core/gcc: set hardened specs by default

3 files changed, 56 insertions, 32 deletions

diff --git a/core/gcc/03_all_gcc-4.3.2-hardened-default.patch b/core/gcc/03_all_gcc-4.3.2-hardened-default.patch
new file mode 100644
index 0000000000..04da4ea11b
--- /dev/null
+++ b/core/gcc/03_all_gcc-4.3.2-hardened-default.patch
@@ -0,0 +1,53 @@
+This patch defines the hardened specs hard in the gcc.c file.
+--- gcc-4.3.2/gcc/gcc.c.orig2	Sun Nov 23 11:35:41 2008
++++ gcc-4.3.2/gcc/gcc.c	Sun Nov 23 11:51:58 2008
+@@ -703,9 +703,9 @@
+ 
+ #ifndef LINK_PIE_SPEC
+ #ifdef HAVE_LD_PIE
+-#define LINK_PIE_SPEC "%{pie:-pie} "
+-#define CC1_PIE_SPEC "%{pie:-fPIE}"
+-#define ASM_PIE_SPEC "%{pie:-K PIC}"
++#define LINK_PIE_SPEC "%{pie:-pie} %{!pie: %{!A: %{!fno-pie:%{!fno-PIE: %{!shared:%{!static:%{!r: %{!nopie:-pie} }}} }} } }%{pie:-pie} %{!pie: %{!A: %{!fno-pie:%{!fno-PIE: %{!shared:%{!static:%{!r: %{!nopie:-pie} }}} }} } } "
++#define CC1_PIE_SPEC "%{pie:-fPIE} %{!pie: %{!fpic:%{!fPIC:%{!fpie:%{!fPIE: %{!fno-pic:%{!fno-PIC:%{!fno-pie:%{!fno-PIE: %{!shared: %{!nopie:-fPIE} } }}}} }}}} }"
++#define ASM_PIE_SPEC "%{pie:-K PIC} %{!pie: %{!fpic:%{!fPIC:%{!fpie:%{!fPIE: %{!fno-pic:%{!fno-PIC:%{!fno-pie:%{!fno-PIE: %{!shared: %{!nopie:-K PIC} } }}}} }}}} }"
+ #else
+ #define LINK_PIE_SPEC "%{pie:} "
+ #define CC1_PIE_SPEC ""
+@@ -717,28 +717,28 @@
+ #define CC1_HARDENED_SPEC " %{!D__KERNEL__: %(cc1_pie) %(cc1_ssp) %(cc1_fortify) %(cc1_strict) }"
+ #endif
+ #ifndef CC1_SSP_SPEC
+-#define CC1_SSP_SPEC ""
++#define CC1_SSP_SPEC "%{!nostdlib:%{!nodefaultlibs: %{!fno-stack-protector:%{!fstack-protector:%{!fstack-protector-all:-fstack-protector %(cc1_ssp_all) }}} }}"
+ #endif
+ #ifndef CC1_SSP_ALL_SPEC
+-#define CC1_SSP_ALL_SPEC ""
++#define CC1_SSP_ALL_SPEC ""
+ #endif
+ #ifndef CRTFILE_PIE_SPEC
+-#define CRTFILE_PIE_SPEC "%{static:crt1.o%s;pie:Scrt1.o%s;:crt1.o%s}"
++#define CRTFILE_PIE_SPEC "%{fno-pie|fno-PIE|nopie:crt1.o%s;:Scrt1.o%s}"
+ #endif
+ #ifndef STARTFILE_PIE_SPEC
+-#define STARTFILE_PIE_SPEC "%{static:crtbegin.o%s;pie:crtbeginS.o%s;:crtbegin.o%s}"
++#define STARTFILE_PIE_SPEC "%{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s}"
+ #endif
+ #ifndef STARTFILE_PIE_T_SPEC
+-#define STARTFILE_PIE_T_SPEC "%{static:crtbeginT.o%s;pie:crtbeginS.o%s;:crtbegin.o%s}"
++#define STARTFILE_PIE_T_SPEC "%{static: %{fno-pie|fno-PIE|nopie:crtbeginT.o%s;:crtbeginTS.o%s} } %{!static: %{fno-pie|fno-PIE|nopie:crtbegin.o%s;:crtbeginS.o%s} }"
+ #endif
+ #ifndef ENDFILE_PIE_SPEC
+-#define ENDFILE_PIE_SPEC "%{pie:crtendS.o%s;:crtend.o%s}"
++#define ENDFILE_PIE_SPEC "%{fno-pie|fno-PIE|nopie:crtend.o%s;:crtendS.o%s}"
+ #endif
+ #ifndef LINK_RELRO_SPEC
+-#define LINK_RELRO_SPEC "%{norelro:}"
++#define LINK_RELRO_SPEC "%{!norelro:-z relro}"
+ #endif
+ #ifndef LINK_NOW_SPEC
+-#define LINK_NOW_SPEC "%{nonow:}"
++#define LINK_NOW_SPEC "%{!nonow:-z now}"
+ #endif
+ 
+ /* -u* was put back because both BSD and SysV seem to support it.  */
diff --git a/core/gcc/APKBUILD b/core/gcc/APKBUILD
index 9f1690d598..85beadf8f8 100644
--- a/core/gcc/APKBUILD
+++ b/core/gcc/APKBUILD
@@ -1,6 +1,6 @@
 pkgname=gcc
 pkgver=4.3.2
-pkgrel=1
+pkgrel=2
 pkgdesc="The GNU Compiler Collection"
 url="http://gcc.gnu.org"
 license="GPL LGPL"
@@ -13,9 +13,9 @@ source="ftp://gcc.gnu.org/pub/gcc/releases/gcc-4.3.2/gcc-core-4.3.2.tar.bz2
 	01_all_gcc-4.0.2-v9.0.0-start_endfile-boundschecking-no.patch
 	01_all_gcc-4.3.1-crtbeginTS-stuff.patch
 	02_all_gcc-4.3.1-v10.0.1-start_endfile.patch
+	03_all_gcc-4.3.2-hardened-default.patch
 	gcc4-stack-protector-uclibc-no_tls.patch
 	gcc-4.2.0-cc1-no-stack-protector.patch
-	gcc-4.3.2-default-ssp-pie.patch
 	pt_gnu_eh_frame.patch
 	"
 
@@ -90,7 +90,7 @@ f0c6c419318537505ec2717a139a091b  00_all_gcc-4.0-cvs-incompat.patch
 3cb2148075e818f09c34718725f335d9  01_all_gcc-4.0.2-v9.0.0-start_endfile-boundschecking-no.patch
 1c6294b95f13a59ed7cbf7be2dde7804  01_all_gcc-4.3.1-crtbeginTS-stuff.patch
 019522a38f2e25b6a820766402ff2ee4  02_all_gcc-4.3.1-v10.0.1-start_endfile.patch
+ed3f5a947fed432fbef1dc0e71977ae7  03_all_gcc-4.3.2-hardened-default.patch
 15e77082db0e1a131af98debd3016290  gcc4-stack-protector-uclibc-no_tls.patch
 cff2e73a8455bfa844dcdd9c229b0875  gcc-4.2.0-cc1-no-stack-protector.patch
-a7d9c722d1ae2f216948a8718f11e24e  gcc-4.3.2-default-ssp-pie.patch
 2db1e3482c5dd59dab70f701afa2ca80  pt_gnu_eh_frame.patch"
diff --git a/core/gcc/gcc-4.3.2-default-ssp-pie.patch b/core/gcc/gcc-4.3.2-default-ssp-pie.patch
deleted file mode 100644
index b7a1267cf9..0000000000
--- a/core/gcc/gcc-4.3.2-default-ssp-pie.patch
+++ /dev/null
@@ -1,29 +0,0 @@
---- gcc-4.3.2.orig/gcc/common.opt	Tue Jan 22 14:11:44 2008
-+++ gcc-4.3.2/gcc/common.opt	Tue Nov 18 10:00:49 2008
-@@ -147,7 +147,7 @@
- Warn when one local variable shadows another
- 
- Wstack-protector
--Common Var(warn_stack_protect) Warning
-+Common Var(warn_stack_protect) Warning Init(1)
- Warn when not issuing stack smashing protection for some reason
- 
- Wstrict-aliasing
-@@ -766,7 +766,7 @@
- Generate position-independent code if possible (large mode)
- 
- fPIE
--Common Report Var(flag_pie,2)
-+Common Report Var(flag_pie,2) Init(2)
- Generate position-independent code for executables if possible (large mode)
- 
- fpic
-@@ -978,7 +978,7 @@
- Use propolice as a stack protection method
- 
- fstack-protector-all
--Common Report RejectNegative Var(flag_stack_protect, 2) VarExists
-+Common Report RejectNegative Var(flag_stack_protect, 2) init(2)
- Use a stack protection method for every function
- 
- fstrength-reduce