,15 +23,13 @@ XBPS_INSTALL_ARGS="--repository=http://repo.voidlinux.eu/current --repository=ht
 # Native Compilation/Preprocessor flags for C and C++. Additional settings
 # for the target architecture are also declared in common/build-profiles/.sh.
 #
-XBPS_CFLAGS="-O2 -pipe -fstack-protector-strong -D_FORTIFY_SOURCE=2"
+XBPS_CFLAGS="-O2 -pipe"
 XBPS_CXXFLAGS="${XBPS_CFLAGS}"
 
 # [OPTIONAL]
-# Linker flags passed to the compiler. By default we use --as-needed to
-# avoid linking extra libraries into binaries. See the following link
-# for info: http://www.gentoo.org/proj/en/qa/asneeded.xml
+# Linker flags passed to the compiler.
 #
-XBPS_LDFLAGS="-Wl,--as-needed -Wl,-z,relro"
+#XBPS_LDFLAGS=""
 
 # [REQUIRED]
 # Command to execute to gain root privileges when using the `update-sys`
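Review bot: `XBPS_CXXFLAGS+=" ${XBPS_CFLAGS}"` in common/environment/configure/hardening.sh appends the whole C flag string, not just the hardening flags, to the C++ flags. Since etc/defaults.conf already sets `XBPS_CXXFLAGS="${XBPS_CFLAGS}"`, the C flags end up listed twice, and a user who sets a different `XBPS_CXXFLAGS` in etc/conf has options such as the optimisation level overridden by the later C value (assuming the conf is read before this file, which the hunk does not show). Appending only the hardening flags avoids that: `XBPS_CXXFLAGS+=" -fstack-protector-strong -D_FORTIFY_SOURCE=2"`. Separately, `-Wl,-z,now` is added only inside the `nopie` check, so from the flags visible here a template that sets `nopie` is linked with relro but without immediate binding (partial RELRO, `.got.plt` stays writable); if that coupling is not intended, move `-Wl,-z,now` to the unconditional `XBPS_LDFLAGS+=` line. The first comment also misspells the macro: `FORITFY_SOURCE` should read `FORTIFY_SOURCE`.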
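Review bot: After this change nothing in etc/defaults.conf tells the reader that hardening flags are still applied, so `XBPS_CFLAGS="-O2 -pipe"` and the commented `#XBPS_LDFLAGS=""` read as the complete flag set. I would add a comment above each setting, for example `# Hardening flags (SSP, _FORTIFY_SOURCE, relro, as-needed, PIE) are appended in common/environment/configure/hardening.sh.` It is also worth stating there that `_FORTIFY_SOURCE` has no effect without optimisation, so a user value of `XBPS_CFLAGS` that drops `-O1` or higher silently loses that protection.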