author | Khem Raj <raj.khem@gmail.com> | 2017-07-29 08:58:38 -0700 |
---|---|---|
committer | Khem Raj <raj.khem@gmail.com> | 2017-07-29 10:31:38 -0700 |
commit | ebf65eba343ae4c5e9af073b62d386d1749c12e0 (patch) | |
tree | 3f3582146545f6dbee4ba45fa0dc08ea3dc03fe5 | |
parent | 2eb7946cc6003aeaf9909cdd3329d9458b767805 (diff) | |
download | meta-clang-ebf65eba343ae4c5e9af073b62d386d1749c12e0.tar.gz |
clang: Default to PIE when GCCPIE is set
This matches with OE-Core expectations and we
do not need to inject PIE flags manually via
SECURITY_CFLAGS which does not always work
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- | classes/clang.bbclass | 2 | ||||
-rw-r--r-- | recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch | 95 | ||||
-rw-r--r-- | recipes-devtools/clang/common.inc | 3 |
3 files changed, 98 insertions, 2 deletions
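--- a/classes/clang.bbclass
+++ b/classes/clang.bbclass
@@ -4,8 +4,6 @@ CXX_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang++ ${HOST_CC_ARCH}${TOOLCHAIN
 CPP_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS} -E"
 CCLD_toolchain-clang = "${CCACHE}${HOST_PREFIX}clang ${HOST_CC_ARCH}${TOOLCHAIN_OPTIONS}"
 
-SECURITY_PIE_CFLAGS_toolchain-clang= "-pie -fPIE"
-
 THUMB_TUNE_CCARGS_remove_toolchain-clang = "-mthumb-interwork"
 TUNE_CCARGS_remove_toolchain-clang = "-meb"
 TUNE_CCARGS_remove_toolchain-clang = "-mel"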
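--- /dev/null
+++ b/recipes-devtools/clang/clang/0007-clang-Enable-SSP-and-PIE-by-default.patch
@@ -0,0 +1,95 @@
+From 013035de788d1e2e00a4238fb2fdd39591c5c009 Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Sat, 29 Jul 2017 08:29:19 -0700
+Subject: [PATCH 7/7] clang: Enable SSP and PIE by default
+
+This is a minimal set of changes needed to make clang use SSP and PIE by
+default on Arch Linux. Tests that were easy to adjust have been changed
+accordingly; only test/Driver/linux-ld.c has been marked as "expected
+failure" due to the number of changes it would require (mostly replacing
+crtbegin.o with crtbeginS.o).
+
+Doing so is needed in order to align clang with the new default GCC
+behavior in Arch which generates PIE executables by default and also
+defaults to -fstack-protector-strong. It is not meant to be a long term
+solution, but a simple temporary fix.
+
+Hopefully these changes will be obsoleted by the introduction upstream
+of a compile-time option (https://bugs.llvm.org/show_bug.cgi?id=13410)
+
+From: Evangelos Foutras <evangelos@foutrelis.com>
+
+https://git.archlinux.org/svntogit/packages.git/tree/trunk/0002-Enable-SSP-and-PIE-by-default.patch?h=packages/llvm
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+lib/Driver/ToolChains/FreeBSD.cpp | 1 +
+lib/Driver/ToolChains/Gnu.cpp | 1 +
+lib/Driver/ToolChains/Linux.cpp | 14 +++++++++++++-
+lib/Driver/ToolChains/Linux.h | 1 +
+4 files changed, 16 insertions(+), 1 deletion(-)
+
+diff --git a/lib/Driver/ToolChains/FreeBSD.cpp b/lib/Driver/ToolChains/FreeBSD.cpp
+index c6626e922e..39d0d6fb0d 100644
+--- a/lib/Driver/ToolChains/FreeBSD.cpp
++++ b/lib/Driver/ToolChains/FreeBSD.cpp
+@@ -128,6 +128,7 @@ void freebsd::Linker::ConstructJob(Compilation &C, const JobAction &JA,
+const llvm::Triple::ArchType Arch = ToolChain.getArch();
+const bool IsPIE =
+!Args.hasArg(options::OPT_shared) &&
++ !Args.hasArg(options::OPT_nopie) &&
+(Args.hasArg(options::OPT_pie) || ToolChain.isPIEDefault());
+ArgStringList CmdArgs;
+
+diff --git a/lib/Driver/ToolChains/Gnu.cpp b/lib/Driver/ToolChains/Gnu.cpp
+index 8eb7401b24..8d06196231 100644
+--- a/lib/Driver/ToolChains/Gnu.cpp
++++ b/lib/Driver/ToolChains/Gnu.cpp
+@@ -417,6 +417,7 @@ void tools::gnutools::Linker::ConstructJob(Compilation &C, const JobAction &JA,
+const bool IsIAMCU = ToolChain.getTriple().isOSIAMCU();
+const bool IsPIE =
+!Args.hasArg(options::OPT_shared) && !Args.hasArg(options::OPT_static) &&
++ !Args.hasArg(options::OPT_nopie) &&
+(Args.hasArg(options::OPT_pie) || ToolChain.isPIEDefault());
+const bool HasCRTBeginEndFiles =
+ToolChain.getTriple().hasEnvironment() ||
+diff --git a/lib/Driver/ToolChains/Linux.cpp b/lib/Driver/ToolChains/Linux.cpp
+index 6dd6d52633..773063249a 100644
+--- a/lib/Driver/ToolChains/Linux.cpp
++++ b/lib/Driver/ToolChains/Linux.cpp
+@@ -810,7 +810,19 @@ void Linux::AddIAMCUIncludeArgs(const ArgList &DriverArgs,
+}
+}
+
+-bool Linux::isPIEDefault() const { return getSanitizerArgs().requiresPIE(); }
++bool Linux::isPIEDefault() const {
++ const bool IsMips = tools::isMipsArch(getTriple().getArch());
++ const bool IsAndroid = getTriple().isAndroid();
++
++ if (IsMips || IsAndroid)
++ return getSanitizerArgs().requiresPIE();
++
++ return true;
++}
++
++unsigned Linux::GetDefaultStackProtectorLevel(bool KernelOrKext) const {
++ return 2;
++}
+
+SanitizerMask Linux::getSupportedSanitizers() const {
+const bool IsX86 = getTriple().getArch() == llvm::Triple::x86;
+diff --git a/lib/Driver/ToolChains/Linux.h b/lib/Driver/ToolChains/Linux.h
+index 9778c1832c..ddd46a1d58 100644
+--- a/lib/Driver/ToolChains/Linux.h
++++ b/lib/Driver/ToolChains/Linux.h
+@@ -36,6 +36,7 @@ public:
+void AddIAMCUIncludeArgs(const llvm::opt::ArgList &DriverArgs,
+llvm::opt::ArgStringList &CC1Args) const override;
+bool isPIEDefault() const override;
++ unsigned GetDefaultStackProtectorLevel(bool KernelOrKext) const override;
+SanitizerMask getSupportedSanitizers() const override;
+void addProfileRTLibs(const llvm::opt::ArgList &Args,
+llvm::opt::ArgStringList &CmdArgs) const override;
+--
+2.13.3
+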
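Review bot: `Linux::GetDefaultStackProtectorLevel` returns a bare `2` for every Linux target and ignores `KernelOrKext`, and nothing in the code says which protector level that is. Going by the patch description it is meant to be `-fstack-protector-strong`, so a comment such as `// 2 = -fstack-protector-strong, matching the GCC default this patch aligns with` belongs on the return. `isPIEDefault()` likewise exempts MIPS and Android without saying why, which makes the exemption hard to audit when targets are added. The carried-over description mentions adjusted tests and an expected failure in test/Driver/linux-ld.c, but the embedded diffstat lists only four driver files, so the description and the patch appear out of step. No test in this section exercises either new default, so a post-build check that produced executables are PIE and reference the stack-protector symbols would confirm the hardening took effect.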
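--- a/recipes-devtools/clang/common.inc
+++ b/recipes-devtools/clang/common.inc
@@ -7,6 +7,8 @@ LLVMPATCHES = "\
 file://0001-llvm-TargetLibraryInfo-Undefine-libc-functions-if-th.patch \
 file://0002-llvm-allow-env-override-of-exe-path.patch \
 "
+# Fallback to no-PIE if not set
+GCCPIE ??= ""
 
 # Clang patches
 CLANGPATCHES = "\
@@ -17,6 +19,7 @@ CLANGPATCHES = "\
 file://0005-clang-Look-inside-the-target-sysroot-for-compiler-ru.patch;patchdir=tools/clang \
 file://0006-clang-Define-releative-gcc-installation-dir.patch;patchdir=tools/clang \
 "
+CLANGPATCHES += "${@'file://0007-clang-Enable-SSP-and-PIE-by-default.patch;patchdir=tools/clang' if '${GCCPIE}' else ''}"
 
 # libcxxabi patches
 LIBCXXABIPATCHES ="\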
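Review bot: The condition on the added `CLANGPATCHES +=` line tests only whether `GCCPIE` is non-empty, so any value, including one that turns default PIE off on the GCC side, still applies the patch and makes clang default to PIE and SSP. Testing for the enabling value would avoid that, e.g. `if 'enable-default-pie' in (d.getVar('GCCPIE') or '') else ''` (confirm the exact string OE-Core sets). Expanding `'${GCCPIE}'` inside a quoted Python literal also breaks parsing if the value ever contains a single quote, which `d.getVar` sidesteps. Since the same patch also switches on the stack-protector default, the comment `# Fallback to no-PIE if not set` should say that an unset `GCCPIE` leaves clang without either default.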