authorKevin F. Quinn <kevquinn@gentoo.org>2007-01-11 11:46:33 +0000
committerKevin F. Quinn <kevquinn@gentoo.org>2007-01-11 11:46:33 +0000
commit1a102f088986c9a73942ebdf3aa0e0e0eaa4aaf5 (patch)
tree3a54a51de1bb93ab2af5ac40d746b3e4cb7aeee3
parentBranch from gcc-glibc-nopie - to have glibc all PIE, gcc lib*.a PIE (diff)
Preliminary work for working static/PIE
svn path=/; revision=145
-rw-r--r--hardened/toolchain/branches/pieworld-gccnopie/eclass/toolchain.eclass33
-rw-r--r--hardened/toolchain/branches/pieworld-gccnopie/gcc-glibc-nopie.README6
-rw-r--r--hardened/toolchain/branches/pieworld-gccnopie/pieworld-gccnopie.README13
-rw-r--r--hardened/toolchain/branches/pieworld-gccnopie/sys-devel/gcc/gcc-4.1.1-r3.ebuild2
4 files changed, 47 insertions, 7 deletions
diff --git a/hardened/toolchain/branches/pieworld-gccnopie/eclass/toolchain.eclass b/hardened/toolchain/branches/pieworld-gccnopie/eclass/toolchain.eclass
index 6b617a0..1723fc4 100644
--- a/hardened/toolchain/branches/pieworld-gccnopie/eclass/toolchain.eclass
+++ b/hardened/toolchain/branches/pieworld-gccnopie/eclass/toolchain.eclass
@@ -2124,6 +2124,39 @@ do_gcc_SSP_patches() {
# Don't build libgcc with ssp
sed -e 's|^LIBGCC2_CFLAGS = |LIBGCC2_CFLAGS = -fno-stack-protector |' \
-i gcc/Makefile.in || die "Failed to update libgcc2!"
+
+ if use_hardened && want_pie; then
+ # Force lib*.a to be built -fPIE - when built for the .so,
+ # -fPIC is appended which overrides -fPIE added here.
+ sed -e 's|CFLAGS = |CFLAGS = -fPIE |' -i \
+ libcpp/Makefile.in \
+ libffi/Makefile.in \
+ libgfortran/Makefile.in \
+ libiberty/Makefile.in \
+ libjava/Makefile.in \
+ libmudflap/Makefile.in \
+ libobjc/Makefile.in \
+ libssp/Makefile.in \
+ libstdc++-v3/Makefile.in
+# sed -e 's|ALL_CFLAGS = |ALL_CFLAGS = -fPIE |' \
+# -i libcpp/Makefile.in
+# sed -e 's|AM_CFLAGS = |AM_CFLAGS = -fPIE |' \
+# -i libffi/Makefile.in
+# sed -e 's|AM_CFLAGS = |AM_CFLAGS = -fPIE |' \
+# -i libgfortran/Makefile.in
+# sed -e 's|LIBFLAGS = |LIBFLAGS = -fPIE |' \
+# -i libiberty/Makefile.in
+# sed -e 's|AM_CFLAGS = |AM_CFLAGS = -fPIE |' \
+# -i libjava/Makefile.in
+# sed -e 's|AM_CFLAGS = |AM_CFLAGS = -fPIE |' \
+# -i libmudflap/Makefile.in
+# sed -e 's|AM_CFLAGS = |AM_CFLAGS = -fPIE |' \
+# -i libobjc/Makefile.in
+# sed -e 's|ALL_CFLAGS = |ALL_CFLAGS = -fPIE |' \
+# -i libssp/Makefile.in
+# sed -e 's|CFLAGS = |CFLAGS = -fPIE |' \
+# -i libstdc++-v3/Makefile.in
+ fi
}
# If glibc or uclibc has been patched to provide the necessary symbols itself,
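Review bot: The new sed over the nine lib*/Makefile.in files has no `|| die`, unlike the libgcc2 sed directly above it, so a missing or unreadable Makefile.in (for example a library directory absent from a given source tarball) would leave that archive built without -fPIE while the ebuild carries on with no signal. Append `|| die "Failed to force -fPIE for lib*.a"` after `libstdc++-v3/Makefile.in`. The pattern `CFLAGS = ` is also unanchored, so it rewrites any variable whose name ends in CFLAGS (`AM_CFLAGS`, `ALL_CFLAGS`, and so on) and does not match `CXXFLAGS`, which may leave the C++ objects in libstdc++-v3 without the flag. The commented-out per-library seds below it name the intended variables and should either replace the broad match or be removed. do_gcc_SSP_patches begins above this hunk, so the earlier part of the function is not reviewed here.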
diff --git a/hardened/toolchain/branches/pieworld-gccnopie/gcc-glibc-nopie.README b/hardened/toolchain/branches/pieworld-gccnopie/gcc-glibc-nopie.README
deleted file mode 100644
index 45a3ebb..0000000
--- a/hardened/toolchain/branches/pieworld-gccnopie/gcc-glibc-nopie.README
+++ /dev/null
@@ -1,6 +0,0 @@
-This is gcc-glibc-nopie
-=======================
-
-Hardened toolchain, where lib*a, crtbegin.o, crtend.o are normal (neither PIC nor PIE).
-
-Better for building static binaries, and being able to switch to a vanilla compiler.
diff --git a/hardened/toolchain/branches/pieworld-gccnopie/pieworld-gccnopie.README b/hardened/toolchain/branches/pieworld-gccnopie/pieworld-gccnopie.README
new file mode 100644
index 0000000..85de0dc
--- /dev/null
+++ b/hardened/toolchain/branches/pieworld-gccnopie/pieworld-gccnopie.README
@@ -0,0 +1,13 @@
+This is pieworld-gccnopie
+=========================
+
+Hardened toolchain, where lib*a are -fPIE, crtbegin.o, crtend.o are normal (neither PIC nor PIE).
+
+Specs different from pieworld in that "static PIE" executables use crt*S.o & Scrt1.o - so they work
+on all platforms.
+
+As far as GCC is concerned, it is possible to build anything. However in this environment lib*.a will
+be built -fPIE, so to build pure vanilla static binaries (or anything vanilla that links to lib*.a)
+requires those lib*.a built -fno-PIE.
+
+To build pure vanilla stuff, it's best to use a vanilla-toolchain chroot.
diff --git a/hardened/toolchain/branches/pieworld-gccnopie/sys-devel/gcc/gcc-4.1.1-r3.ebuild b/hardened/toolchain/branches/pieworld-gccnopie/sys-devel/gcc/gcc-4.1.1-r3.ebuild
index d7009da..034f376 100644
--- a/hardened/toolchain/branches/pieworld-gccnopie/sys-devel/gcc/gcc-4.1.1-r3.ebuild
+++ b/hardened/toolchain/branches/pieworld-gccnopie/sys-devel/gcc/gcc-4.1.1-r3.ebuild
@@ -4,7 +4,7 @@
PATCH_VER="1.9"
UCLIBC_VER="1.1"
-PIE_VER="9.0.6"
+PIE_VER="9.0.7"
PIE_GCC_VER="4.1.1"
ETYPE="gcc-compiler"