authorKevin F. Quinn <kevquinn@gentoo.org>2007-03-06 18:53:43 +0000
committerKevin F. Quinn <kevquinn@gentoo.org>2007-03-06 18:53:43 +0000
commitd87430c5c38ef927a58c865e10aca1c6538f785f (patch)
tree983d1b3cfd83d7385ef8ba372f029a2a7074bbe9 /hardened
parentAlign with gentoo-x86 3 Mar 2007 (diff)
downloadkevquinn-d87430c5c38ef927a58c865e10aca1c6538f785f.tar.gz
kevquinn-d87430c5c38ef927a58c865e10aca1c6538f785f.tar.bz2
kevquinn-d87430c5c38ef927a58c865e10aca1c6538f785f.zip
Various updates suggested by vapier, some work still in progress
svn path=/; revision=186
Diffstat (limited to 'hardened')
-rw-r--r--hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass20
-rw-r--r--hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass94
-rw-r--r--hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest8
-rw-r--r--hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild47
4 files changed, 55 insertions, 114 deletions
diff --git a/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass b/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass
index 5f642e6..7dfb2f6 100644
--- a/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass
+++ b/hardened/toolchain/branches/pieworld/eclass/flag-o-matic.eclass
@@ -124,7 +124,7 @@ setup-allowed-flags() {
_manage-hardened() {
local newspec=$1
[[ -z $2 ]] && die "Internal flag-o-matic error ($*) - please report"
- if gcc-specs-exists ${newspec}.specs; then
+ if _gcc-specs-exists ${newspec}.specs; then
[[ -z ${GCC_SPECS} ]] || newspec=":${newspec}"
export GCC_SPECS="${GCC_SPECS}${newspec}.specs"
einfo "Hardened compiler filtered $2 - GCC_SPECS set to ${GCC_SPECS}"
@@ -154,7 +154,7 @@ _manage-hardened() {
;;
esac
if [[ -n ${newspec} ]]; then
- if gcc-specs-exists ${newspec}; then
+ if _gcc-specs-exists ${newspec}; then
export GCC_SPECS="${newspec}"
einfo "Hardened compiler filtered $2 - GCC_SPECS set to ${GCC_SPECS}"
fi
@@ -232,29 +232,29 @@ append-lfs-flags() {
# Append flag if the compiler doesn't barf it
_raw_append_flag() {
- test-flag-CC $1 &&
+ test-flag-CC "$1" &&
export CFLAGS="${CFLAGS} $1"
- test-flag-CXX $1 &&
+ test-flag-CXX "$1" &&
export CXXFLAGS="${CXXFLAGS} $1"
}
# Special case: -fno-stack-protector-all needs special management
# on hardened gcc-4.
_append-flag() {
- [[ -z $1 ]] && return 0
- case $1 in
+ [[ -z "$1" ]] && return 0
+ case "$1" in
-fno-stack-protector-all)
_manage-hardened nosspall.specs -fno-stack-protector-all ;;
*)
- _raw_append_flag $1
+ _raw_append_flag "$1"
esac
}
append-flags() {
local f
- [[ -z $* ]] && return 0
- for f in $*; do
- _append-flag ${f}
+ [[ -z "$@" ]] && return 0
+ for f in "$@"; do
+ _append-flag "${f}"
done
return 0
}
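Review bot: The new `[[ -z "$@" ]] && return 0` in append-flags asks "were any arguments given?" by testing the arguments effectively joined into one string, which reads oddly next to the `for f in "$@"` loop that now iterates them individually; `[[ $# -eq 0 ]] && return 0` states that intent directly and cannot be confused by an argument that is itself empty. The quoting of `$1` in _raw_append_flag and on the `_raw_append_flag "$1"` call is the real fix in this hunk, since those are plain command arguments; the added quotes in `[[ -z "$1" ]]` and `case "$1" in` are harmless but cosmetic, as neither context word-splits. The same `"$@"` iteration now means a caller passing several flags in one quoted string gets them as a single flag, which matters for the commented-out `append-flags "-I... -imacros..."` line elsewhere in this commit.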
diff --git a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
index 1774151..be4261f 100644
--- a/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
+++ b/hardened/toolchain/branches/pieworld/eclass/toolchain-funcs.eclass
@@ -172,14 +172,6 @@ tc-arch() {
tc-ninja_magic_to_arch portage $@
}
-# Returns the version number, n.m...
-ld-fullversion() {
- $(tc-getLD "$@") -v | grep version | sed -e 's/^.*version //'
-}
-# Returns the <major>.<minor> version
-ld-version() {
- ld-fullversion "$@" | cut -f1,2 -d.
-}
# Returns the version as by `$CC -dumpversion`
gcc-fullversion() {
@@ -201,14 +193,16 @@ gcc-minor-version() {
gcc-micro-version() {
gcc-fullversion "$@" | cut -f3 -d. | cut -f1 -d-
}
-# Returns the installation directory
-gcc-install-dir() {
+# Returns the installation directory - internal toolchain
+# function for use by _gcc-specs-exists (for flag-o-matic).
+_gcc-install-dir() {
echo "$($(tc-getCC) -print-search-dirs 2> /dev/null |\
awk '$1=="install:" {print $2}')"
}
-# Returns true if the indicated specs file exists
-gcc-specs-exists() {
- [[ -f $(gcc-install-dir)/$1 ]]
+# Returns true if the indicated specs file exists - internal toolchain
+# function for use by flag-o-matic.
+_gcc-specs-exists() {
+ [[ -f $(_gcc-install-dir)/$1 ]]
}
# Returns requested gcc specs directive
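Review bot: Renaming gcc-install-dir and gcc-specs-exists to underscore-prefixed names removes two previously public eclass functions without leaving compatibility wrappers, so any ebuild or eclass outside this branch that still calls the old names will fail at runtime with "command not found" rather than at parse time. This file already uses the wrapper pattern for exactly this purpose (`gen_usr_ldscript() { _tc_gen_usr_ldscript "$@" ; }` further down), so the cheap option is to keep `gcc-install-dir() { _gcc-install-dir "$@" ; }` and `gcc-specs-exists() { _gcc-specs-exists "$@" ; }` beside the new definitions, with a comment marking them deprecated, until callers are known to be gone. If the intent is that nothing outside flag-o-matic ever used them, a sentence to that effect in the new header comments would record the decision.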
@@ -332,77 +326,3 @@ _tc_gen_usr_ldscript() {
}
gen_usr_ldscript() { _tc_gen_usr_ldscript "$@" ; }
-
-# Much assembly code is written conditional on preprocessor macro
-# PIC, which is a libtool convention and not something the toolchain
-# itself sets. GCC has set __PIC__ for the longest time when buildling
-# position-independent code (either -fPIC or -fPIE), so using __PIC__
-# is reliable. The hardened compiler switches on PIE by default, so
-# any code for applications that has position-independent versions
-# enabled via -DPIC don't get triggered when building -fPIE, even
-# though it would be necessary.
-# One easy option would be to have the compiler define PIC when
-# building -fPIE - however it would break code that contains PIC as
-# a word anywhere in it's source. A purer solution is to modify
-# preprocessor conditionals to accept __PIC__ in addition to PIC.
-# This function is provided to perform such modifications, to avoid
-# duplicating complex modifications throughout the tree.
-#
-# Syntax:
-# fixup_DPIC [-style edit|prepend] <directory> <filename match>
-#
-# Default is to try all files recursively from ${S}
-#
-# With -style prepend, it prepends the following:
-# #if (defined __PIC__ && !defined PIC)
-# # define PIC
-# #endif
-# to the top of any source file containing /#[[:space:]]*if.*PIC/
-#
-# With -style edit, replaces:
-# #ifdef PIC -> #if defined PIC || defined __PIC__
-# #ifndef PIC -> #if !defined PIC && !defined __PIC__
-# #if ... defined PIC ... -> #if ... (defined PIC || defined __PIC__) ...
-# #if ... !defined PIC ... -> #if ... (!defined PIC && !defined __PIC__) ...
-#
-# -prepend is the default.
-fixup_DPIC() {
- local style="prepend"
- while [[ ${1:0:1} == "-" ]]; do
- case ${1} in
- "-style") shift; [[ -z $1 ]] && die "fixup_PIC syntax error"; style=${1} ;;
- *) die "Unknown fixup_DPIC option ${1}"
- esac
- shift
- done
- local sourceroot="$1"
- local findmatch="$2"
- local findop="-name"
- [[ -z ${sourceroot} ]] && sourceroot="${S}"
- [[ -z ${findmatch} ]] && findop=""
-
- case ${style} in
- "prepend")
- einfo "Prepending PIC fixup"
- find "${sourceroot}" ${findop} "${findmatch}" | \
- xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \
- xargs sed -i -e '1i#if defined __PIC__ && !defined PIC\
-# define PIC\
-#endif\
-'
- ;;
- "edit") # this path untested
- find "${sourceroot}" ${findop} "${findmatch}" | \
- xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \
- xargs sed -s -i -n \
- -e 's/\(#[[:space:]]+\)ifdef[[:space:]]+PIC\b/\1if (defined PIC || defined __PIC__)/' \
- -e 's/\(#[[:space:]]+\)ifndef[[:space:]]+PIC\b/\1if (!defined PIC && !defined __PIC__)/' \
- -e 's/\(#[[:space:]]+if[[:space:]]+.*\)defined[[:space:]]+PIC\b\(.*$\)/\1(defined PIC || defined __PIC__)/' \
- -e 's/\(#[[:space:]]+if[[:space:]]+.*\)![[:space:]]*defined[[:space:]]+PIC\b/\1(!defined PIC && !defined __PIC__)/'
- ;;
- *)
- die "Unknown DPIC fixup style ${style}"
- ;;
- esac
-}
-
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
index 2d04672..45ed949 100644
--- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
+++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/Manifest
@@ -35,10 +35,10 @@ DIST glibc-2.5.tar.bz2 15321839 RMD160 25a0a460c0db1e5b7c570e5087461696f2096fd2
DIST glibc-libidn-2.5.tar.bz2 102330 RMD160 e10e85e0ee7cdab2e5518a93978cb688ccabee88 SHA1 ee7e019e01aa338e28db1eeb34abb2cb09d2f30a SHA256 de77e49e0beee6061d4c6e480f322566ba25d4e5e018c456a18ea4a8da5c0ede
DIST glibc-linuxthreads-2.5.tar.bz2 242445 RMD160 788484d035d53ac39aac18f6e3409a912eea1cfa SHA1 eb7765e5c0a14c7475f1c8b92cbe1f625a8fd76f SHA256 ee27aeba6124a8b351c720eb898917f0f8874d9a384cc2f17aa111a3d679bd2c
DIST glibc-ports-2.5.tar.bz2 409372 RMD160 e7e29df135a5f0f72760d10e5ad46de038e40725 SHA1 7da6257e641759ed29c4d316700fce6f604bc812 SHA256 80c38a005325e7539012bd665fb8e06af9ee9bfc74efb236ebff121265bfd463
-EBUILD glibc-2.5.ebuild 40048 RMD160 8301182ff0deb3444cdbeacdecb3d59070dce2c4 SHA1 b089e7b045b31382d81368b23140ffb5828d69af SHA256 100f0acd53305090e338d8375c728b521e1940bf6512189a82e1b3cde2cd818b
-MD5 60ab7cab96377028dc9635493cbaf55f glibc-2.5.ebuild 40048
-RMD160 8301182ff0deb3444cdbeacdecb3d59070dce2c4 glibc-2.5.ebuild 40048
-SHA256 100f0acd53305090e338d8375c728b521e1940bf6512189a82e1b3cde2cd818b glibc-2.5.ebuild 40048
+EBUILD glibc-2.5.ebuild 40687 RMD160 d362b490fa31d6a5b88ea5e560212c142f837a35 SHA1 7e09b38e071b1743ddc6bad581329fd73a0770f4 SHA256 d36a6269eaa0be2000e7f13730066a2f833446af33351ded268529642b8b4d76
+MD5 960673c487d64542ca473f4861893979 glibc-2.5.ebuild 40687
+RMD160 d362b490fa31d6a5b88ea5e560212c142f837a35 glibc-2.5.ebuild 40687
+SHA256 d36a6269eaa0be2000e7f13730066a2f833446af33351ded268529642b8b4d76 glibc-2.5.ebuild 40687
MD5 5b7e320e8b8b1a96ace60aa95385c122 files/digest-glibc-2.5 1286
RMD160 6302561abceb3a88449dfe74bd6f2e373f00dec3 files/digest-glibc-2.5 1286
SHA256 c20b8f42085597085e3589fbfd2dc5351f0c63a5492a55f82b59a1481b2a28f3 files/digest-glibc-2.5 1286
diff --git a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild
index 5a03986..6f8463b 100644
--- a/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild
+++ b/hardened/toolchain/branches/pieworld/sys-libs/glibc/glibc-2.5.ebuild
@@ -16,7 +16,7 @@
# CHOST = CTARGET - install into /
# CHOST != CTARGET - install into /usr/CTARGET/
-KEYWORDS="-* alpha amd64 arm ia64 ~mips ppc ppc64 sh sparc x86"
+KEYWORDS="-* ~alpha ~amd64 ~arm ~ia64 ~mips ~ppc ~ppc64 ~sh ~sparc ~x86"
BRANCH_UPDATE=""
@@ -236,8 +236,7 @@ toolchain-glibc_src_unpack() {
if use debug; then
# When using Hardened Gentoo stack handler, have smashes dump core for
- # analysis - debug only, as core could be an information leak
- # (paranoia).
+ # analysis - debug only, as core could be an information leak.
sed -i -e '/^CFLAGS-backtrace.c/ iCFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
${S}/debug/Makefile ||
die "Failed to modify debug/Makefile for debug stack handler"
@@ -247,9 +246,17 @@ toolchain-glibc_src_unpack() {
sed -i -e 's:-fstack-protector$:-fstack-protector-all:' ${S}/nscd/Makefile ||
die "Failed to ensure nscd builds with ssp-all"
- # Fix all ifdef PIC to accept also __PIC__, in header and
- # un-pre-processed assembler source files.
- fixup_DPIC -style prepend ${S} "*.[h|S]"
+ # Fixup use of PIC to choose PIC variants when built -fPIE.
+ # Prepends all files that have "#ifdef PIC" or similar, with
+ # preprocessor macros to define PIC if the compiler has
+ # defined __PIC__.
+ find ${S} -name '*.[h|S]' | \
+ xargs grep -l '^[[:space:]]*#[[:space:]]*if.*\bPIC\b' | \
+ xargs sed -i -e '1i#if defined __PIC__ && !defined PIC\
+# define PIC\
+#endif\
+'
+
fi
gnuconfig_update
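Review bot: The inlined `find ${S} -name '*.[h|S]'` pattern matches a single character from the set h, |, S — the `|` is a literal inside a bracket expression, not alternation — so it also matches names ending in `.|`; `'*.[hS]'` is what the comment describes. Unlike the two `sed -i ... || die` calls immediately above in this function, the new pipeline's result is not checked, and with GNU xargs an empty grep result still invokes `sed -i` with no files, so a silent failure or a quietly unpatched tree cannot be distinguished from success. I would change the first line to `find "${S}" -name '*.[hS]' | \`, the last xargs to `xargs -r sed -i -e '...'`, and append `|| die "Failed to fixup PIC conditionals"` after the closing quote of the sed script, matching the surrounding style. toolchain-glibc_src_unpack starts and ends outside this hunk.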
@@ -732,6 +739,23 @@ setup_flags() {
# Don't let the compiler automatically build PIEs unless USE=hardened.
use hardened || filter-flags -fPIE
+
+ # When building hardened, define PIC always as many files use libtool-style
+ # macro PIC rather than the builtin macro __PIC__ to differentiate.
+#1 if use hardened; then
+#1 mkdir -p ${T}/include
+#1 [[ -f ${T}/include/define-pic.h ]] ||
+#1 cat > ${T}/include/define-pic.h <<-EOF
+#1 #if defined __PIC__ && !defined PIC
+#1 # define PIC
+#1 #endif
+#1 EOF
+#1 append-flags "-I${T}/include -imacrosdefine-pic.h"
+#1 # Note; the glibc build process filters out -I* from CFLAGS -
+#1 # define-pic.h will be moved to the build directory in
+#1 # the configure phase.
+#1 fi
+#2 #use hardened && append-flags -DPIC
}
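Review bot: The `#1`-prefixed block and the `#2` line added at the end of setup_flags are dead alternative implementations rather than comments, and the same `#1` marker appears again in the glibc_do_configure hunk below; with the commit message saying this is work in progress, either drop them in favour of a single `# TODO: alternative to the src_unpack sed fixup — define PIC via -imacros define-pic.h, see svn r186` line, or explain what `#1` and `#2` mean so a reader knows which variant is live. If the `#1` variant is later enabled, note that `append-flags "-I${T}/include -imacrosdefine-pic.h"` passes both flags as one argument, and with this commit's change of append-flags to iterate `"$@"` that string is no longer split into two flags; they should be passed as separate arguments, `append-flags "-I${T}/include" "-imacrosdefine-pic.h"`. setup_flags begins outside this hunk.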
check_kheader_version() {
@@ -930,6 +954,9 @@ glibc_do_configure() {
local GBUILDDIR=${WORKDIR}/build-${ABI}-${CTARGET}-$1
mkdir -p "${GBUILDDIR}"
cd "${GBUILDDIR}"
+#1 # Copy define-pic.h into the build directory, where glibc's build process
+#1 # will find it.
+#1 use hardened && cp ${T}/include/define-pic.h .
einfo "Configuring GLIBC for $1 with: ${myconf// /\n\t\t}"
"${S}"/configure ${myconf} || die "failed to configure glibc"
}
@@ -1091,15 +1118,9 @@ pkg_setup() {
die "install pax-utils"
fi
- # Building glibc with the default-PIE compiler requires binutils-2.17. The
- # dependency is brought in conditional on USE=hardened.
if gcc-specs-pie && ! use hardened; then
eerror "USE=hardened must be set to build glibc with a hardened compiler"
- die "set USE=hardened (or gcc-config to gcc/vanilla)"
- fi
- if use hardened && ! version_is_at_least $(ld-version) "2.17"; then
- eerror "Need binutils-2.17 or higher active to build glibc hardened"
- die "install >=sys-devel/binutils-2.17 (or binutils-config to it)"
+ die "set USE=hardened (or gcc-config to gcc-vanilla)"
fi
}
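Review bot: With the binutils-2.17 check and its explanatory comment gone, the remaining `gcc-specs-pie && ! use hardened` test in pkg_setup no longer carries any rationale, and a reader cannot tell whether the binutils requirement was dropped because it is obsolete or because it moved elsewhere. If the requirement still holds, it now has to be expressed in DEPEND (the removed comment said it was brought in conditionally on USE=hardened); in either case a one-line comment above the `if` — for example `# A default-PIE (hardened) compiler needs the hardened glibc configuration.` — would restore the missing context. pkg_setup begins outside this hunk.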