Author: robert Date: 2010-02-20 13:27:43 -0700 (Sat, 20 Feb 2010) New Revision: 1545
Modified: branches/Onward/downloads/packages.txt branches/Onward/downloads/patches.txt branches/Onward/temporary_system/glibc.txt Log: Bump to Glibc-2.11.1.
Modified: branches/Onward/downloads/packages.txt
===================================================================
--- branches/Onward/downloads/packages.txt 2010-02-19 17:28:43 UTC (rev 1544)
+++ branches/Onward/downloads/packages.txt 2010-02-20 20:27:43 UTC (rev 1545)
@@ -51,9 +51,9 @@
 # http://ftp.gnu.org/gnu/gettext/gettext-0.17.tar.gz.sig
 http://ftp.gnu.org/gnu/gettext/gettext-0.17.tar.gz
 
-# Glibc-2.9 snapshot:
-# You may want to follow this symlink, and get the real file name.
-ftp://sources.redhat.com/pub/glibc/snapshots/glibc-2.9-latest.tar.bz2
+# Glibc:
+# http://ftp.gnu.org/gnu/glibc/glibc-2.11.1.tar.bz2.sig
+http://ftp.gnu.org/gnu/glibc/glibc-2.11.1.tar.bz2
 
 # GMP:
 # http://ftp.gnu.org/gnu/gmp/gmp-5.0.1.tar.bz2.sig
Modified: branches/Onward/downloads/patches.txt
===================================================================
--- branches/Onward/downloads/patches.txt 2010-02-19 17:28:43 UTC (rev 1544)
+++ branches/Onward/downloads/patches.txt 2010-02-20 20:27:43 UTC (rev 1545)
@@ -35,20 +35,27 @@
 # Gettext upstream fixes:
 http://www.linuxfromscratch.org/~robert/new/patches/gettext-0.17-upstream_fixes-2.diff
 
+# Glibc branch update patches:
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.11.1-update-1.diff
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.11.1-update-2.diff
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.11.1-update-3.diff
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.11.1-update-4.diff
+
 # Glibc localedef trampoline patch:
 http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.5.1-localedef_trampoline-1.patch
 
 # Glibc random mk*temp() patch:
-http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.8-mktemp_urandom.diff
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.11.1-mktemp_urandom.diff
 
 # Glibc PT_PaX patch:
 http://www.linuxfromscratch.org/patches/downloads/glibc/glibc-2.5.1-pt_pax-1.patch
 
-# Glibc better res_randomid() patch:
-http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.9-res_randomid.diff
+# Glibc res_randomid() patch:
+http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.10.1-owl-alt-res_randomid.diff
 
 # Glibc sanitize environment patch:
-http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.8-sanitize_env.diff
+# Broken - FIXME
+# http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.8-sanitize_env.diff
 
 # Glibc strlcpy()/strlcat() patch:
 http://www.linuxfromscratch.org/~robert/new/patches/glibc-2.8-strlcpy_strlcat.diff
Modified: branches/Onward/temporary_system/glibc.txt
===================================================================
--- branches/Onward/temporary_system/glibc.txt 2010-02-19 17:28:43 UTC (rev 1544)
+++ branches/Onward/temporary_system/glibc.txt 2010-02-20 20:27:43 UTC (rev 1545)
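Review bot: The four `glibc-2.11.1-update-N.diff` entries added here are fetched over plain `http://` from a personal directory, and the list records no digest or signature for them, whereas the tarball entry in packages.txt at least names a `.sig`. These patches are then applied to the C library with `patch -p1` in the `@@ -18,6 +19,14 @@` hunk of temporary_system/glibc.txt, so whatever the download returns is what gets built. I would record a digest beside each URL, for example `# SHA256: <sha256-of-glibc-2.11.1-update-1.diff>`, and tell the reader to compare it before the patch step. The same applies to the new `glibc-2.11.1-mktemp_urandom.diff` and `glibc-2.10.1-owl-alt-res_randomid.diff` entries in this hunk.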
@@ -1,8 +1,9 @@ # Temporary tools - Glibc -# Configure Glibc to usr /tools/etc, /tools/var, and /tools/bin/sh. This +# Configure Glibc to use /tools/etc, /tools/var, and /tools/bin/sh. This # affects /etc/mtab and utmp/wtmp files in the rebooted system: +ln -vs /bin/sh /tools/bin/sh && cp -v sysdeps/unix/sysv/linux/paths.h{,.orig} && sed -e 's@/etc@/tools&@' -e 's@/var@/tools&@' -e 's@/bin/sh@/tools&@' \ sysdeps/unix/sysv/linux/paths.h.orig > \ @@ -18,6 +19,14 @@ cp -v elf/rtld.c{,.orig} && sed 's@/etc/ld.so.preload@/tools&@' elf/rtld.c.orig > elf/rtld.c && +# Apply upstream patches from the 2.11 Glibc branch +# (http://sourceware.org/git/?p=glibc.git;a=log;h=refs/heads/release/2.11/master): + +patch -p1 -i ../glibc-2.11.1-update-1.diff && +patch -p1 -i ../glibc-2.11.1-update-2.diff && +patch -p1 -i ../glibc-2.11.1-update-3.diff && +patch -p1 -i ../glibc-2.11.1-update-4.diff && + # The next patch modifies the localedef program so it does not use GCC # Trampoline code (http://gcc.gnu.org/onlinedocs/gccint/Trampolines.html), # which relies on an executable stack to run. Without this patch the localedef @@ -33,7 +42,8 @@ # This patch resticts the environment, particularly with setuid programs: -patch -p1 -i ../glibc-2.8-sanitize_env.diff && +# FIXME: This has to be picked out of Alt-Linux Glibc git. +#patch -p1 -i ../glibc-2.8-sanitize_env.diff && # This patch adds the strlcpy(3) and strlcat(3) functions and manual pages to # Glibc. A paper written about these functions is available here: 
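Review bot: Commenting out `glibc-2.8-sanitize_env.diff` in the `@@ -33,7 +42,8 @@` hunk removes the only step on this page that restricts the environment for setuid programs, while the sentence above it still reads as if the patch were applied. Until the replacement is ported, the text should say so plainly, e.g. `# NOT APPLIED in this revision: no extra environment sanitizing for setuid programs.` The matching entry in downloads/patches.txt is marked `# Broken - FIXME` without saying what is broken. A one-line reason there (does not apply to 2.11.1, or fails to build) would tell the next editor whether a rediff is enough.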
@@ -65,14 +75,14 @@
 # of functions, to use /dev/urandom instead of hp-timing, gettimeofday(3), or
 # getpid(3):
 
-patch -p1 -i ../glibc-2.8-mktemp_urandom.diff &&
+patch -p1 -i ../glibc-2.11.1-mktemp_urandom.diff &&
 
 # The res_randomid(3) function is a pseudo-random number generator, using
 # getpid(3) for entropy. More information about this vulnerability is here:
 # http://www.openbsd.org/advisories/res_random.txt
 # This patch uses /dev/urandom instead:
 
-patch -p1 -i ../glibc-2.9-res_randomid.diff &&
+patch -p1 -i ../glibc-2.10.1-owl-alt-res_randomid.diff &&
 
 # We don't install pt_chown(1) on the final system, so why install it to
 # /tools:
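Review bot: `glibc-2.10.1-owl-alt-res_randomid.diff` is named for 2.10.1 but is applied to the 2.11.1 tree with a bare `patch -p1`, which accepts offsets and fuzz without breaking the `&&` chain. For a patch whose whole purpose is to stop res_randomid() values being predictable, I would apply it as `patch -p1 -F0 -i ../glibc-2.10.1-owl-alt-res_randomid.diff &&` so that a hunk which no longer matches stops the build instead of landing approximately. The unchanged comment above it still says the patch 'uses /dev/urandom instead'; that sentence was written for the old `glibc-2.9-res_randomid.diff` and should be re-checked against what the owl-alt patch actually does.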
@@ -91,74 +101,94 @@ cp -v nscd/Makefile{,.orig} && sed 's/fstack-protector/&-all/' nscd/Makefile.orig > nscd/Makefile && -# We don't need to set -march=i486 in confparams because GCC was built with -# --with-arch=i486. +# Optimize the linking of libraries and programs: -# --sbindir=/tools/bin does not work... anyone want to fix this? We don't need -# Glibc's sbin programs, but still. +cp -v Makeconfig{,.orig} && +sed 's/-Wl,--hash-style=both/-Wl,--hash-style=gnu -Wl,-O1/' \ + Makeconfig.orig > Makeconfig && -# --enable-kernel=2.6.0 is important for test suites. For unknown reasons, -# setting this higher than 2.6.0 can cause test suites to fail. This option -# causes code to be removed from Glibc when kernel functions are expected to -# exist to replace Glibc code. This improves performance. Even when this -# option is set to 2.6.0, the kernel system call will always be attempted -# first, before using the Glibc library version. Using 2.6.0 is more robust -# and provides Glibc with a backup that is known to be 100% compatible. +# The above optimization will benefit everything that uses Glibc. -# --enable-stackguard-randomization could be added here, but this is primarily -# for attacks by local users, and we shouldn't have those in the rebooted -# system. Adding this will empty the /dev/random entropy pool (via -# /dev/urandom), unless the system is running a Random Number Gathering Daemon -# (rngd). This version of Glibc uses high precision timing with SSP, so the -# canary value changes at run-time. This is not as good as /dev/urandom, but -# it's better than nothing and has very good performance. FIXME - Use erandom. 
+# Configure Glibc: mkdir -v obj/ && cd obj/ && -../configure --prefix=/tools \ - --with-binutils=/tools/bin --with-headers=/tools/include \ - --enable-kernel=2.6.0 --enable-bind-now --enable-add-ons \ - --without-gd --disable-profile --without-selinux \ - --libexecdir=/tools/lib/glibc \ - --infodir=$(pwd)/DESTDIR --mandir=$(pwd)/DESTDIR && +../configure --prefix=/tools --with-binutils=/tools/bin \ + --with-headers=/tools/include --libexecdir=/tools/lib/glibc \ + --enable-add-ons --enable-bind-now --enable-kernel=2.6.18 \ + --enable-omitfp --enable-stackguard-randomization --disable-profile \ + --without-gd --without-selinux --infodir=$(pwd)/DESTDIR \ + --mandir=$(pwd)/DESTDIR && -# Our GCC is already passing -fPIC, and that's all we want for the libraries. -# LDFLAGS.so is appended to so we don't build shared libraries with -# DT_TEXTREL (and to tell us if something goes wrong). For now we only build -# the libraries, not the programs: +# --sbindir=/tools/bin does not work... anyone want to fix this? We don't need +# Glibc's sbin programs, but still. +# --enable-bind-now will add -Wl,-z,now, which in addition to -Wl,-z,relro will +# causes the Global Offset Table to be read-only. + +# --enable-kernel=2.6.18 is known to work and not cause test failures in this +# Glibc release. This allows Glibc to remove built-in library functions that are +# provided by the kernel. + +# --enable-omitfp adds optimizations for better performance. + +# --enable-stackguard-randomization randomizes the SSP guard value with +# /dev/urandom. FIXME - Use erandom. + +# --enable-kernel=2.6.18 is known to work and not cause test failures in this +# Glibc release. This allows Glibc to remove built-in library functions that are +# provided by the kernel. 
+ +# Preprare the 'configparms' file to build the Glibc libraries: + cat > configparms << "EOF" && build-programs=no +CC = gcc -fPIC +CXX = g++ -fPIC LDFLAGS.so += -Wl,--warn-shared-textrel,--fatal-warnings EOF -make && -# Then build the programs with hardening, so everything possible in /tools is -# hardened: +# -fPIC is being passed by default by GCC, but is added here for clarity. +# -Wl,--warn-shared-textrel -Wl,--fatal-warnings are added to indicate a problem +# with the build. + +# Build the libraries: + +env -u MAKEFLAGS make PARALLELMAKEFLAGS="$MAKEFLAGS" && + +# The MAKEFLAGS and PARALLELMAKEFLAGS variables are used to build Glibc in +# parallel. The above command is still safe to use if you're not building in +# parallel. + +# Next prepare to build the Glibc utilities: + cat > configparms << "EOF" && CC = gcc -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 CXX = g++ -fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2 CFLAGS-sln.c += -fno-PIC -fno-PIE -+link = $(CC) -nostdlib -nostartfiles -fPIE -pie -o $@ \ - $(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ - -Wl,-z,combreloc -Wl,-z,relro -Wl,-z,now $(hashstyle-LDFLAGS) \ - -Wl,--warn-shared-textrel,--fatal-warnings \ - $(addprefix $(csu-objpfx),S$(start-installed-name)) \ - $(+preinit) `$(CC) --print-file-name=crtbeginS.o` \ - $(filter-out $(addprefix $(csu-objpfx),start.o \ - $(start-installed-name))\ - $(+preinit) $(link-extra-libs) \ - $(common-objpfx)libc% $(+postinit),$^) \ - $(link-extra-libs) $(link-libc) `$(CC) --print-file-name=crtendS.o` $(+postinit) ++link = $(CC) -pie -Wl,-O1 -nostdlib -nostartfiles -o $@ \ + $(sysdep-LDFLAGS) $(config-LDFLAGS) $(LDFLAGS) $(LDFLAGS-$(@F)) \ + $(combreloc-LDFLAGS) $(relro-LDFLAGS) $(hashstyle-LDFLAGS) \ + -Wl,-z,now -Wl,--warn-shared-textrel,--fatal-warnings \ + $(addprefix $(csu-objpfx),S$(start-installed-name)) \ + $(+preinit) $(+prectorS) \ + $(filter-out $(addprefix $(csu-objpfx),start.o \ + S$(start-installed-name))\ + $(+preinit) 
$(link-extra-libs) \ + $(common-objpfx)libc% $(+postinit),$^) \ + $(link-extra-libs) $(link-libc) $(+postctorS) $(+postinit) EOF -make && -# And install: +# Build the Glibc utilities: +env -u MAKEFLAGS make PARALLELMAKEFLAGS="$MAKEFLAGS" && + +# Install Glibc: + install -v -d /tools/etc && touch /tools/etc/ld.so.conf && -make install && +env -u MAKEFLAGS make PARALLELMAKEFLAGS="$MAKEFLAGS" install && # This package has a lot of issues with read-only sources. @@ -174,4 +204,3 @@ touch /tools/var/run/utmp && touch /tools/var/log/wtmp - -- http://linuxfromscratch.org/mailman/listinfo/hlfs-book FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
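Review bot: In the rewritten `+link` rule of the `@@ -91,74 +101,94 @@` hunk, RELRO and combreloc are no longer passed as literal `-Wl,-z,relro` / `-Wl,-z,combreloc` but through `$(relro-LDFLAGS)` and `$(combreloc-LDFLAGS)`. If either variable expands to nothing in this build, the utilities link without that protection, and `--fatal-warnings` will not report it. The new `--enable-bind-now` comment relies on relro being present for a read-only GOT, so I would add a check after the utilities are built, e.g. `readelf -l <built-program> | grep GNU_RELRO`, or keep the literal flags. Separately, the `--enable-kernel=2.6.18` comment paragraph is added twice in this hunk and should appear once. It should also state that the resulting Glibc refuses to run on a host kernel older than 2.6.18.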
