[tor-commits] [tor-browser-bundle/master] Bug 12103: Adding RELRO back to browser binaries.

mikeperry at torproject.org mikeperry at torproject.org
Fri Aug 29 22:33:03 UTC 2014


commit d8e92e2f4d362216dfff1790026309e6c0a51b58
Author: Georg Koppen <gk at torproject.org>
Date:   Fri Aug 29 15:32:35 2014 -0700

    Bug 12103: Adding RELRO back to browser binaries.
    
    We removed the build-id from browser binaries in bug 11042 as it turned
    out that, despite the contents being exactly the same, the build-id
    occasionally was not. But doing that with objcopy destroyed RELRO protections
    as well. Having the build-id non-deterministic seems to be an ld issue,
    as switching to gold solves this.
---
 gitian/descriptors/linux/gitian-firefox.yml |    6 ++++--
 gitian/descriptors/linux/gitian-utils.yml   |   20 ++++++++++++++++++++
 gitian/mkbundle-linux.sh                    |    8 +++++++-
 3 files changed, 31 insertions(+), 3 deletions(-)

diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index 90958c2..0cd4b28 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -29,6 +29,8 @@ remotes:
 - "url": "https://git.torproject.org/tor-browser.git"
   "dir": "tor-browser"
 files:
+- "binutils-linux32-utils.zip"
+- "binutils-linux64-utils.zip"
 - "python-linux32-utils.zip"
 - "python-linux64-utils.zip"
 - "re-dzip.sh"
@@ -62,6 +64,8 @@ script: |
   ln -sf $INSTDIR/python/bin/python2.7 $INSTDIR/python/bin/python
   export PATH=$INSTDIR/python/bin:$PATH
   #
+  unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
+  export PATH=$INSTDIR/binutils/bin:$PATH
   mkdir -p $INSTDIR/Browser/
   mkdir -p $INSTDIR/Debug/Browser/components
   #
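Review bot: Nothing in this descriptor verifies that the finished binaries actually carry RELRO; the added lines only put `$INSTDIR/binutils/bin` first on PATH and rely on the compiler driver resolving `ld` from there. The earlier loss of the protection was apparently not caught at build time, so a check in the per-binary loop later in the script (outside this hunk) would stop a repeat, for example `readelf -lW $LIB | grep -q GNU_RELRO || exit 1` after the last `objcopy` call. The script body starts and ends outside this hunk, so an existing check elsewhere cannot be ruled out from here.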
@@ -100,8 +104,6 @@ script: |
   cd $INSTDIR
   for LIB in Browser/*.so Browser/webapprt-stub Browser/mozilla-xremote-client Browser/firefox Browser/plugin-container Browser/components/*.so # Browser/updater
   do
-    # Build-ID is sometimes non-deterministic, and we use debuglink anyway
-    objcopy --remove-section=.note.gnu.build-id $LIB
     objcopy --only-keep-debug $LIB Debug/$LIB
     strip $LIB
     objcopy --add-gnu-debuglink=./Debug/$LIB $LIB
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index 34b1672..ea122db 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -15,6 +15,8 @@ packages:
 - "faketime"
 - "libtool"
 - "hardening-wrapper"
+# Needed for compiling gold.
+- "bison"
 # These packages are needed for Python due to HTTPS-Everywhere >= 3.5.
 - "libsqlite3-dev"
 - "zlib1g-dev"
@@ -25,6 +27,7 @@ remotes:
 - "url": "https://github.com/libevent/libevent.git"
   "dir": "libevent"
 files:
+- "binutils.tar.bz2"
 - "openssl.tar.gz"
 - "python.tar.bz2"
 - "lxml.tar.gz"
@@ -47,6 +50,22 @@ script: |
   export DEB_BUILD_HARDENING_FORMAT=1
   export DEB_BUILD_HARDENING_PIE=1
 
+  # Building Binutils
+  tar xjf binutils.tar.bz2
+  cd binutils*
+  # We want to use gold as the linker in our toolchain mainly as it is way
+  # faster when linking Tor Browser code (especially libxul). But apart from
+  # that it fixes #12103 and issues with ESR 31 and our Gitian setup as well
+  # (see bug #12743).
+  ./configure --prefix=$INSTDIR/binutils --disable-multilib --enable-gold
+  make $MAKEOPTS
+  make install
+  # Make sure gold is used and not ld.
+  cd $INSTDIR/binutils/bin
+  rm ld
+  ln -sf ld.gold ld
+  cd ~/build
+
   # Building Libevent
   cd libevent
   ./autogen.sh
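Review bot: The `rm ld` / `ln -sf ld.gold ld` step never checks that `ld.gold` was actually built, so a gold build that is skipped or fails quietly leaves a dangling `ld` symlink, and a later link step may then pick up a different linker from PATH instead of stopping. A guard before the swap, such as `test -x ld.gold || exit 1`, makes the descriptor fail loudly; whether the script already runs under `set -e` is not visible in this hunk. `rm ld` is also redundant, because `ln -sf` already replaces the existing file.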
@@ -104,6 +123,7 @@ script: |
 
   # Grabbing the remaining results
   cd $INSTDIR
+  ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
   ~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl
   ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
   ~/build/dzip.sh python-$PYTHON_VER-linux$GBUILD_BITS-utils.zip python
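Review bot: `$BINUTILS_VER` is used on the added `dzip.sh` line and in gitian/mkbundle-linux.sh, but none of the three files in this commit defines it, and the step that fetches `binutils.tar.bz2` and checks its integrity is not part of the diff either. If both live in another commit that is fine, but it is worth confirming, because this toolchain now links every browser binary and an unverified tarball would undermine the deterministic build. A short comment next to the `files:` entry would record where that happens, for example `# binutils.tar.bz2 is fetched and verified by <fetch script>`, with the placeholder replaced by the real script name.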
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 7e90165..dd8e00a 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -98,7 +98,9 @@ fi
 
 cd $GITIAN_DIR
 
-if [ ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \
+if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
+     ! -f inputs/binutils-$BINUTILS_VER-linux64-utils.zip -o \
+     ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \
      ! -f inputs/openssl-$OPENSSL_VER-linux64-utils.zip -o \
      ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip -o \
      ! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux64-utils.zip -o \
@@ -122,6 +124,8 @@ then
 
   cd inputs
   cp -a ../build/out/*-utils.zip .
+  ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip
+  ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip
   ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip
   ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip
   ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip
@@ -141,6 +145,8 @@ else
   # We might have built the utilities in the past but maybe the links are
   # pointing to the wrong version. Refresh them.
   cd inputs
+  ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip
+  ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip
   ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip
   ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip
   ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip


