[tor-commits] [tor-browser-bundle/master] Bug 12103: Adding RELRO back to browser binaries.
mikeperry at torproject.org
mikeperry at torproject.org
Fri Aug 29 22:33:03 UTC 2014
commit d8e92e2f4d362216dfff1790026309e6c0a51b58
Author: Georg Koppen <gk at torproject.org>
Date: Fri Aug 29 15:32:35 2014 -0700
Bug 12103: Adding RELRO back to browser binaries.
We removed the build-id from browser binaries in bug 11042 as it turned
out that despite the contents being exactly the same the build-id was
not occasionally. But doing that with bjcopy destroyed RELRO protections
as well. Having the build-id non-deterministic seems to be an ld issue
as switching to gold solves this.
---
gitian/descriptors/linux/gitian-firefox.yml | 6 ++++--
gitian/descriptors/linux/gitian-utils.yml | 20 ++++++++++++++++++++
gitian/mkbundle-linux.sh | 8 +++++++-
3 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index 90958c2..0cd4b28 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -29,6 +29,8 @@ remotes:
- "url": "https://git.torproject.org/tor-browser.git"
"dir": "tor-browser"
files:
+- "binutils-linux32-utils.zip"
+- "binutils-linux64-utils.zip"
- "python-linux32-utils.zip"
- "python-linux64-utils.zip"
- "re-dzip.sh"
@@ -62,6 +64,8 @@ script: |
ln -sf $INSTDIR/python/bin/python2.7 $INSTDIR/python/bin/python
export PATH=$INSTDIR/python/bin:$PATH
#
+ unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
+ export PATH=$INSTDIR/binutils/bin:$PATH
mkdir -p $INSTDIR/Browser/
mkdir -p $INSTDIR/Debug/Browser/components
#
@@ -100,8 +104,6 @@ script: |
cd $INSTDIR
for LIB in Browser/*.so Browser/webapprt-stub Browser/mozilla-xremote-client Browser/firefox Browser/plugin-container Browser/components/*.so # Browser/updater
do
- # Build-ID is sometimes non-deterministic, and we use debuglink anyway
- objcopy --remove-section=.note.gnu.build-id $LIB
objcopy --only-keep-debug $LIB Debug/$LIB
strip $LIB
objcopy --add-gnu-debuglink=./Debug/$LIB $LIB
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index 34b1672..ea122db 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -15,6 +15,8 @@ packages:
- "faketime"
- "libtool"
- "hardening-wrapper"
+# Needed for compiling gold.
+- "bison"
# These packages are needed for Python due to HTTPS-Everywhere >= 3.5.
- "libsqlite3-dev"
- "zlib1g-dev"
@@ -25,6 +27,7 @@ remotes:
- "url": "https://github.com/libevent/libevent.git"
"dir": "libevent"
files:
+- "binutils.tar.bz2"
- "openssl.tar.gz"
- "python.tar.bz2"
- "lxml.tar.gz"
@@ -47,6 +50,22 @@ script: |
export DEB_BUILD_HARDENING_FORMAT=1
export DEB_BUILD_HARDENING_PIE=1
+ # Building Binutils
+ tar xjf binutils.tar.bz2
+ cd binutils*
+ # We want to use gold as the linker in our toolchain mainly as it is way
+ # faster when linking Tor Browser code (especially libxul). But apart from
+ # that it fixes #12103 and issues with ESR 31 and our Gitian setup as well
+ # (see bug #12743).
+ ./configure --prefix=$INSTDIR/binutils --disable-multilib --enable-gold
+ make $MAKEOPTS
+ make install
+ # Make sure gold is used and not ld.
+ cd $INSTDIR/binutils/bin
+ rm ld
+ ln -sf ld.gold ld
+ cd ~/build
+
# Building Libevent
cd libevent
./autogen.sh
@@ -104,6 +123,7 @@ script: |
# Grabbing the remaining results
cd $INSTDIR
+ ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl
~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
~/build/dzip.sh python-$PYTHON_VER-linux$GBUILD_BITS-utils.zip python
diff --git a/gitian/mkbundle-linux.sh b/gitian/mkbundle-linux.sh
index 7e90165..dd8e00a 100755
--- a/gitian/mkbundle-linux.sh
+++ b/gitian/mkbundle-linux.sh
@@ -98,7 +98,9 @@ fi
cd $GITIAN_DIR
-if [ ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \
+if [ ! -f inputs/binutils-$BINUTILS_VER-linux32-utils.zip -o \
+ ! -f inputs/binutils-$BINUTILS_VER-linux64-utils.zip -o \
+ ! -f inputs/openssl-$OPENSSL_VER-linux32-utils.zip -o \
! -f inputs/openssl-$OPENSSL_VER-linux64-utils.zip -o \
! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip -o \
! -f inputs/libevent-${LIBEVENT_TAG_ORIG#release-}-linux64-utils.zip -o \
@@ -122,6 +124,8 @@ then
cd inputs
cp -a ../build/out/*-utils.zip .
+ ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip
+ ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip
ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip
ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip
ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip
@@ -141,6 +145,8 @@ else
# We might have built the utilities in the past but maybe the links are
# pointing to the wrong version. Refresh them.
cd inputs
+ ln -sf binutils-$BINUTILS_VER-linux32-utils.zip binutils-linux32-utils.zip
+ ln -sf binutils-$BINUTILS_VER-linux64-utils.zip binutils-linux64-utils.zip
ln -sf openssl-$OPENSSL_VER-linux32-utils.zip openssl-linux32-utils.zip
ln -sf openssl-$OPENSSL_VER-linux64-utils.zip openssl-linux64-utils.zip
ln -sf libevent-${LIBEVENT_TAG_ORIG#release-}-linux32-utils.zip libevent-linux32-utils.zip
More information about the tor-commits
mailing list