[tor-commits] [tor-browser-bundle/master] Bug 22361: fix hardening of libraries built in linux/gitian-utils.yml
gk at torproject.org
gk at torproject.org
Thu Jun 1 13:11:12 UTC 2017
commit 095845a8bc96997b50c5208d831ae32272ca6f85
Author: Nicolas Vigier <boklm at torproject.org>
Date: Thu Jun 1 01:35:24 2017 +0200
Bug 22361: fix hardening of libraries built in linux/gitian-utils.yml
With the changes to integrate Selfrando (#20683), we are using our build
of gcc and binutils to build other libraries in the linux/gitian-utils.yml
descriptor, which removed the use of the hardening wrappers. We fix that
by adding the hardening wrappers to our builds of gcc and binutils.
Because we add the wrappers to gcc and binutils zip files, we don't need
to add them anymore in the other descriptors where they are used.
---
gitian/descriptors/linux/gitian-firefox.yml | 19 ---------------
.../linux/gitian-pluggable-transports.yml | 17 --------------
gitian/descriptors/linux/gitian-tor.yml | 17 --------------
gitian/descriptors/linux/gitian-utils.yml | 27 ++++++++++++++++++++--
gitian/descriptors/linux/gitian-webrtc.yml | 17 --------------
5 files changed, 25 insertions(+), 72 deletions(-)
diff --git a/gitian/descriptors/linux/gitian-firefox.yml b/gitian/descriptors/linux/gitian-firefox.yml
index ae0d14f..9edcb3a 100644
--- a/gitian/descriptors/linux/gitian-firefox.yml
+++ b/gitian/descriptors/linux/gitian-firefox.yml
@@ -64,26 +64,7 @@ script: |
fi
# Preparing Binutils and GCC for Tor Browser
unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- mv g++ g++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- ln -sf hardened-cc g++
- cd ~/build
export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
ARCH=""
if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-pluggable-transports.yml b/gitian/descriptors/linux/gitian-pluggable-transports.yml
index cd936d5..207a7e5 100644
--- a/gitian/descriptors/linux/gitian-pluggable-transports.yml
+++ b/gitian/descriptors/linux/gitian-pluggable-transports.yml
@@ -94,24 +94,7 @@ script: |
# Preparing Binutils and GCC for webrtc
unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
# GN needs libatomic.so.1 here.
export LD_LIBRARY_PATH=$INSTDIR/gcc/lib
diff --git a/gitian/descriptors/linux/gitian-tor.yml b/gitian/descriptors/linux/gitian-tor.yml
index c00b4e7..116dd84 100644
--- a/gitian/descriptors/linux/gitian-tor.yml
+++ b/gitian/descriptors/linux/gitian-tor.yml
@@ -49,24 +49,7 @@ script: |
# Preparing Binutils and GCC for tor
unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling tor.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
ARCH=""
if [ $GBUILD_BITS == "64" ];
diff --git a/gitian/descriptors/linux/gitian-utils.yml b/gitian/descriptors/linux/gitian-utils.yml
index eb340b8..2680f1b 100644
--- a/gitian/descriptors/linux/gitian-utils.yml
+++ b/gitian/descriptors/linux/gitian-utils.yml
@@ -104,6 +104,27 @@ script: |
make install
cd ..
+ # Make sure we use the hardening wrapper
+ pushd $INSTDIR/gcc/bin
+ cp /usr/bin/hardened-cc ./
+ mv gcc gcc.real
+ mv c++ c++.real
+ mv g++ g++.real
+ ln -sf hardened-cc gcc
+ ln -sf hardened-cc c++
+ ln -sf hardened-cc g++
+ popd
+
+ # Make sure gold is used with the hardening wrapper for full RELRO, see
+ # #13031.
+ pushd $INSTDIR/binutils/bin
+ rm ld
+ cp /usr/bin/hardened-ld ./
+ mv ld.gold ld.gold.real
+ ln -sf hardened-ld ld.gold
+ ln -sf ld.gold ld
+ popd
+
export DEB_BUILD_HARDENING_FORMAT=1
export PATH="$INSTDIR/binutils/bin:$INSTDIR/gcc/bin:$PATH"
export LD_LIBRARY_PATH="$INSTDIR/gcc/lib$ARCH"
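Review bot: The wrapper installation at `cp /usr/bin/hardened-cc ./` and `cp /usr/bin/hardened-ld ./` is unchecked: if the hardening-wrapper package is missing on the build host, `cp` fails and, unless this descriptor runs under `set -e`, the script keeps building with the unwrapped toolchain and still ships it in the zip. Because the other descriptors in this commit stop setting the wrappers up themselves, a silent failure here drops hardening from every consumer, so a guard such as `test -x /usr/bin/hardened-cc -a -x /usr/bin/hardened-ld || exit 1` before the first `pushd` would make it fail loudly. The visible context exports only `DEB_BUILD_HARDENING_FORMAT=1`; if these are the Debian hardening-wrapper scripts they add flags only when `DEB_BUILD_HARDENING=1` is also exported, so a comment like `# hardened-cc/hardened-ld are no-ops unless DEB_BUILD_HARDENING=1 is exported (set earlier in this script)` would help, pending confirmation of where that variable is set since it is outside this hunk. The enclosing script block starts and ends outside the hunk.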
@@ -191,9 +212,11 @@ script: |
# libevent archives are no longer reproducible. The main reason
# is that they include some .a archives which include timestamps.
# Those files are however not part of the files we ship.
+ # We use the --symlinks zip option for binutils and gcc for the
+ # hardening wrappers symlinks
cd $INSTDIR
- ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
- ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
+ ZIPOPTS='--symlinks' ~/build/dzip.sh binutils-$BINUTILS_VER-linux$GBUILD_BITS-utils.zip binutils
+ ZIPOPTS='--symlinks' ~/build/dzip.sh gcc-$GCC_VER-linux$GBUILD_BITS-utils.zip gcc
~/build/dzip.sh openssl-$OPENSSL_VER-linux$GBUILD_BITS-utils.zip openssl
~/build/dzip.sh libevent-${LIBEVENT_TAG#release-}-linux$GBUILD_BITS-utils.zip libevent
~/build/dzip.sh gmp-$GMP_VER-linux$GBUILD_BITS-utils.zip gmp
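Review bot: `ZIPOPTS='--symlinks'` on the two dzip.sh lines relies on dzip.sh reading that variable, but the diffstat lists only the five yml descriptors, so dzip.sh is not touched by this commit; if it does not already honour `ZIPOPTS`, zip stores the `gcc`/`c++`/`g++`/`ld`/`ld.gold` symlinks as copies of the wrapper and the wrapper-to-`.real` indirection the consumers depend on is lost without any error. Worth confirming against dzip.sh, and the added comment could state the dependency, e.g. `# dzip.sh passes ZIPOPTS to zip; --symlinks keeps the wrapper symlinks as symlinks`. Minor wording in the added comment: `hardening wrappers symlinks` reads better as `hardening-wrapper symlinks`. The script block continues outside the hunk.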
diff --git a/gitian/descriptors/linux/gitian-webrtc.yml b/gitian/descriptors/linux/gitian-webrtc.yml
index ccf2d4a..9e7808c 100644
--- a/gitian/descriptors/linux/gitian-webrtc.yml
+++ b/gitian/descriptors/linux/gitian-webrtc.yml
@@ -49,24 +49,7 @@ script: |
# Preparing Binutils and GCC for webrtc
unzip -d $INSTDIR binutils-linux$GBUILD_BITS-utils.zip
- # Make sure gold is used with the hardening wrapper for full RELRO, see
- # #13031.
- cd $INSTDIR/binutils/bin
- rm ld
- cp /usr/bin/hardened-ld ./
- mv ld.gold ld.gold.real
- ln -sf hardened-ld ld.gold
- ln -sf ld.gold ld
- cd ~/build
unzip -d $INSTDIR gcc-linux$GBUILD_BITS-utils.zip
- # Make sure we use the hardening wrapper when compiling Tor Browser.
- cd $INSTDIR/gcc/bin
- cp /usr/bin/hardened-cc ./
- mv gcc gcc.real
- mv c++ c++.real
- ln -sf hardened-cc gcc
- ln -sf hardened-cc c++
- cd ~/build
export PATH=$INSTDIR/gcc/bin:$INSTDIR/binutils/bin:$PATH
# GN needs libatomic.so.1 here.
export LD_LIBRARY_PATH=$INSTDIR/gcc/lib