[Buildroot] [PATCH 2/2] lxc: fix build without stack protector

Fabrice Fontaine fontaine.fabrice at gmail.com
Mon Dec 3 21:46:37 UTC 2018


Add an option to disable the stack protector flags added in version
3.0.3 by
https://github.com/lxc/lxc/commit/2268c27754152aa538db2c9e3753d72d19bcd17a

Fixes:
 - http://autobuild.buildroot.org/results/0b90e7dca2984652842832a41abad93ac49a9b86

Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
---
 ...ure.ac-add-an-option-to-disable-hardening.patch | 73 ++++++++++++++++++++++
 package/lxc/lxc.mk                                 |  4 +-
 2 files changed, 76 insertions(+), 1 deletion(-)
 create mode 100644 package/lxc/0002-configure.ac-add-an-option-to-disable-hardening.patch

diff --git a/package/lxc/0002-configure.ac-add-an-option-to-disable-hardening.patch b/package/lxc/0002-configure.ac-add-an-option-to-disable-hardening.patch
new file mode 100644
index 0000000000..24dd8f627a
--- /dev/null
+++ b/package/lxc/0002-configure.ac-add-an-option-to-disable-hardening.patch
@@ -0,0 +1,73 @@
+From 165d417003c66be6d2a61e3c6e706e33a6746788 Mon Sep 17 00:00:00 2001
+From: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+Date: Mon, 3 Dec 2018 22:29:52 +0100
+Subject: [PATCH] configure.ac: add an option to disable hardening
+
+Compiler based hardening is enabled since version 3.0.3 and
+https://github.com/lxc/lxc/commit/2268c27754152aa538db2c9e3753d72d19bcd17a
+
+Add an option to disable it as some compilers could missed the needed
+library (-lssp or -lssp_nonshared) at linking step
+
+Fixes:
+ - http://autobuild.buildroot.org/results/0b9/0b90e7dca2984652842832a41abad93ac49a9b86/build-end.log
+
+Signed-off-by: Fabrice Fontaine <fontaine.fabrice at gmail.com>
+---
+ configure.ac | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/configure.ac b/configure.ac
+index 9a9adac3..3ff35a61 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -189,6 +189,11 @@ AC_ARG_ENABLE([werror],
+ 	[do not treat warnings as errors])],
+ 	[], [enable_werror=yes])
+ 
++AC_ARG_ENABLE([hardening],
++	[AC_HELP_STRING([--disable-hardening],
++	[do not enable hardening compiler options])],
++	[], [enable_hardening=yes])
++
+ # Allow disabling rpath
+ AC_ARG_ENABLE([rpath],
+ 	[AC_HELP_STRING([--enable-rpath], [set rpath in executables [default=no]])],
+@@ -695,11 +700,6 @@ AX_CHECK_COMPILE_FLAG([-Wimplicit-fallthrough], [CFLAGS="$CFLAGS -Wimplicit-fall
+ AX_CHECK_COMPILE_FLAG([-Wcast-align], [CFLAGS="$CFLAGS -Wcast-align"],,[-Werror])
+ AX_CHECK_COMPILE_FLAG([-Wstrict-prototypes], [CFLAGS="$CFLAGS -Wstrict-prototypes"],,[-Werror])
+ AX_CHECK_COMPILE_FLAG([-fno-strict-aliasing], [CFLAGS="$CFLAGS -fno-strict-aliasing"],,[-Werror])
+-AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [CFLAGS="$CFLAGS -fstack-clash-protection"],,[-Werror])
+-AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protector-strong"],,[-Werror])
+-AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror])
+-AX_CHECK_COMPILE_FLAG([--mcet -fcf-protection], [CFLAGS="$CFLAGS --mcet -fcf-protection"],,[-Werror])
+-AX_CHECK_COMPILE_FLAG([-Werror=implicit-function-declaration], [CFLAGS="$CFLAGS -Werror=implicit-function-declaration"],,[-Werror])
+ 
+ AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])
+ AX_CHECK_LINK_FLAG([-z now], [LDLAGS="$LDLAGS -z now"],,[])
+@@ -709,6 +709,14 @@ if test "x$enable_werror" = "xyes"; then
+ 	CFLAGS="$CFLAGS -Werror"
+ fi
+ 
++if test "x$enable_hardening" = "xyes"; then
++	AX_CHECK_COMPILE_FLAG([-fstack-clash-protection], [CFLAGS="$CFLAGS -fstack-clash-protection"],,[-Werror])
++	AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protector-strong"],,[-Werror])
++	AX_CHECK_COMPILE_FLAG([-g], [CFLAGS="$CFLAGS -g"],,[-Werror])
++	AX_CHECK_COMPILE_FLAG([--mcet -fcf-protection], [CFLAGS="$CFLAGS --mcet -fcf-protection"],,[-Werror])
++	AX_CHECK_COMPILE_FLAG([-Werror=implicit-function-declaration], [CFLAGS="$CFLAGS -Werror=implicit-function-declaration"],,[-Werror])
++fi
++
+ AC_ARG_ENABLE([thread-safety],
+ 	[AC_HELP_STRING([--enable-thread-safety], [enforce thread-safety otherwise fail the build [default=yes]])],
+ 	[], [enable_thread_safety=yes])
+@@ -951,6 +959,7 @@ Environment:
+  - Bash integration: $enable_bash
+ 
+ Security features:
++ - Compiler hardening options: $enable_hardening
+  - Apparmor: $enable_apparmor
+  - Linux capabilities: $enable_capabilities
+  - seccomp: $enable_seccomp
+-- 
+2.14.1
+
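Review bot: The new `--disable-hardening` switch in configure.ac is all-or-nothing: the `if test "x$enable_hardening" = "xyes"` block gates `-fstack-clash-protection`, `-fcf-protection`, `-g` and `-Werror=implicit-function-declaration` together with `-fstack-protector-strong`, although the commit message names only the missing `-lssp`/`-lssp_nonshared` at link time as the problem. Because that failure happens at link time, probing the flag with a link test would probably let configure drop only the stack protector on toolchains that lack the library and keep the other mitigations, e.g. `AX_CHECK_LINK_FLAG([-fstack-protector-strong], [CFLAGS="$CFLAGS -fstack-protector-strong"],,[-Werror])`. Separately, the unchanged context lines `AX_CHECK_LINK_FLAG([-z relro], [LDLAGS="$LDLAGS -z relro"],,[])` and the matching `-z now` line assign to `LDLAGS`, which looks like a misspelling of `LDFLAGS`. If it is, RELRO and immediate binding are never actually requested, and that deserves its own fix.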
diff --git a/package/lxc/lxc.mk b/package/lxc/lxc.mk
index 48d5b20329..3af03ab256 100644
--- a/package/lxc/lxc.mk
+++ b/package/lxc/lxc.mk
@@ -10,9 +10,11 @@ LXC_LICENSE = LGPL-2.1+
 LXC_LICENSE_FILES = COPYING
 LXC_DEPENDENCIES = host-pkgconf
 LXC_INSTALL_STAGING = YES
+# We're patching configure.ac
+LXC_AUTORECONF = YES
 
 LXC_CONF_OPTS = --disable-apparmor --with-distro=buildroot \
-	--disable-werror \
+	--disable-hardening --disable-werror \
 	$(if $(BR2_PACKAGE_BASH),,--disable-bash)
 
 ifeq ($(BR2_PACKAGE_GNUTLS),y)
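Review bot: `--disable-hardening` is added to `LXC_CONF_OPTS` unconditionally, so every Buildroot build of lxc loses the stack protector, stack-clash protection and `-fcf-protection`, including builds whose toolchain does provide SSP. The autobuilder failure cited in the commit is described as a missing SSP library at link time, which affects only some toolchains. Making the option conditional keeps the mitigations where they work: `$(if $(BR2_TOOLCHAIN_HAS_SSP),,--disable-hardening) --disable-werror \`. If the intent is instead that Buildroot's own SSP settings supply these flags, a comment next to the option should say so, because a container runtime is a component where these mitigations are worth keeping.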
-- 
2.14.1


