From 88c4af670c3f8e43dc0f903254af688befba4969 Mon Sep 17 00:00:00 2001 From: rpe <> Date: Sun, 5 Nov 2017 10:29:24 +0000 Subject: [PATCH] Consolidate lib.so.*.a, ld.so.a and the kernel relink kit into one location under /usr/share/relink. Be more specific in src/etc/rc reorder_libs() what filesystems need r/w remount and ensure that their mount state is restored. Idea and positive feedback from deraadt@ OK aja@ tb@ --- src/etc/Makefile | 10 ++++---- src/etc/mtree/4.4BSD.dist | 14 +++++++---- src/etc/rc | 52 ++++++++++++++++++++++----------------- 3 files changed, 43 insertions(+), 33 deletions(-) diff --git a/src/etc/Makefile b/src/etc/Makefile index 26461a8c..aa0a7309 100644 --- a/src/etc/Makefile +++ b/src/etc/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.460 2017/06/22 16:02:42 deraadt Exp $ +# $OpenBSD: Makefile,v 1.461 2017/11/05 10:29:24 rpe Exp $ .include @@ -30,11 +30,11 @@ kernels: ${ALL_KERNELS} chmod a+r ${RELEASEDIR}/$K .endfor cd ${.CURDIR}/../sys/arch/${MACHINE}/compile/ && \ - tar -chzf ${DESTDIR}/usr/share/compile.tgz -s ',/obj/,/,' \ + tar -chzf ${DESTDIR}/usr/share/relink/kernel.tgz -s ',/obj/,/,' \ GENERIC*/obj/*.o GENERIC*/obj/Makefile \ GENERIC*/obj/ld.script GENERIC*/obj/makegap.sh - chown root:wheel ${DESTDIR}/usr/share/compile.tgz - chmod 644 ${DESTDIR}/usr/share/compile.tgz + chown root:wheel ${DESTDIR}/usr/share/relink/kernel.tgz + chmod 644 ${DESTDIR}/usr/share/relink/kernel.tgz # -rw-r--r-- BINOWN= root @@ -272,7 +272,7 @@ do-release: release-sets: su ${BUILDUSER} -c 'exec ${MAKE} distribution' su ${BUILDUSER} -c 'exec ${MAKE} kernels' - cp -p ${DESTDIR}/usr/share/compile.tgz /usr/share/compile.tgz + cp -p ${DESTDIR}/usr/share/relink/kernel.tgz /usr/share/relink/kernel.tgz ${MAKE} bootblocks cd ${RELEASEDIR} && rm -f SHA256 cd ../distrib/sets && exec su ${BUILDUSER} -c 'exec sh maketars ${OSrev}' diff --git a/src/etc/mtree/4.4BSD.dist b/src/etc/mtree/4.4BSD.dist index f9a099ad..33570e93 100644 --- a/src/etc/mtree/4.4BSD.dist 
+++ b/src/etc/mtree/4.4BSD.dist @@ -1,4 +1,4 @@ -# $OpenBSD: 4.4BSD.dist,v 1.300 2017/10/08 15:14:17 visa Exp $ +# $OpenBSD: 4.4BSD.dist,v 1.301 2017/11/05 10:29:24 rpe Exp $ /set type=dir uname=root gname=wheel mode=0755 @@ -414,10 +414,6 @@ usr calendar .. - # ./usr/share/compile - compile - .. - # ./usr/share/dict dict papers @@ -565,6 +561,14 @@ usr .. mk .. + + # ./usr/share/relink + relink + + # ./usr/share/relink/kernel + kernel + .. + .. snmp mibs .. diff --git a/src/etc/rc b/src/etc/rc index 3d4f219e..c11ffeb2 100644 --- a/src/etc/rc +++ b/src/etc/rc @@ -1,4 +1,4 @@ -# $OpenBSD: rc,v 1.520 2017/10/25 10:42:51 bluhm Exp $ +# $OpenBSD: rc,v 1.521 2017/11/05 10:29:24 rpe Exp $ # System startup script run by init on autoboot or after single-user. # Output and error are redirected to console by init, and the console is the 
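Review bot: The block added at `@@ -565,6 +561,14 @@` creates only `relink` and `relink/kernel`, while the same commit makes reorder_libs() in src/etc/rc read archives from `/usr/share/relink/usr/lib` and `/usr/share/relink/usr/libexec`. Unless those directories are listed somewhere outside this diff, this spec does not pin their owner and mode, and the archives in them are relinked and installed as root at every boot. Adding `usr`, `usr/lib` and `usr/libexec` entries under `relink`, inheriting the file's `/set type=dir uname=root gname=wheel mode=0755`, would cover them.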
@@ -162,40 +162,46 @@ make_keys() { # Re-link libraries, placing the objects in a random order. reorder_libs() { - local _dkdev _liba _libas _mp _tmpdir _remount=false _error=false + local _error=false _dkdev _liba _libas _mp _ro_list _tmpdir [[ $library_aslr == NO ]] && return - # Skip if /usr/lib is on a nfs mounted filesystem. - _dkdev=$(df /usr/lib | sed '1d;s/ .*//') - _mp=$(mount | grep "^$_dkdev") - [[ $_mp == *' type nfs '* ]] && return + # Skip if /usr/lib, /usr/libexec or /usr/share/relink are on nfs mounted + # filesystems, otherwise record which ones are mounted read-only. + for _d in /usr/{lib,libexec,share/relink}; do + _dkdev=$(df $_d | sed '1d;s/ .*//') + _mp=$(mount | grep "^$_dkdev") + [[ $_mp == *" type nfs "* ]] && return + if [[ $_mp == *" type ffs "*"read-only"* && + $_ro_list != *${_mp%% *}* ]]; then + _ro_list="$_ro_list ${_mp%% *}" + fi + done echo -n 'reordering libraries:' - - # Remount read-write, if /usr/lib is on a read-only ffs filesystem. - if [[ $_mp == *' type ffs '*'read-only'* ]]; then - if mount -u -w $_dkdev; then - _remount=true - else + + # Remount the (read-only) filessystems in _ro_list as read-write. + for _mp in $_ro_list; do + if ! mount -u -w $_mp; then echo ' failed.' return fi - fi + done # Only choose the latest version of the libraries. - for _liba in /usr/lib/lib{c,crypto}; do + for _liba in /usr/share/relink/usr/lib/lib{c,crypto}; do _libas="$_libas $(ls $_liba.so.+([0-9.]).a | sort -rV | head -1)" done - _libas=${_libas# } - for _liba in /usr/libdata/ld.so.a $_libas; do - _tmpdir=$(mktemp -dq /usr/lib/_rebuild.XXXXXXXXXXXX) && + for _liba in /usr/share/relink/usr/libexec/ld.so.a $_libas; do + _tmpdir=$(mktemp -dq /usr/share/relink/_rebuild.XXXXXXXXXXXX) && ( set -o errexit _install='install -F -S -o root -g bin -m 0444' _lib=${_liba##*/} _lib=${_lib%.a} + _lib_dir=${_liba#/usr/share/relink} + _lib_dir=${_lib_dir%/*} cd $_tmpdir ar x $_liba if [[ $_lib == ld.so ]]; then 
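Review bot: In the new remount loop, a failed `mount -u -w $_mp` returns at once, so any filesystem from `_ro_list` that an earlier iteration already switched to read-write stays writable for the rest of the boot. The restore loop sits after the relink step and is never reached on this path, which contradicts the commit's stated aim of restoring mount state. Recording each successful remount and remounting those read-only before the `return` closes the gap. The loop variable `_d` is also missing from the `local` list and leaks into the rest of rc; the sketch below declares it. reorder_libs() continues past the end of this hunk.

```shell
reorder_libs() {
	local _error=false _d _dkdev _liba _libas _mp _ro_list _rw_list _tmpdir

	# … unchanged: library_aslr check, nfs / read-only detection, echo …

	# Remount the read-only filesystems in _ro_list as read-write and
	# remember which ones were actually switched.
	for _mp in $_ro_list; do
		if ! mount -u -w $_mp; then
			# Undo the remounts done so far before giving up.
			for _dkdev in $_rw_list; do
				mount -u -r $_dkdev
			done
			echo ' failed.'
			return
		fi
		_rw_list="$_rw_list $_mp"
	done
```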
@@ -205,24 +211,24 @@ reorder_libs() { chmod u+x test-ld.so [[ $(./test-ld.so ok) == './test-ld.so: ok!' ]] $_install /usr/libexec/ld.so /usr/libexec/ld.so.save - $_install ld.so.test /usr/libexec/ld.so + $_install ld.so.test $_lib_dir/ld.so else cc -shared -o $_lib $(ls *.so | sort -R) $(cat .ldadd) [[ -s $_lib ]] && file $_lib | fgrep -q 'shared object' LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir awk 'BEGIN {exit 0}' LD_BIND_NOW=1 LD_LIBRARY_PATH=$_tmpdir openssl \ x509 -in /etc/ssl/cert.pem -out /dev/null - $_install $_lib ${_liba%/*}/$_lib + $_install $_lib $_lib_dir/$_lib fi ) || { _error=true; break; } done - rm -rf /usr/lib/_rebuild.* + rm -rf /usr/share/relink/_rebuild.* # Restore previous mount state if it was changed. - if $_remount; then - mount -u -r $_dkdev || _error=true - fi + for _mp in $_ro_list; do + mount -u -r $_mp || _error=true + done if $_error; then echo ' failed.'
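Review bot: The ld.so branch now installs to `$_lib_dir/ld.so`, but the backup on the line before it still hard-codes `/usr/libexec/ld.so /usr/libexec/ld.so.save`. Deriving both from the same variable, `$_install $_lib_dir/ld.so $_lib_dir/ld.so.save`, keeps the saved copy and the replaced file in step if the layout under /usr/share/relink changes. Because the install destination comes from the archive's path below /usr/share/relink and the result is installed root-owned at boot, a comment such as `# $_lib_dir mirrors the archive path under /usr/share/relink; that tree must be root-owned and not group/world-writable` would document the trust assumption. The enclosing subshell and function begin before this hunk.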