[tor-commits] [tor-browser-bundle/master] Bug 22361: fix hardening of libraries built in linux/gitian-utils.yml

gk at torproject.org gk at torproject.org
Thu Jun 1 13:11:12 UTC 2017


commit 095845a8bc96997b50c5208d831ae32272ca6f85
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Thu Jun 1 01:35:24 2017 +0200

    Bug 22361: fix hardening of libraries built in linux/gitian-utils.yml
    
    With the changes to integrate Selfrando (#20683), we are using our build
    of gcc and binutils to build other libraries in the linux/gitian-utils.yml
    descriptor, which removed the use of the hardening wrappers. We fix that
    by adding the hardening wrappers to our builds of gcc and binutils.
    Because we add the wrappers to gcc and binutils zip files, we don't need
    to add them anymore in the other descriptors where they are used.
---
 gitian/descriptors/linux/gitian-firefox.yml        | 19 ---------------
 .../linux/gitian-pluggable-transports.yml          | 17 --------------
 gitian/descriptors/linux/gitian-tor.yml            | 17 --------------
 gitian/descriptors/linux/gitian-utils.yml          | 27 ++++++++++++++++++++--
 gitian/descriptors/linux/gitian-webrtc.yml         | 17 --------------
 5 files changed, 25 insertions(+), 72 deletions(-)

diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index ae0d14f..9edcb3a 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -64,26 +64,7 @@ script: |
   fi
   # Preparing Binutils and GCC for Tor Browser
   unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
-  # Make sure gold is used with the hardening wrapper for full RELRO, see
-  # #13031.
-  cd $INSTDIR/binutils/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-  cd ~/build
   unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
-  # Make sure we use the hardening wrapper when compiling Tor Browser.
-  cd $INSTDIR/gcc/bin
-  cp /usr/bin/hardened-cc ./
-  mv gcc gcc.real
-  mv c++ c++.real
-  mv g++ g++.real
-  ln -sf hardened-cc gcc
-  ln -sf hardened-cc c++
-  ln -sf hardened-cc g++
-  cd ~/build
   export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
   ARCH=""
   if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-pluggable-transports.yml b/gitian/descriptors/linux/gitian-pluggable-transports.yml
index cd936d5..207a7e5 100644
--- a/gitian/descriptors/linux/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/linux/gitian-pluggable-transports.yml
@@ -94,24 +94,7 @@ script: |
 
   # Preparing Binutils and GCC for webrtc
   unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
-  # Make sure gold is used with the hardening wrapper for full RELRO, see
-  # #13031.
-  cd $INSTDIR/binutils/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-  cd ~/build
   unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
-  # Make sure we use the hardening wrapper when compiling Tor Browser.
-  cd $INSTDIR/gcc/bin
-  cp /usr/bin/hardened-cc ./
-  mv gcc gcc.real
-  mv c++ c++.real
-  ln -sf hardened-cc gcc
-  ln -sf hardened-cc c++
-  cd ~/build
   export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
   # GN needs libatomic.so.1 here.
   export LD_LIBRARY_PATH=$INSTDIR/gcc/lib
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index c00b4e7..116dd84 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -49,24 +49,7 @@ script: |
 
   # Preparing Binutils and GCC for tor
   unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
-  # Make sure gold is used with the hardening wrapper for full RELRO, see
-  # #13031.
-  cd $INSTDIR/binutils/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-  cd ~/build
   unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
-  # Make sure we use the hardening wrapper when compiling tor.
-  cd $INSTDIR/gcc/bin
-  cp /usr/bin/hardened-cc ./
-  mv gcc gcc.real
-  mv c++ c++.real
-  ln -sf hardened-cc gcc
-  ln -sf hardened-cc c++
-  cd ~/build
   export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
   ARCH=""
   if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index eb340b8..2680f1b 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -104,6 +104,27 @@ script: |
   make install
   cd ..
 
+  # Make sure we use the hardening wrapper
+  pushd $INSTDIR/gcc/bin
+  cp /usr/bin/hardened-cc ./
+  mv gcc gcc.real
+  mv c++ c++.real
+  mv g++ g++.real
+  ln -sf hardened-cc gcc
+  ln -sf hardened-cc c++
+  ln -sf hardened-cc g++
+  popd
+
+  # Make sure gold is used with the hardening wrapper for full RELRO, see
+  # #13031.
+  pushd $INSTDIR/binutils/bin
+  rm ld
+  cp /usr/bin/hardened-ld ./
+  mv ld.gold ld.gold.real
+  ln -sf hardened-ld ld.gold
+  ln -sf ld.gold ld
+  popd
+
   export DEB_BUILD_HARDENING_FORMAT=1
   export PATH="$INSTDIR/binutils/bin:$INSTDIR/gcc/bin:$PATH"
   export LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"
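Review bot: Nothing in the new block verifies that the wrappers are the binaries actually resolved once PATH is exported two lines below, so a missing /usr/bin/hardened-cc or a failed mv/ln would surface only later as silently unhardened library builds rather than as a failed build. A one-line sanity check after the `export PATH=...` line would make that loud, e.g. `test "$(readlink -f "$(command -v gcc)")" = "$INSTDIR/gcc/bin/hardened-cc"` and the same for `ld` against `hardened-ld` (assuming $INSTDIR is an absolute path). The comment at the top of the block could also say why the setup now lives here: `# The wrappers are shipped inside the gcc/binutils zips (packed with --symlinks below), so the descriptors consuming them no longer set them up themselves`. The Debian wrappers only harden when the DEB_BUILD_HARDENING* variables are set at build time, so presumably the consuming descriptors still export them; worth confirming now that the wrapper is baked into the artifact. The `script: |` block begins and ends outside the hunk.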
@@ -191,9 +212,11 @@ script: |
   # libevent archives are no longer reproducible. The main reason
   # is that they include some .a archives which include timestamps.
   # Those files are however not part of the files we ship.
+  # We use the --symlinks zip option for binutils and gcc for the
+  # hardening wrappers symlinks
   cd $INSTDIR
-  ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
-  ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
+  ZIPOPTS='--symlinks' ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
+  ZIPOPTS='--symlinks' ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
   ~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl
   ~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
   ~/build/dzip.sh gmp-$GMP_VER-linux$GBUILD_BITS-utils.zip gmp
diff --git a/gitian/descriptors/linux/gitian-webrtc.yml b/gitian/descriptors/linux/gitian-webrtc.yml
index ccf2d4a..9e7808c 100644
--- a/gitian/descriptors/linux/gitian-webrtc.yml
+++ b/gitian/descriptors/linux/gitian-webrtc.yml
@@ -49,24 +49,7 @@ script: |
 
   # Preparing Binutils and GCC for webrtc
   unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
-  # Make sure gold is used with the hardening wrapper for full RELRO, see
-  # #13031.
-  cd $INSTDIR/binutils/bin
-  rm ld
-  cp /usr/bin/hardened-ld ./
-  mv ld.gold ld.gold.real
-  ln -sf hardened-ld ld.gold
-  ln -sf ld.gold ld
-  cd ~/build
   unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
-  # Make sure we use the hardening wrapper when compiling Tor Browser.
-  cd $INSTDIR/gcc/bin
-  cp /usr/bin/hardened-cc ./
-  mv gcc gcc.real
-  mv c++ c++.real
-  ln -sf hardened-cc gcc
-  ln -sf hardened-cc c++
-  cd ~/build
   export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
   # GN needs libatomic.so.1 here.
   export LD_LIBRARY_PATH=$INSTDIR/gcc/lib


