From 8a92100bbed2ba5cb16a1ede36214fa7d2f43e43 Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 15:21:57 -0400 Subject: Correctly implement -fPIC and -fPIE * For security reasons we want possition independent code for libraries and possition independent executable for executables * before we were just enabling -fPIC * now we correctly enable -fPIC and -PIE for libdbus and the bus respectively * propper LD_FLAGS are set for each also --- bus/Makefile.am | 4 ++-- configure.in | 17 ++++++++++++++++- dbus/Makefile.am | 4 ++-- 3 files changed, 20 insertions(+), 5 deletions(-) diff --git a/bus/Makefile.am b/bus/Makefile.am index d521fa7b..4648a31d 100644 --- a/bus/Makefile.am +++ b/bus/Makefile.am @@ -1,7 +1,7 @@ configdir=$(sysconfdir)/dbus-1 -INCLUDES=-I$(top_srcdir) $(DBUS_BUS_CFLAGS) \ +INCLUDES=-I$(top_srcdir) $(DBUS_BUS_CFLAGS) @PIE_CFLAGS@ \ -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \ -DDAEMON_NAME=\"dbus-daemon\" -DDBUS_COMPILATION @@ -77,7 +77,7 @@ dbus_daemon_LDADD= \ $(DBUS_BUS_LIBS) \ $(top_builddir)/dbus/libdbus-convenience.la -dbus_daemon_LDFLAGS=@R_DYNAMIC_LDFLAG@ @SECTION_LDFLAGS@ +dbus_daemon_LDFLAGS=@R_DYNAMIC_LDFLAG@ @SECTION_LDFLAGS@ @PIE_LDFLAGS@ LAUNCH_HELPER_SOURCES= \ $(XML_SOURCES) \ diff --git a/configure.in b/configure.in index 3dcd8bc6..ee0d40ba 100644 --- a/configure.in +++ b/configure.in @@ -211,7 +211,17 @@ if test "x$GCC" = "xyes"; then case " $CFLAGS " in *[\ \ ]-fPIC[\ \ ]*) ;; *) if cc_supports_flag -fPIC; then - CFLAGS="$CFLAGS -fPIC" + PIC_CFLAGS="-fPIC" + PIC_LDFLAGS="-Wl,-z,relro" + fi + ;; + esac + + case " $CFLAGS " in + *[\ \ ]-fPIE[\ \ ]*) ;; + *) if cc_supports_flag -fPIE; then + PIE_CFLAGS="-fPIE" + PIE_LDFLAGS="-pie -Wl,-z,relro" fi ;; esac @@ -257,6 +267,11 @@ else fi fi +AC_SUBST(PIC_CFLAGS) +AC_SUBST(PIC_LDFLAGS) +AC_SUBST(PIE_CFLAGS) +AC_SUBST(PIE_LDFLAGS) + # Check for -Wl,--gc-sections AC_MSG_CHECKING([for ld that supports "-Wl,--gc-sections"]) AC_TRY_LINK([ 
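Review bot: `@PIE_CFLAGS@` goes into the directory-wide `INCLUDES` in the first bus/Makefile.am hunk, but `@PIE_LDFLAGS@` is added only to `dbus_daemon_LDFLAGS` in the second, so any other program built in bus/ would be compiled with -fPIE yet linked without `-pie -Wl,-z,relro`. The `LAUNCH_HELPER_SOURCES` list that follows suggests a launch helper is built here as well; if it runs with elevated privileges it is the binary that most needs the hardening, so its `_LDFLAGS` (outside this hunk) should carry `@PIE_LDFLAGS@` too. A one-line comment above `INCLUDES` saying that every program in this directory must also link with `@PIE_LDFLAGS@` would keep the two in step.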
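Review bot: The linker options in `PIC_LDFLAGS` and `PIE_LDFLAGS` are set after a compiler-only probe (`cc_supports_flag -fPIC` / `-fPIE`) in the first configure.in hunk, so a GCC paired with a linker that does not understand `-z relro` or `-pie` would fail at link time rather than at configure time; a link test for each option before assigning it would avoid that. Both variables are also left empty when the user already has `-fPIC` or `-fPIE` in `CFLAGS`, because the first `case` arm is a bare `;;`, which silently drops RELRO in exactly the builds that asked for position-independent code. `-Wl,-z,relro` on its own gives partial RELRO only; if full protection of the GOT is intended, `PIE_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` is the usual form, at the cost of eager symbol binding at start-up. The enclosing `if test "x$GCC" = "xyes"` block starts and ends outside the hunk.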
diff --git a/dbus/Makefile.am b/dbus/Makefile.am index 81f90b9b..e966a438 100644 --- a/dbus/Makefile.am +++ b/dbus/Makefile.am @@ -1,7 +1,7 @@ configdir=$(sysconfdir)/dbus-1 -INCLUDES=-I$(top_builddir) -I$(top_srcdir) $(DBUS_CLIENT_CFLAGS) -DDBUS_COMPILATION \ +INCLUDES=-I$(top_builddir) -I$(top_srcdir) $(DBUS_CLIENT_CFLAGS) @PIC_CFLAGS@ -DDBUS_COMPILATION \ -DDBUS_MACHINE_UUID_FILE=\""$(localstatedir)/lib/dbus/machine-id"\" \ -DDBUS_SYSTEM_CONFIG_FILE=\""$(configdir)/system.conf"\" \ -DDBUS_SESSION_CONFIG_FILE=\""$(configdir)/session.conf"\" @@ -173,7 +173,7 @@ noinst_LTLIBRARIES=libdbus-convenience.la libdbus_1_la_LIBADD= $(DBUS_CLIENT_LIBS) ## don't export symbols that start with "_" (we use this ## convention for internal symbols) -libdbus_1_la_LDFLAGS= -export-symbols-regex "^[^_].*" -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) -no-undefined @R_DYNAMIC_LDFLAG@ +libdbus_1_la_LDFLAGS= -export-symbols-regex "^[^_].*" -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) -no-undefined @R_DYNAMIC_LDFLAG@ @PIC_LDFLAGS@ libdbus_convenience_la_LDFLAGS=@R_DYNAMIC_LDFLAG@ -- cgit From 7d9d3fc031244bee29b5ac25e07f3e8e5b5dd97b Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 16:43:22 -0400 Subject: fd.o bug #12547 remove superfluous if * also convert tabs to spaces --- tools/dbus-launch.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tools/dbus-launch.c b/tools/dbus-launch.c index 11b6e6a4..80d885f4 100644 --- a/tools/dbus-launch.c +++ b/tools/dbus-launch.c 
@@ -324,17 +324,16 @@ print_variables (const char *bus_address, pid_t bus_pid, long bus_wid, printf ("setenv DBUS_SESSION_BUS_ADDRESS '%s';\n", bus_address); printf ("set DBUS_SESSION_BUS_PID=%ld;\n", (long) bus_pid); if (bus_wid) - printf ("set DBUS_SESSION_BUS_WINDOWID=%ld;\n", (long) bus_wid); + printf ("set DBUS_SESSION_BUS_WINDOWID=%ld;\n", (long) bus_wid); fflush (stdout); } else if (bourne_shell_syntax) { printf ("DBUS_SESSION_BUS_ADDRESS='%s';\n", bus_address); - if (bourne_shell_syntax) - printf ("export DBUS_SESSION_BUS_ADDRESS;\n"); + printf ("export DBUS_SESSION_BUS_ADDRESS;\n"); printf ("DBUS_SESSION_BUS_PID=%ld;\n", (long) bus_pid); if (bus_wid) - printf ("DBUS_SESSION_BUS_WINDOWID=%ld;\n", (long) bus_wid); + printf ("DBUS_SESSION_BUS_WINDOWID=%ld;\n", (long) bus_wid); fflush (stdout); } else -- cgit From adb0270edf6ffae2f2d9d319aed7737f85fa6ec2 Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 17:02:23 -0400 Subject: fd.o bug #11872 fix clearenv for systems that do not have it * patch from Brian Cameron --- configure.in | 2 +- dbus/dbus-sysdeps.c | 14 +++++++++++++- 2 files changed, 14 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in index ee0d40ba..34e653f8 100644 --- a/configure.in +++ b/configure.in @@ -586,7 +586,7 @@ fi AC_CHECK_LIB(socket,socket) AC_CHECK_FUNC(gethostbyname,,[AC_CHECK_LIB(nsl,gethostbyname)]) -AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep poll setenv unsetenv socketpair getgrouplist fpathconf setrlimit) +AC_CHECK_FUNCS(vsnprintf vasprintf nanosleep usleep poll setenv clearenv unsetenv socketpair getgrouplist fpathconf setrlimit) AC_MSG_CHECKING(for dirfd) AC_TRY_LINK([ diff --git a/dbus/dbus-sysdeps.c b/dbus/dbus-sysdeps.c index c76603a8..1a736e42 100644 --- a/dbus/dbus-sysdeps.c +++ b/dbus/dbus-sysdeps.c 
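Review bot: Both branches of `print_variables` still print `bus_address` between single quotes with a plain `%s` (`DBUS_SESSION_BUS_ADDRESS='%s';`), and the output is shell syntax that the caller presumably evaluates, so an address containing a `'` would end the quoting early. Whether the address can ever contain one is not visible here; if it is not already validated before it reaches `print_variables`, rejecting or escaping `'` before printing would close the gap. While the indentation is being touched, a short comment above the function stating that the output is meant to be evaluated by a shell and must stay correctly quoted would help the next editor. The body of `print_variables` starts before and continues after the hunk.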
@@ -185,7 +185,19 @@ _dbus_getenv (const char *varname) dbus_bool_t _dbus_clearenv (void) { - return (clearenv () == 0); + dbus_bool_t rc = TRUE; + +#ifdef HAVE_CLEARENV + if (clearenv () != 0) + rc = FALSE; +#else + extern char **environ; + + if (environ != NULL) + environ[0] = NULL; +#endif + + return rc; } /* -- cgit From a295b2e66c9db7e7687e22414f93e171c29e495d Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 17:08:44 -0400 Subject: fd.o bug #11872 improve linker test for --gc-sections * patch by Tim Mooney --- configure.in | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/configure.in b/configure.in index 34e653f8..4ed2e1c0 100644 --- a/configure.in +++ b/configure.in @@ -283,8 +283,11 @@ if test "$ac_gcsections" = "yes"; then rm -f conftest.c touch conftest.c if $CC -c conftest.c; then - if $LD --gc-sections -o conftest conftest.o 2>&1 | \ - grep "Warning: gc-sections option ignored" > /dev/null; then + ld_out=`$LD --gc-sections -o conftest conftest.o 2>&1` + ld_ret=$? + if test $ld_ret -ne 0 ; then + ac_gcsections=no + elif echo "$ld_out" | egrep 'option ignored|^usage:|illegal option' >/dev/null ; then ac_gcsections=no fi fi -- cgit From 09aa69e0153e66326c6746ec7e4841567d44ccdb Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 17:29:45 -0400 Subject: fd.o bug #12429 Reverse check to setpcap and only init audit if we were root * patch by Dan Walsh * https://bugs.freedesktop.org/show_bug.cgi?id=12429 * Reverse we_were_root check to setpcap if we were root. Also only init audit if we were root. So error dbus message will not show up when policy reload happens. dbus -session will no longer try to send audit message, only system will. --- bus/selinux.c | 8 ++------ dbus/dbus-sysdeps-util-unix.c | 5 +++-- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/bus/selinux.c b/bus/selinux.c index 7fedba6f..8c7a6f83 100644 --- a/bus/selinux.c +++ b/bus/selinux.c 
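Review bot: The fallback branch of `_dbus_clearenv` clears the environment by writing `environ[0] = NULL`, which edits the pointer array in place; as far as I can tell POSIX leaves direct modification of those pointers undefined and only describes replacing `environ` itself as a supported way to swap the whole environment. If callers rely on `_dbus_clearenv` to scrub the environment before starting another program, a libc that keeps its own view of the array could leave entries reachable after this call. Pointing `environ` at an empty array is the safer form: `static char *empty_env[] = { NULL };` followed by `environ = empty_env;`. The `extern char **environ;` declaration would also read better at file scope under the same `#ifndef HAVE_CLEARENV`.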
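Review bot: The new `egrep 'option ignored|^usage:|illegal option'` test in the `--gc-sections` probe matches on linker message text, which depends on the locale configure runs in; a translated warning from a linker that still exits 0 would leave `ac_gcsections=yes`. Running the probe in the C locale, `ld_out=\`LC_ALL=C $LD --gc-sections -o conftest conftest.o 2>&1\``, makes the match stable. The probe also calls `$LD` directly, so it may not exercise the same linker path that `$CC` uses for the real link; that predates this change but deserves a comment next to the test.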
@@ -113,7 +113,7 @@ static const struct avc_lock_callback lock_cb = static int audit_fd = -1; #endif -static void +void audit_init(void) { #ifdef HAVE_LIBAUDIT @@ -350,12 +350,8 @@ bus_selinux_full_init (void) freecon (bus_context); - audit_init (); - - return TRUE; -#else - return TRUE; #endif /* HAVE_SELINUX */ + return TRUE; } /** diff --git a/dbus/dbus-sysdeps-util-unix.c b/dbus/dbus-sysdeps-util-unix.c index df967a38..e03e0b76 100644 --- a/dbus/dbus-sysdeps-util-unix.c +++ b/dbus/dbus-sysdeps-util-unix.c @@ -338,7 +338,7 @@ _dbus_change_to_daemon_user (const char *user, * run as ... doesn't really help. But keeps people happy. */ - if (!we_were_root) + if (we_were_root) { cap_value_t new_cap_list[] = { CAP_AUDIT_WRITE }; cap_value_t tmp_cap_list[] = { CAP_AUDIT_WRITE, CAP_SETUID, CAP_SETGID }; @@ -414,7 +414,7 @@ _dbus_change_to_daemon_user (const char *user, } #ifdef HAVE_LIBAUDIT - if (!we_were_root) + if (we_were_root) { if (cap_set_proc (new_caps)) { @@ -433,6 +433,7 @@ _dbus_change_to_daemon_user (const char *user, _dbus_strerror (errno)); return FALSE; } + audit_init(); } #endif -- cgit From 79aafc193176253454dd455a4cfc45a1a2e36c00 Mon Sep 17 00:00:00 2001 From: "John (J5) Palmieri" Date: Wed, 3 Oct 2007 17:54:09 -0400 Subject: fd.o bug #11678 Don't error out if compiler does not support vararg macros * _dbus_verbose is the only function that does this so make it a noop if vararg macros are not supported * https://bugs.freedesktop.org/show_bug.cgi?id=11678 --- dbus/dbus-internals.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dbus/dbus-internals.h b/dbus/dbus-internals.h index 43a46b83..3e5f989d 100644 --- a/dbus/dbus-internals.h +++ b/dbus/dbus-internals.h 
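Review bot: With `audit_init ()` removed from `bus_selinux_full_init`, the only call visible in this patch is the one inside the `if (we_were_root)` block of `_dbus_change_to_daemon_user`, so a bus that starts as root and is not configured to switch user would apparently never open the audit socket. In that case `audit_fd` stays at `-1` and AVC messages would not reach the audit log, with nothing logged to say so. If that configuration is supported, audit initialisation needs a second call site or a log line when it is skipped; otherwise a comment at the removed call should state that audit is initialised from the privilege-drop path. Both functions extend beyond their hunks.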
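Review bot: The added `audit_init();` call in `_dbus_change_to_daemon_user` has no prototype in any hunk of this patch, and the function it names was only made non-static in bus/selinux.c, so code under dbus/ now depends on a symbol that exists only in the daemon. The call is guarded by `HAVE_LIBAUDIT`, while the definition sits in the SELinux source file; if that file's contents are compiled only under `HAVE_SELINUX` (not visible here), a build with libaudit but without SELinux would fail to link. Declaring it in a shared header under a namespaced name, for example `void _dbus_audit_init (void);`, and keeping the guards identical on both sides would fix both. `audit_init` returns `void`, so a failure to open the audit socket after the capability drop is not reported to the caller.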
@@ -97,7 +97,7 @@ dbus_bool_t _dbus_is_verbose_real (void); # elif defined (HAVE_GNUC_VARARGS) # define _dbus_verbose(format...) # else -# error "This compiler does not support varargs macros and thus verbose mode can't be disabled meaningfully" +static void _dbus_verbose(const char * x,...) {;} # endif # define _dbus_verbose_reset() # define _dbus_is_verbose() FALSE -- cgit
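Review bot: The fallback `static void _dbus_verbose(const char * x,...) {;}` is a real function, so unlike the empty macro in the other two branches its arguments are still evaluated at every call site, and every file that includes this header gets its own copy and possibly an unused-function warning. That is acceptable as a portability fallback but should be documented; I would add `/* No varargs macros: use an empty function; note that arguments are still evaluated. */` above it. The empty statement in the body is unnecessary, `{ }` is enough. The surrounding `#if` chain starts and ends outside the hunk.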