[oe-commits] [meta-openembedded] 03/62: meta_oe_security_flags: disable PIE for libdbus-c++

git at git.openembedded.org git at git.openembedded.org
Tue Mar 7 13:28:36 UTC 2017


This is an automated email from the git hooks/post-receive script.

martin_jansa pushed a commit to branch morty-next
in repository meta-openembedded.

commit 9aba5089bea7df72fff472641070a18c07cb7e5a
Author: André Draszik <adraszik at tycoint.com>
AuthorDate: Fri Nov 25 15:18:03 2016 +0000

    meta_oe_security_flags: disable PIE for libdbus-c++
    
    The short version - it ain't working.
    
    The long version:
    
    For shared libraries made from C++ sources, configure
    runs some code to determine how to link shared libraries
    (from libtool.m4) using g++. In particular, it calls
    g++ ${CFLAGS} -c conftest.c
    g++ ${CFLAGS} -nostdinc -shared -v conftest.o
    to then parse the gcc -v output.
    
    If CFLAGS contains -pie -fpie, g++ adds Scrt1.o to the
    objects being linked together to form the final output.
    
    Once Scrt1.o is pulled into a shared library, it becomes
    impossible to link this DSO against a final binary. I
    didn't investigate why, but I suspect because of
    -Wl,relro -Wl,now
    
    libtool takes note of Scrt1.o (and all other libraries
    added by gcc, but those don't matter here) and adds it
    everywhere a shared library is being created, see
    predep_objects= and postdep_objects= in the
    'LIBTOOL TAG CONFIG: CXX' section.
    
    In other words, the shared library created during
    the build can't be linked against. This includes
    some applications that are part of the libdbus-c++
    source tree, but also any other external user.
    
    While I am not sure if the root of the issue is in
    - gcc (should it really add Scrt1.o despite -shared),
      or in
    - libtool (should it filter out -pie -fpie during the
      configure step), or even in
    - OE (should it really be adding -pie -fpie to
      everything, even shared libraries by default and
      unconditionally),
    we can make things work by using SECURITY_NO_PIE_CFLAGS
    instead.
    
    Signed-off-by: André Draszik <adraszik at tycoint.com>
    Signed-off-by: Martin Jansa <Martin.Jansa at gmail.com>
    Signed-off-by: Armin Kuster <akuster808 at gmail.com>
---
 meta-oe/conf/distro/include/meta_oe_security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta-oe/conf/distro/include/meta_oe_security_flags.inc b/meta-oe/conf/distro/include/meta_oe_security_flags.inc
index e57cc5b..42fedc2 100644
--- a/meta-oe/conf/distro/include/meta_oe_security_flags.inc
+++ b/meta-oe/conf/distro/include/meta_oe_security_flags.inc
@@ -1,4 +1,5 @@
 # Build errors with the pie options enabled
+SECURITY_CFLAGS_pn-libdbus-c++ = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-lvm2 = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-rrdtool = "${SECURITY_NO_PIE_CFLAGS}"
 
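Review bot: the new SECURITY_CFLAGS_pn-libdbus-c++ line sits under the generic comment "# Build errors with the pie options enabled" and records nothing about why this recipe is exempt. The commit message has a specific cause (libtool picks up Scrt1.o into predep_objects when configure runs with -pie -fpie), so a one-line comment naming it above this entry would let someone drop the exemption once gcc, libtool or the default flags are fixed. Note also that the override is per recipe, so the applications in the libdbus-c++ source tree mentioned in the commit message are built with the no-PIE flags as well, not only the shared library; it is worth stating that this is accepted.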

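A check for the condition the commit message describes, added here as an example (it is not part of the commit or of meta-openembedded): it scans a generated libtool script's 'LIBTOOL TAG CONFIG: CXX' section for Scrt1.o in predep_objects= or postdep_objects=. The function names and the sample fragment with its placeholder paths are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag Scrt1.o recorded by libtool for C++ shared-library links.

# Constructed sample: the CXX tag section of a generated libtool script,
# as configure would write it when CFLAGS carried -pie -fpie.
# Paths are placeholders, not taken from a real build.
sample_libtool_fragment() {
    cat <<'EOF'
predep_objects=""
# ### BEGIN LIBTOOL TAG CONFIG: CXX
predep_objects="/sysroot/usr/lib/Scrt1.o /sysroot/usr/lib/crti.o /toolchain/crtbeginS.o"
postdep_objects="/toolchain/crtendS.o /sysroot/usr/lib/crtn.o"
# ### END LIBTOOL TAG CONFIG: CXX
EOF
}

# find_scrt1_in_libtool FILE
# Prints "<variable>: <object>" for each Scrt1.o listed in predep_objects or
# postdep_objects inside the CXX tag section. Returns 1 if any was found,
# 0 if the section is clean.
find_scrt1_in_libtool() {
    awk '
        /^# ### BEGIN LIBTOOL TAG CONFIG: CXX/ { in_cxx = 1; next }
        /^# ### END LIBTOOL TAG CONFIG: CXX/   { in_cxx = 0 }
        in_cxx && /^(predep_objects|postdep_objects)=/ {
            var = $0; sub(/=.*/, "", var)
            val = $0; sub(/^[^=]*=/, "", val); gsub(/"/, "", val)
            n = split(val, objs, " ")
            for (i = 1; i <= n; i++)
                if (objs[i] ~ /(^|\/)Scrt1\.o$/) {
                    print var ": " objs[i]
                    found = 1
                }
        }
        END { exit (found + 0) }
    ' "$1"
}

# Demo on the constructed fragment.
demo_file=$(mktemp)
sample_libtool_fragment > "$demo_file"
if find_scrt1_in_libtool "$demo_file"; then
    echo "no Scrt1.o in CXX predep/postdep objects"
else
    echo "libtool will link Scrt1.o into C++ shared libraries"
fi
rm -f "$demo_file"
```

Run against the libtool script in a recipe's build directory, a clean result is a sign the per-recipe PIE exemption can be retested.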