Version bump.

(Portage version: 2.2.10/cvs/Linux x86_64, signed Manifest commit with key D2E96200)
author: Mike Frysinger <vapier@gentoo.org> 2014-09-10 05:49:03 +0000
committer: Mike Frysinger <vapier@gentoo.org> 2014-09-10 05:49:03 +0000
commit: 344b07bc001b1eb83631f94422b867f482eb64c5 (patch)
tree: 22773d95e0b8711bea7658d7cf35b0c54567b5dc /sys-libs
parent: Version bump. (diff)
download: gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.tar.gz
gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.tar.bz2
gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.zip
6 files changed, 505 insertions, 6 deletions
diff --git a/sys-libs/glibc/ChangeLog b/sys-libs/glibc/ChangeLog
index 7eccab858b6b..328938c9430f 100644
--- a/sys-libs/glibc/ChangeLog
+++ b/sys-libs/glibc/ChangeLog
@@ -1,6 +1,14 @@
 # ChangeLog for sys-libs/glibc
 # Copyright 1999-2014 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/ChangeLog,v 1.1013 2014/09/10 05:43:00 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/ChangeLog,v 1.1014 2014/09/10 05:49:03 vapier Exp $
+
+*glibc-2.20 (10 Sep 2014)
+
+  10 Sep 2014; Mike Frysinger <vapier@gentoo.org>
+  +files/2.20/glibc-2.20-gentoo-chk_fail.c,
+  +files/2.20/glibc-2.20-gentoo-stack_chk_fail.c, +glibc-2.20.ebuild,
+  files/eblits/src_compile.eblit, metadata.xml:
+  Version bump.
 
   10 Sep 2014; Mike Frysinger <vapier@gentoo.org> glibc-2.19-r1.ebuild:
   Mark sparc stable.
diff --git a/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
new file mode 100644
index 000000000000..a8ab9d8a3e29
--- /dev/null
+++ b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-chk_fail.c
@@ -0,0 +1,299 @@
+/* Copyright (C) 2004-2014 Free Software Foundation, Inc.
+   Copyright (C) 2006-2014 Gentoo Foundation Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, write to the Free
+   Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+   02111-1307 USA.  */
+
+/* Hardened Gentoo SSP and FORTIFY handler
+
+   A failure handler that does not use functions from the rest of glibc;
+   it uses the INTERNAL_SYSCALL methods directly.  This helps ensure no
+   possibility of recursion into the handler.
+
+   Direct all bug reports to http://bugs.gentoo.org/
+
+   People who have contributed significantly to the evolution of this file:
+   Ned Ludd - <solar[@]gentoo.org>
+   Alexander Gabert - <pappy[@]gentoo.org>
+   The PaX Team - <pageexec[@]freemail.hu>
+   Peter S. Mazinger - <ps.m[@]gmx.net>
+   Yoann Vandoorselaere - <yoann[@]prelude-ids.org>
+   Robert Connolly - <robert[@]linuxfromscratch.org>
+   Cory Visi <cory[@]visi.name>
+   Mike Frysinger <vapier[@]gentoo.org>
+   Magnus Granberg <zorry[@]gentoo.org>
+   Kevin F. Quinn - <kevquinn[@]gentoo.org>
+ */
+
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <signal.h>
+
+#include <sys/types.h>
+
+#include <sysdep-cancel.h>
+#include <sys/syscall.h>
+
+#include <kernel-features.h>
+
+#include <alloca.h>
+/* from sysdeps */
+#include <socketcall.h>
+/* for the stuff in bits/socket.h */
+#include <sys/socket.h>
+#include <sys/un.h>
+
+/* Sanity check on SYSCALL macro names - force compilation
+ * failure if the names used here do not exist
+ */
+#if !defined __NR_socketcall && !defined __NR_socket
+# error Cannot do syscall socket or socketcall
+#endif
+#if !defined __NR_socketcall && !defined __NR_connect
+# error Cannot do syscall connect or socketcall
+#endif
+#ifndef __NR_write
+# error Cannot do syscall write
+#endif
+#ifndef __NR_close
+# error Cannot do syscall close
+#endif
+#ifndef __NR_getpid
+# error Cannot do syscall getpid
+#endif
+#ifndef __NR_kill
+# error Cannot do syscall kill
+#endif
+#ifndef __NR_exit
+# error Cannot do syscall exit
+#endif
+#ifdef SSP_SMASH_DUMPS_CORE
+# define ENABLE_SSP_SMASH_DUMPS_CORE 1
+# if !defined _KERNEL_NSIG && !defined _NSIG
+#  error No _NSIG or _KERNEL_NSIG for rt_sigaction
+# endif
+# if !defined __NR_sigaction && !defined __NR_rt_sigaction
+#  error Cannot do syscall sigaction or rt_sigaction
+# endif
+/* Although rt_sigaction expects sizeof(sigset_t) - it expects the size
+ * of the _kernel_ sigset_t which is not the same as the user sigset_t.
+ * Most arches have this as _NSIG bits - mips has _KERNEL_NSIG bits for
+ * some reason.
+ */
+# ifdef _KERNEL_NSIG
+#  define _SSP_NSIG _KERNEL_NSIG
+# else
+#  define _SSP_NSIG _NSIG
+# endif
+#else
+# define _SSP_NSIG 0
+# define ENABLE_SSP_SMASH_DUMPS_CORE 0
+#endif
+
+/* Define DO_SIGACTION - default to newer rt signal interface but
+ * fallback to old as needed.
+ */
+#ifdef __NR_rt_sigaction
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(rt_sigaction, 4, signum, act, oldact, _SSP_NSIG/8)
+#else
+# define DO_SIGACTION(signum, act, oldact) \
+	INLINE_SYSCALL(sigaction, 3, signum, act, oldact)
+#endif
+
+/* Define DO_SOCKET/DO_CONNECT functions to deal with socketcall vs socket/connect */
+#if defined(__NR_socket) && defined(__NR_connect)
+# define USE_OLD_SOCKETCALL 0
+#else
+# define USE_OLD_SOCKETCALL 1
+#endif
+
+/* stub out the __NR_'s so we can let gcc optimize away dead code */
+#ifndef __NR_socketcall
+# define __NR_socketcall 0
+#endif
+#ifndef __NR_socket
+# define __NR_socket 0
+#endif
+#ifndef __NR_connect
+# define __NR_connect 0
+#endif
+#define DO_SOCKET(result, domain, type, protocol) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = domain; \
+			socketargs[1] = type; \
+			socketargs[2] = protocol; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_socket, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(socket, 3, domain, type, protocol); \
+	} while (0)
+#define DO_CONNECT(result, sockfd, serv_addr, addrlen) \
+	do { \
+		if (USE_OLD_SOCKETCALL) { \
+			socketargs[0] = sockfd; \
+			socketargs[1] = (unsigned long int)serv_addr; \
+			socketargs[2] = addrlen; \
+			socketargs[3] = 0; \
+			result = INLINE_SYSCALL(socketcall, 2, SOCKOP_connect, socketargs); \
+		} else \
+			result = INLINE_SYSCALL(connect, 3, sockfd, serv_addr, addrlen); \
+	} while (0)
+
+#ifndef _PATH_LOG
+# define _PATH_LOG "/dev/log"
+#endif
+
+static const char path_log[] = _PATH_LOG;
+
+/* For building glibc with SSP switched on, define __progname to a
+ * constant if building for the run-time loader, to avoid pulling
+ * in more of libc.so into ld.so
+ */
+#ifdef IS_IN_rtld
+static const char *__progname = "<ldso>";
+#else
+extern const char *__progname;
+#endif
+
+#ifdef GENTOO_SSP_HANDLER
+# define ERROR_MSG "stack smashing"
+#else
+# define ERROR_MSG "buffer overflow"
+#endif
+
+/* Common handler code, used by chk_fail
+ * Inlined to ensure no self-references to the handler within itself.
+ * Data static to avoid putting more than necessary on the stack,
+ * to aid core debugging.
+ */
+__attribute__ ((__noreturn__, __always_inline__))
+static inline void
+__hardened_gentoo_fail(void)
+{
+#define MESSAGE_BUFSIZ 512
+	static pid_t pid;
+	static int plen, i, hlen;
+	static char message[MESSAGE_BUFSIZ];
+	/* <11> is LOG_USER|LOG_ERR. A dummy date for loggers to skip over. */
+	static const char msg_header[] = "<11>" __DATE__ " " __TIME__ " glibc-gentoo-hardened-check: ";
+	static const char msg_ssd[] = "*** " ERROR_MSG " detected ***: ";
+	static const char msg_terminated[] = " terminated; ";
+	static const char msg_report[] = "report to " REPORT_BUGS_TO "\n";
+	static const char msg_unknown[] = "<unknown>";
+	static int log_socket, connect_result;
+	static struct sockaddr_un sock;
+	static unsigned long int socketargs[4];
+
+	/* Build socket address */
+	sock.sun_family = AF_UNIX;
+	i = 0;
+	while (path_log[i] != '\0' && i < sizeof(sock.sun_path) - 1) {
+		sock.sun_path[i] = path_log[i];
+		++i;
+	}
+	sock.sun_path[i] = '\0';
+
+	/* Try SOCK_DGRAM connection to syslog */
+	connect_result = -1;
+	DO_SOCKET(log_socket, AF_UNIX, SOCK_DGRAM, 0);
+	if (log_socket != -1)
+		DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	if (connect_result == -1) {
+		if (log_socket != -1)
+			INLINE_SYSCALL(close, 1, log_socket);
+		/* Try SOCK_STREAM connection to syslog */
+		DO_SOCKET(log_socket, AF_UNIX, SOCK_STREAM, 0);
+		if (log_socket != -1)
+			DO_CONNECT(connect_result, log_socket, &sock, sizeof(sock));
+	}
+
+	/* Build message.  Messages are generated both in the old style and new style,
+	 * so that log watchers that are configured for the old-style message continue
+	 * to work.
+	 */
+#define strconcat(str) \
+	({ \
+		i = 0; \
+		while ((str[i] != '\0') && ((i + plen) < (MESSAGE_BUFSIZ - 1))) { \
+			message[plen + i] = str[i]; \
+			++i; \
+		} \
+		plen += i; \
+	})
+
+	/* Tersely log the failure */
+	plen = 0;
+	strconcat(msg_header);
+	hlen = plen;
+	strconcat(msg_ssd);
+	if (__progname != NULL)
+		strconcat(__progname);
+	else
+		strconcat(msg_unknown);
+	strconcat(msg_terminated);
+	strconcat(msg_report);
+
+	/* Write out error message to STDERR, to syslog if open */
+	INLINE_SYSCALL(write, 3, STDERR_FILENO, message + hlen, plen - hlen);
+	if (connect_result != -1) {
+		INLINE_SYSCALL(write, 3, log_socket, message, plen);
+		INLINE_SYSCALL(close, 1, log_socket);
+	}
+
+	/* Time to kill self since we have no idea what is going on */
+	pid = INLINE_SYSCALL(getpid, 0);
+
+	if (ENABLE_SSP_SMASH_DUMPS_CORE) {
+		/* Remove any user-supplied handler for SIGABRT, before using it. */
+#if 0
+		/*
+		 * Note: Disabled because some programs catch & process their
+		 * own crashes.  We've already enabled this code path which
+		 * means we want to let core dumps happen.
+		 */
+		static struct sigaction default_abort_act;
+		default_abort_act.sa_handler = SIG_DFL;
+		default_abort_act.sa_sigaction = NULL;
+		__sigfillset(&default_abort_act.sa_mask);
+		default_abort_act.sa_flags = 0;
+		if (DO_SIGACTION(SIGABRT, &default_abort_act, NULL) == 0)
+#endif
+			INLINE_SYSCALL(kill, 2, pid, SIGABRT);
+	}
+
+	/* SIGKILL is only signal which cannot be caught */
+	INLINE_SYSCALL(kill, 2, pid, SIGKILL);
+
+	/* In case the kill didn't work, exit anyway.
+	 * The loop prevents gcc thinking this routine returns.
+	 */
+	while (1)
+		INLINE_SYSCALL(exit, 1, 137);
+}
+
+__attribute__ ((__noreturn__))
+#ifdef GENTOO_SSP_HANDLER
+void __stack_chk_fail(void)
+#else
+void __chk_fail(void)
+#endif
+{
+	__hardened_gentoo_fail();
+}
diff --git a/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
new file mode 100644
index 000000000000..4a537bb52c5f
--- /dev/null
+++ b/sys-libs/glibc/files/2.20/glibc-2.20-gentoo-stack_chk_fail.c
@@ -0,0 +1,2 @@
+#define GENTOO_SSP_HANDLER
+#include <debug/chk_fail.c>
diff --git a/sys-libs/glibc/files/eblits/src_compile.eblit b/sys-libs/glibc/files/eblits/src_compile.eblit
index e336715cbc4e..d606e137ad29 100644
--- a/sys-libs/glibc/files/eblits/src_compile.eblit
+++ b/sys-libs/glibc/files/eblits/src_compile.eblit
@@ -1,6 +1,6 @@
 # Copyright 1999-2014 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_compile.eblit,v 1.40 2014/08/21 14:41:39 vapier Exp $
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/files/eblits/src_compile.eblit,v 1.41 2014/09/10 05:49:03 vapier Exp $
 
 glibc_do_configure() {
 	local myconf=()
@@ -9,14 +9,14 @@ glibc_do_configure() {
 
 	# set addons
 	pushd "${S}" > /dev/null
-	local ADDONS=$(echo */configure | sed \
+	local addons=$(echo */configure | sed \
 		-e 's:/configure::g' \
 		-e 's:\(linuxthreads\|nptl\|rtkaio\|glibc-compat\)\( \|$\)::g' \
 		-e 's: \+$::' \
 		-e 's! !,!g' \
 		-e 's!^!,!' \
 		-e '/^,\*$/d')
-	[[ -d ports ]] && ADDONS="${ADDONS},ports"
+	[[ -d ports ]] && addons+=",ports"
 	popd > /dev/null
 
 	myconf+=( $(use_enable hardened stackguard-randomization) )
@@ -40,14 +40,16 @@ glibc_do_configure() {
 		fi
 
 		myconf+=( --disable-sanity-checks )
-		myconf+=( --enable-add-ons="linuxthreads${ADDONS}" )
+		addons="linuxthreads${addons}"
 		myconf+=( --enable-kernel=${LT_KER_VER} )
 	elif [[ $1 == "nptl" ]] ; then
-		myconf+=( --enable-add-ons="nptl${ADDONS}" )
+		# Newer versions require nptl, so there is no addon for it.
+		version_is_at_least 2.20 || addons="nptl${addons}"
 		myconf+=( --enable-kernel=${NPTL_KERN_VER} )
 	else
 		die "invalid pthread option"
 	fi
+	myconf+=( --enable-add-ons="${addons#,}" )
 
 	# Since SELinux support is only required for nscd, only enable it if:
 	# 1. USE selinux
diff --git a/sys-libs/glibc/glibc-2.20.ebuild b/sys-libs/glibc/glibc-2.20.ebuild
new file mode 100644
index 000000000000..378bcd200615
--- /dev/null
+++ b/sys-libs/glibc/glibc-2.20.ebuild
@@ -0,0 +1,187 @@
+# Copyright 1999-2014 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/sys-libs/glibc/glibc-2.20.ebuild,v 1.1 2014/09/10 05:49:03 vapier Exp $
+
+inherit eutils versionator toolchain-funcs flag-o-matic gnuconfig multilib systemd unpacker multiprocessing
+
+DESCRIPTION="GNU libc6 (also called glibc2) C library"
+HOMEPAGE="http://www.gnu.org/software/libc/libc.html"
+
+LICENSE="LGPL-2.1+ BSD HPND ISC inner-net rc PCRE"
+#KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+RESTRICT="strip" # strip ourself #46186
+EMULTILIB_PKG="true"
+
+# Configuration variables
+RELEASE_VER=""
+case ${PV} in
+9999*)
+	EGIT_REPO_URIS="git://sourceware.org/git/glibc.git"
+	EGIT_SOURCEDIRS="${S}"
+	inherit git-2
+	;;
+*)
+	RELEASE_VER=${PV}
+	;;
+esac
+GCC_BOOTSTRAP_VER="4.7.3-r1"
+PATCH_VER="1"                                  # Gentoo patchset
+NPTL_KERN_VER=${NPTL_KERN_VER:-"2.6.32"}       # min kernel version nptl requires
+
+IUSE="debug gd hardened multilib nscd selinux systemtap profile suid vanilla crosscompile_opts_headers-only"
+
+# Here's how the cross-compile logic breaks down ...
+#  CTARGET - machine that will target the binaries
+#  CHOST   - machine that will host the binaries
+#  CBUILD  - machine that will build the binaries
+# If CTARGET != CHOST, it means you want a libc for cross-compiling.
+# If CHOST != CBUILD, it means you want to cross-compile the libc.
+#  CBUILD = CHOST = CTARGET    - native build/install
+#  CBUILD != (CHOST = CTARGET) - cross-compile a native build
+#  (CBUILD = CHOST) != CTARGET - libc for cross-compiler
+#  CBUILD != CHOST != CTARGET  - cross-compile a libc for a cross-compiler
+# For install paths:
+#  CHOST = CTARGET  - install into /
+#  CHOST != CTARGET - install into /usr/CTARGET/
+
+export CBUILD=${CBUILD:-${CHOST}}
+export CTARGET=${CTARGET:-${CHOST}}
+if [[ ${CTARGET} == ${CHOST} ]] ; then
+	if [[ ${CATEGORY} == cross-* ]] ; then
+		export CTARGET=${CATEGORY#cross-}
+	fi
+fi
+
+[[ ${CTARGET} == hppa* ]] && NPTL_KERN_VER=${NPTL_KERN_VER/2.6.16/2.6.20}
+
+is_crosscompile() {
+	[[ ${CHOST} != ${CTARGET} ]]
+}
+
+# Why SLOT 2.2 you ask yourself while sippin your tea ?
+# Everyone knows 2.2 > 0, duh.
+SLOT="2.2"
+
+# General: We need a new-enough binutils/gcc to match upstream baseline.
+# arch: we need to make sure our binutils/gcc supports TLS.
+DEPEND=">=app-misc/pax-utils-0.1.10
+	!<sys-apps/sandbox-1.6
+	!<sys-apps/portage-2.1.2
+	selinux? ( sys-libs/libselinux )"
+RDEPEND="!sys-kernel/ps3-sources
+	selinux? ( sys-libs/libselinux )
+	!sys-libs/nss-db"
+
+if [[ ${CATEGORY} == cross-* ]] ; then
+	DEPEND+=" !crosscompile_opts_headers-only? (
+		>=${CATEGORY}/binutils-2.20
+		>=${CATEGORY}/gcc-4.4
+	)"
+	[[ ${CATEGORY} == *-linux* ]] && DEPEND+=" ${CATEGORY}/linux-headers"
+else
+	DEPEND+="
+		>=sys-devel/binutils-2.20
+		>=sys-devel/gcc-4.4
+		virtual/os-headers
+		!vanilla? ( >=sys-libs/timezone-data-2012c )"
+	RDEPEND+="
+		vanilla? ( !sys-libs/timezone-data )
+		!vanilla? ( sys-libs/timezone-data )"
+fi
+
+upstream_uris() {
+	echo mirror://gnu/glibc/$1 ftp://sourceware.org/pub/glibc/{releases,snapshots}/$1 mirror://gentoo/$1
+}
+gentoo_uris() {
+	local devspace="HTTP~vapier/dist/URI HTTP~azarah/glibc/URI"
+	devspace=${devspace//HTTP/http://dev.gentoo.org/}
+	echo mirror://gentoo/$1 ${devspace//URI/$1}
+}
+SRC_URI=$(
+	[[ -z ${EGIT_REPO_URIS} ]] && upstream_uris ${P}.tar.xz
+	[[ -n ${PATCH_VER}      ]] && gentoo_uris ${P}-patches-${PATCH_VER}.tar.bz2
+)
+SRC_URI+=" ${GCC_BOOTSTRAP_VER:+multilib? ( $(gentoo_uris gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2) )}"
+
+# eblit-include [--skip] <function> [version]
+eblit-include() {
+	local skipable=false
+	[[ $1 == "--skip" ]] && skipable=true && shift
+	[[ $1 == pkg_* ]] && skipable=true
+
+	local e v func=$1 ver=$2
+	[[ -z ${func} ]] && die "Usage: eblit-include <function> [version]"
+	for v in ${ver:+-}${ver} -${PVR} -${PV} "" ; do
+		e="${FILESDIR}/eblits/${func}${v}.eblit"
+		if [[ -e ${e} ]] ; then
+			source "${e}"
+			return 0
+		fi
+	done
+	${skipable} && return 0
+	die "Could not locate requested eblit '${func}' in ${FILESDIR}/eblits/"
+}
+
+# eblit-run-maybe <function>
+# run the specified function if it is defined
+eblit-run-maybe() {
+	[[ $(type -t "$@") == "function" ]] && "$@"
+}
+
+# eblit-run <function> [version]
+# aka: src_unpack() { eblit-run src_unpack ; }
+eblit-run() {
+	eblit-include --skip common "${*:2}"
+	eblit-include "$@"
+	eblit-run-maybe eblit-$1-pre
+	eblit-${PN}-$1
+	eblit-run-maybe eblit-$1-post
+}
+
+src_unpack()  { eblit-run src_unpack  ; }
+src_compile() { eblit-run src_compile ; }
+src_test()    { eblit-run src_test    ; }
+src_install() { eblit-run src_install ; }
+
+# FILESDIR might not be available during binpkg install
+for x in setup {pre,post}inst ; do
+	e="${FILESDIR}/eblits/pkg_${x}.eblit"
+	if [[ -e ${e} ]] ; then
+		. "${e}"
+		eval "pkg_${x}() { eblit-run pkg_${x} ; }"
+	fi
+done
+
+eblit-src_unpack-pre() {
+	[[ -n ${GCC_BOOTSTRAP_VER} ]] && use multilib && unpack gcc-${GCC_BOOTSTRAP_VER}-multilib-bootstrap.tar.bz2
+}
+
+eblit-src_unpack-post() {
+	cd "${S}"
+
+	if use hardened ; then
+		einfo "Patching to get working PIE binaries on PIE (hardened) platforms"
+		gcc-specs-pie && epatch "${FILESDIR}"/2.17/glibc-2.17-hardened-pie.patch
+		epatch "${FILESDIR}"/2.18/glibc-2.18-hardened-inittls-nosysenter.patch
+
+		# We don't enable these for non-hardened as the output is very terse --
+		# it only states that a crash happened.  The default upstream behavior
+		# includes backtraces and symbols.
+		einfo "Installing Hardened Gentoo SSP and FORTIFY_SOURCE handler"
+		cp "${FILESDIR}"/2.20/glibc-2.20-gentoo-stack_chk_fail.c debug/stack_chk_fail.c || die
+		cp "${FILESDIR}"/2.20/glibc-2.20-gentoo-chk_fail.c debug/chk_fail.c || die
+
+		if use debug ; then
+			# Allow SIGABRT to dump core on non-hardened systems, or when debug is requested.
+			sed -i \
+				-e '/^CFLAGS-backtrace.c/ iCPPFLAGS-stack_chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
+				-e '/^CFLAGS-backtrace.c/ iCPPFLAGS-chk_fail.c = -DSSP_SMASH_DUMPS_CORE' \
+				debug/Makefile || die
+		fi
+
+		# Build various bits with ssp-all
+		sed -i \
+			-e 's:-fstack-protector$:-fstack-protector-all:' \
+			*/Makefile || die
+	fi
+}
diff --git a/sys-libs/glibc/metadata.xml b/sys-libs/glibc/metadata.xml
index 29f68edc8065..a113d4369b6c 100644
--- a/sys-libs/glibc/metadata.xml
+++ b/sys-libs/glibc/metadata.xml
@@ -3,6 +3,7 @@
 <pkgmetadata>
 <herd>toolchain</herd>
 <use>
+ <flag name='debug'>When USE=hardened, allow fortify/stack violations to dump core (SIGABRT) and not kill self (SIGKILL)</flag>
  <flag name='gd'>build memusage and memusagestat tools</flag>
  <flag name='nscd'>Build, and enable support for, the Name Service Cache Daemon</flag>
  <flag name='suid'>Make internal pt_chown helper setuid -- not needed if using Linux and have /dev/pts mounted with gid=5</flag>
author	Mike Frysinger <vapier@gentoo.org>	2014-09-10 05:49:03 +0000
committer	Mike Frysinger <vapier@gentoo.org>	2014-09-10 05:49:03 +0000
commit	344b07bc001b1eb83631f94422b867f482eb64c5 (patch)
tree	22773d95e0b8711bea7658d7cf35b0c54567b5dc /sys-libs
parent	Version bump. (diff)
download	gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.tar.gz gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.tar.bz2 gentoo-2-344b07bc001b1eb83631f94422b867f482eb64c5.zip