* [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers
@ 2016-06-16 10:59 Alexander Kanavin
  2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw)
  To: openembedded-core

These recipes no longer seem to need full exclusion from security hardening.

The rest (glibc, gcc-runtime, valgrind, grub, grub-efi, uclibc) still do.

[YOCTO #9489]

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index ea1d4e5..cd2b964 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -43,7 +43,7 @@ SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-gcc-runtime = ""
-SECURITY_CFLAGS_pn-gcc-sanitizers = ""
+SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
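Review bot: The gcc-sanitizers line moves from "" to ${SECURITY_NO_PIE_CFLAGS} on the strength of "no longer seem to need" in the commit message, which does not say which gcc versions or target architectures were actually built. Record the tested combinations in the commit message, since the neighbouring gcc-runtime entry still needs the empty value and a reader cannot tell how far the validation went.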
@@ -62,7 +62,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
-SECURITY_CFLAGS_pn-libgcc = ""
+SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
@@ -109,10 +109,8 @@ TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
 TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
 
 SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
-SECURITY_LDFLAGS_remove_pn-gcc-sanitizers = "-fstack-protector-strong"
 SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong"
 SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong"
-SECURITY_LDFLAGS_remove_pn-libgcc = "-fstack-protector-strong"
 SECURITY_LDFLAGS_remove_pn-uclibc = "-fstack-protector-strong"
 SECURITY_LDFLAGS_remove_pn-uclibc-initial = "-fstack-protector-strong"
 SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
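Review bot: Dropping the two SECURITY_LDFLAGS_remove lines for gcc-sanitizers and libgcc means -fstack-protector-strong now reaches their link step as well, while gcc-runtime, glibc and uclibc keep the removal with no explanation in the file. A short comment above this block stating why the remaining recipes cannot take the flag would let the next cleanup judge them without repeating the whole experiment.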
-- 
2.8.1




* [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list
  2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin
@ 2016-06-16 10:59 ` Alexander Kanavin
  2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw)
  To: openembedded-core

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index cd2b964..a7be185 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -65,6 +65,7 @@ SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-libnewt-python = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libpcap = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-libpcre = "${SECURITY_NO_PIE_CFLAGS}"
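Review bot: The commit has no message body, so nothing records why libnewt-python has to leave the default SECURITY_CFLAGS. Each entry in this list takes a recipe out of PIE hardening; state the failure that was seen (build error or QA warning) and on which architecture, so the exception can be retested and removed later.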
@@ -80,6 +81,7 @@ SECURITY_CFLAGS_pn-python-pycurl = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-python-smartpm = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-python-numpy = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-python3-numpy = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-python3-pycairo = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-python3 = "${SECURITY_NO_PIE_CFLAGS}"
 # Revert RPM to using internally supported values
 SECURITY_CFLAGS_pn-rpm = "${lcl_maybe_fortify} -fstack-protector"
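Review bot: The new python3-pycairo line sits next to paired python-numpy and python3-numpy entries, but no python-pycairo entry is added. If the Python 2 recipe fails the same way it needs the exception too, and if it does not, that difference is worth a line in the commit message.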
-- 
2.8.1




* [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS
  2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin
  2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin
@ 2016-06-16 10:59 ` Alexander Kanavin
  2016-06-17  2:38   ` Andre McCurdy
  2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw)
  To: openembedded-core

The packages that break due to -fpie can be still built with -fPIC.

[YOCTO #9486]

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index a7be185..26804bd 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -13,7 +13,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
 SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
 
 SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
-SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
+SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
 
 SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
 SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
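Review bot: -fPIC is added to SECURITY_NO_PIE_CFLAGS only, and neither that variable nor SECURITY_LDFLAGS two lines below carries -pie, so executables from these recipes are still linked as fixed-address binaries. The flag then costs position-independent code generation in every recipe on the exception list without making any executable position independent; either drop it or say in the commit message what it is expected to achieve.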
-- 
2.8.1




* [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS
  2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin
  2016-06-16 10:59 ` [PATCH 2/5] security_flags.inc: add python3-pycairo and libnewt-python to no-pie exception list Alexander Kanavin
  2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin
@ 2016-06-16 10:59 ` Alexander Kanavin
  2016-06-17  2:39   ` Andre McCurdy
  2016-06-16 10:59 ` [PATCH 5/5] libmad: replace with mpg123 Alexander Kanavin
  2016-06-17  2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw)
  To: openembedded-core

Otherwise there is a QA warning about relocations in .text

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 meta/conf/distro/include/security_flags.inc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
index 26804bd..ea00bdd 100644
--- a/meta/conf/distro/include/security_flags.inc
+++ b/meta/conf/distro/include/security_flags.inc
@@ -38,6 +38,7 @@ SECURITY_CFLAGS_pn-glibc = ""
 SECURITY_CFLAGS_pn-glibc-initial = ""
 SECURITY_CFLAGS_pn-elfutils = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}"
+SECURITY_CFLAGS_pn-epiphany = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
 SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
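Review bot: The commit message gives a QA warning about relocations in .text as the reason for the epiphany line, but this entry takes the recipe off the -pie -fpie defaults rather than dealing with the object that carries the relocations. Identify which object or library triggers the warning and fix or document it in the epiphany recipe; as written, the effect on the warning appears to depend on the -fPIC that 3/5 adds to SECURITY_NO_PIE_CFLAGS.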
-- 
2.8.1




* [PATCH 5/5] libmad: replace with mpg123
  2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin
                   ` (2 preceding siblings ...)
  2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin
@ 2016-06-16 10:59 ` Alexander Kanavin
  2016-06-17  2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy
  4 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-16 10:59 UTC (permalink / raw)
  To: openembedded-core

mpg123 recipe is taken from meta-oe and updated to latest release.
Also audiofile dependency is dropped as it's not actually used anywhere.

[YOCTO #6020]

Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
---
 .../gstreamer/gstreamer1.0-plugins-ugly.inc        |  2 +-
 .../libmad/libmad/add-pkgconfig.patch              | 70 ----------------------
 .../libmad/libmad/automake-foreign.patch           | 12 ----
 .../libmad/fix_for_mips_with_gcc-4.5.0.patch       | 33 ----------
 .../libmad/libmad/no-force-mem.patch               | 18 ------
 .../libmad/libmad/obsolete_automake_macros.patch   | 14 -----
 meta/recipes-multimedia/libmad/libmad_0.15.1b.bb   | 36 -----------
 meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb    | 63 +++++++++++++++++++
 8 files changed, 64 insertions(+), 184 deletions(-)
 delete mode 100644 meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch
 delete mode 100644 meta/recipes-multimedia/libmad/libmad/automake-foreign.patch
 delete mode 100644 meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch
 delete mode 100644 meta/recipes-multimedia/libmad/libmad/no-force-mem.patch
 delete mode 100644 meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch
 delete mode 100644 meta/recipes-multimedia/libmad/libmad_0.15.1b.bb
 create mode 100644 meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb

diff --git a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc
index 4582e5b..708ad7a 100644
--- a/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc
+++ b/meta/recipes-multimedia/gstreamer/gstreamer1.0-plugins-ugly.inc
@@ -9,7 +9,7 @@ inherit gettext
 
 PACKAGECONFIG ??= " \
     ${GSTREAMER_ORC} \
-    a52dec lame mad mpeg2dec \
+    a52dec lame mpg123 mpeg2dec \
 "
 
 PACKAGECONFIG[a52dec]   = "--enable-a52dec,--disable-a52dec,liba52"
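Review bot: The default PACKAGECONFIG switches from mad to mpg123, but the only PACKAGECONFIG[...] definition visible in this hunk is a52dec and the diffstat shows a single changed line in this file. Confirm the include file already defines PACKAGECONFIG[mpg123], and remove any PACKAGECONFIG[mad] entry now that the libmad recipe is deleted.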
diff --git a/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch b/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch
deleted file mode 100644
index b49dc8c..0000000
--- a/meta/recipes-multimedia/libmad/libmad/add-pkgconfig.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-Here is a patch for adding pkg-config support to libmad.
-It would make life a bit easier for distro maintainers if this was applied.
-In case you didn't know, pkg-config is a tool for providing LDFLAGS and
-CFLAGS for packages using shared libraries. It's on freedesktop.org.
-Debian has already been distributing the pkg-config file mad.pc with
-libmad for some time, and people developing on debian (notably xmms2 
-developers) have started relying on this support being present, causing
-some confusion for people installing from source and on some BSDs which
-do not provide mad.pc (google: pkgconfig libmad).
-
-EMH
-
-Upstream-Status: Inappropriate [configuration]
-
---h31gzZEtNLTqOjlF
-Content-Type: text/plain; charset=us-ascii
-Content-Disposition: attachment; filename=&quot;libmad-0.15.1b-pkgconfig.patch&quot;
-
-diff -Naur libmad-0.15.1b.old/configure.ac libmad-0.15.1b/configure.ac
---- libmad-0.15.1b.old/configure.ac	2004-01-23 10:41:32.000000000 +0100
-+++ libmad-0.15.1b/configure.ac	2004-08-07 02:25:24.633462168 +0200
-@@ -429,5 +429,5 @@
- dnl AC_SUBST(LTLIBOBJS)
- 
- AC_CONFIG_FILES([Makefile msvc++/Makefile  \
--	libmad.list])
-+	libmad.list mad.pc])
- AC_OUTPUT
-diff -Naur libmad-0.15.1b.old/mad.pc.in libmad-0.15.1b/mad.pc.in
---- libmad-0.15.1b.old/mad.pc.in	1970-01-01 01:00:00.000000000 +0100
-+++ libmad-0.15.1b/mad.pc.in	2004-08-07 02:04:59.617692872 +0200
-@@ -0,0 +1,14 @@
-+# libmad pkg-config source file
-+
-+prefix=@prefix@
-+exec_prefix=@exec_prefix@
-+libdir=@libdir@
-+includedir=@includedir@
-+
-+Name: mad
-+Description: MPEG Audio Decoder
-+Version: @VERSION@
-+Requires:
-+Conflicts:
-+Libs: -L${libdir} -lmad -lm
-+Cflags: -I${includedir}
-diff -Naur libmad-0.15.1b.old/Makefile.am libmad-0.15.1b/Makefile.am
---- libmad-0.15.1b.old/Makefile.am	2004-02-17 03:02:03.000000000 +0100
-+++ libmad-0.15.1b/Makefile.am	2004-08-07 02:03:19.859858368 +0200
-@@ -24,6 +24,9 @@
- SUBDIRS =		
- DIST_SUBDIRS =		msvc++
- 
-+pkgconfigdir =		$(libdir)/pkgconfig
-+pkgconfig_DATA =	mad.pc
-+
- lib_LTLIBRARIES =	libmad.la
- include_HEADERS =	mad.h
- 
-@@ -34,7 +37,8 @@
- minimad_LDADD =		libmad.la
- 
- EXTRA_DIST =		mad.h.sed  \
--			CHANGES COPYRIGHT CREDITS README TODO VERSION
-+			CHANGES COPYRIGHT CREDITS README TODO VERSION \
-+			mad.pc.in
- 
- exported_headers =	version.h fixed.h bit.h timer.h stream.h frame.h  \
- 			synth.h decoder.h
-
diff --git a/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch b/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch
deleted file mode 100644
index 3e54424..0000000
--- a/meta/recipes-multimedia/libmad/libmad/automake-foreign.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-Pass foreign to AM_INIT_AUTOMAKE so it doesn't enforce GNU strictness.
-
-Upstream-Status: Pending
-Signed-off-by: Ross Burton <ross.burton@intel.com>
-
-diff --git a/configure.ac b/configure.ac
-index e602fd3..e075b86 100644
---- a/configure.ac
-+++ b/configure.ac
-@@ -29 +29 @@ AC_CONFIG_SRCDIR([decoder.h])
--AM_INIT_AUTOMAKE
-+AM_INIT_AUTOMAKE([foreign])
diff --git a/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch b/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch
deleted file mode 100644
index 01c7aa3..0000000
--- a/meta/recipes-multimedia/libmad/libmad/fix_for_mips_with_gcc-4.5.0.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-gcc 4.4 did this: The MIPS port no longer recognizes the h  asm constraint. It was necessary to remove this constraint in order to avoid generating unpredictable code sequences. 
-
-so the libmad build with gcc-4.5.0 was failing.
-
-Found a solution here:
-
-http://us.generation-nt.com/answer/bug-568418-libmad0-dev-mpg321-compilation-errors-mips-mipsel-architectures-help-169033451.html
-
-Upstream-Status: Pending
-
-2010/07/29
-Nitin A Kamble <nitin.a.kamble@intel.com>
-
-Index: libmad-0.15.1b/fixed.h
-===================================================================
---- libmad-0.15.1b.orig/fixed.h
-+++ libmad-0.15.1b/fixed.h
-@@ -297,6 +297,15 @@ mad_fixed_t mad_f_mul_inline(mad_fixed_t
- 
- /* --- MIPS ---------------------------------------------------------------- */
- 
-+# elif defined(FPM_MIPS) && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4))
-+    typedef unsigned int u64_di_t __attribute__ ((mode (DI)));
-+#   define MAD_F_MLX(hi, lo, x, y) \
-+    do { \
-+        u64_di_t __ll = (u64_di_t) (x) * (y); \
-+        hi = __ll >> 32; \
-+        lo = __ll; \
-+     } while (0)
-+
- # elif defined(FPM_MIPS)
- 
- /*
diff --git a/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch b/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch
deleted file mode 100644
index d5e6d20..0000000
--- a/meta/recipes-multimedia/libmad/libmad/no-force-mem.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-This option no longer exists in gcc 3.4.1
-
-RP - 18/07/2008
-
-Upstream-Status: Inappropriate [configuration]
-
-Index: libmad-0.15.1b/configure.ac
-===================================================================
---- libmad-0.15.1b.orig/configure.ac	2008-07-18 15:45:30.000000000 +0100
-+++ libmad-0.15.1b/configure.ac	2008-07-18 15:45:37.000000000 +0100
-@@ -140,7 +140,6 @@
-     case "$optimize" in
- 	-O|"-O "*)
- 	    optimize="-O"
--	    optimize="$optimize -fforce-mem"
- 	    optimize="$optimize -fforce-addr"
- 	    : #x optimize="$optimize -finline-functions"
- 	    : #- optimize="$optimize -fstrength-reduce"
diff --git a/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch b/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch
deleted file mode 100644
index cc87d29..0000000
--- a/meta/recipes-multimedia/libmad/libmad/obsolete_automake_macros.patch
+++ /dev/null
@@ -1,14 +0,0 @@
-Upstream-Status: Submitted [https://sourceforge.net/tracker/?group_id=12349&atid=112349]
-
-Signed-off-by: Marko Lindqvist <cazfi74@gmail.com>
-diff -Nurd libmad-0.15.1b/configure.ac libmad-0.15.1b/configure.ac
---- libmad-0.15.1b/configure.ac	2004-01-23 11:41:32.000000000 +0200
-+++ libmad-0.15.1b/configure.ac	2013-01-03 08:28:23.718693697 +0200
-@@ -28,7 +28,7 @@
-
- AM_INIT_AUTOMAKE
-
--AM_CONFIG_HEADER([config.h])
-+AC_CONFIG_HEADERS([config.h])
-
- dnl System type.
diff --git a/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb b/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb
deleted file mode 100644
index d431abd..0000000
--- a/meta/recipes-multimedia/libmad/libmad_0.15.1b.bb
+++ /dev/null
@@ -1,36 +0,0 @@
-SUMMARY = "MPEG Audio Decoder library"
-HOMEPAGE = "http://sourceforge.net/projects/mad/"
-BUGTRACKER = "http://sourceforge.net/tracker/?group_id=12349&atid=112349"
-LICENSE = "GPLv2+"
-LICENSE_FLAGS = "commercial"
-LIC_FILES_CHKSUM = "file://COPYING;md5=94d55d512a9ba36caa9b7df079bae19f \
-			file://COPYRIGHT;md5=8e55eb14894e782b84488d5a239bc23d \
-			file://version.h;beginline=1;endline=8;md5=aa07311dd39288d4349f28e1de516454"
-SECTION = "libs"
-DEPENDS = "libid3tag"
-PR = "r3"
-
-SRC_URI = "ftp://ftp.mars.org/pub/mpeg/libmad-${PV}.tar.gz \
-           file://no-force-mem.patch \
-           file://add-pkgconfig.patch \
-           file://fix_for_mips_with_gcc-4.5.0.patch \
-           file://obsolete_automake_macros.patch \
-           file://automake-foreign.patch \
-"
-
-SRC_URI[md5sum] = "1be543bc30c56fb6bea1d7bf6a64e66c"
-SRC_URI[sha256sum] = "bbfac3ed6bfbc2823d3775ebb931087371e142bb0e9bb1bee51a76a6e0078690" 
-
-S = "${WORKDIR}/libmad-${PV}"
-
-inherit autotools pkgconfig
-
-EXTRA_OECONF = "-enable-speed --enable-shared"
-EXTRA_OECONF_append_arm = " --enable-fpm=arm"
-
-do_configure_prepend () {
-#	damn picky automake...
-	touch NEWS AUTHORS ChangeLog
-}
-
-ARM_INSTRUCTION_SET = "arm"
diff --git a/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb b/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb
new file mode 100644
index 0000000..3101023
--- /dev/null
+++ b/meta/recipes-multimedia/mpg123/mpg123_1.23.4.bb
@@ -0,0 +1,63 @@
+SUMMARY = "Audio decoder for MPEG-1 Layer 1/2/3"
+DESCRIPTION = "The core of mpg123 is an MPEG-1 Layer 1/2/3 decoding library, which can be used by other programs. \
+mpg123 also comes with a command-line tool which can playback using ALSA, PulseAudio, OSS, and several other APIs, \
+and also can write the decoded audio to WAV."
+HOMEPAGE = "http://mpg123.de/"
+BUGTRACKER = "http://sourceforge.net/p/mpg123/bugs/"
+SECTION = "multimedia"
+
+LICENSE = "LGPLv2.1"
+LICENSE_FLAGS = "commercial"
+LIC_FILES_CHKSUM = "file://COPYING;md5=1e86753638d3cf2512528b99079bc4f3"
+
+SRC_URI = "https://www.mpg123.de/download/${BP}.tar.bz2"
+
+SRC_URI[md5sum] = "dea9e3a815d127d04ebe9f6b80f229ce"
+SRC_URI[sha256sum] = "3495e678dec9a60f29cbcd4fc698abc4c811ec60d1276e744f7a10ac35023b48"
+
+inherit autotools pkgconfig
+
+# The options should be mutually exclusive for configuration script.
+# If both alsa and pulseaudio are specified (as in the default distro features)
+# pulseaudio takes precedence.
+PACKAGECONFIG_ALSA = "${@bb.utils.contains('DISTRO_FEATURES', 'alsa', 'alsa', '', d)}"
+PACKAGECONFIG ??= "${@bb.utils.contains('DISTRO_FEATURES', 'pulseaudio', 'pulseaudio', '${PACKAGECONFIG_ALSA}', d)}"
+
+PACKAGECONFIG[alsa] = "--with-default-audio=alsa,,alsa-lib"
+PACKAGECONFIG[esd] = ",,esound"
+PACKAGECONFIG[jack] = ",,jack"
+PACKAGECONFIG[openal] = ",,openal-soft"
+PACKAGECONFIG[portaudio] = ",,portaudio-v19"
+PACKAGECONFIG[pulseaudio] = "--with-default-audio=pulse,,pulseaudio"
+PACKAGECONFIG[sdl] = ",,libsdl"
+
+# Following are possible sound output modules:
+# alsa arts coreaudio dummy esd jack nas openal os2 oss portaudio pulse sdl sndio sun tinyalsa win32 win32_wasapi
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'alsa', 'alsa', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'esd', 'esd', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'jack', 'jack', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'openal', 'openal', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'portaudio', 'portaudio', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'pulseaudio', 'pulse', '', d)}"
+AUDIOMODS += "${@bb.utils.contains('PACKAGECONFIG', 'sdl', 'sdl', '', d)}"
+
+EXTRA_OECONF = " \
+    --enable-shared \
+    --with-audio='${AUDIOMODS}' \
+    --with-module-suffix=.so \
+    ${@bb.utils.contains('TUNE_FEATURES', 'neon', '--with-cpu=neon', '', d)} \
+    ${@bb.utils.contains('TUNE_FEATURES', 'altivec', '--with-cpu=altivec', '', d)} \
+"
+
+# The x86 assembler optimisations contains text relocations and there are no
+# upstream plans to fix them: http://sourceforge.net/p/mpg123/bugs/168/
+INSANE_SKIP_${PN}_append_x86 = " textrel"
+
+# Fails to build with thumb-1 (qemuarm)
+#| {standard input}: Assembler messages:
+#| {standard input}:47: Error: selected processor does not support Thumb mode `smull r5,r6,r7,r4'
+#| {standard input}:48: Error: shifts in CMP/MOV instructions are only supported in unified syntax -- `mov r5,r5,lsr#24'
+#...
+#| make[3]: *** [equalizer.lo] Error 1
+ARM_INSTRUCTION_SET_armv4 = "arm"
+ARM_INSTRUCTION_SET_armv5 = "arm"
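Review bot: INSANE_SKIP_${PN}_append_x86 = " textrel" silences the text-relocation QA check for the package on x86 instead of removing the relocations, and the comment above it only cites the upstream bug. State whether the x86 override is meant to cover 64-bit builds as well, and check whether the assembler optimisations can be avoided through the --with-cpu option this recipe already sets for neon and altivec, so that the check can stay enabled.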
-- 
2.8.1




* Re: [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS
  2016-06-16 10:59 ` [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS Alexander Kanavin
@ 2016-06-17  2:38   ` Andre McCurdy
  2016-06-17 18:12     ` Alexander Kanavin
  0 siblings, 1 reply; 11+ messages in thread
From: Andre McCurdy @ 2016-06-17  2:38 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> The packages that break due to -fpie can be still built with -fPIC.
>
> [YOCTO #9486]
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index a7be185..26804bd 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -13,7 +13,7 @@ lcl_maybe_fortify = "${@base_conditional('DEBUG_BUILD','1','','-D_FORTIFY_SOURCE
>  SECURITY_STRINGFORMAT ?= "-Wformat -Wformat-security -Werror=format-security"
>
>  SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
> -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
> +SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"

I don't think this does anything useful. An executable won't be
position independent unless -pie is passed to the linker, so if
linking with -pie doesn't work, forcing all object code to be position
independent is just adding overhead with no benefit.

>  SECURITY_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro,-z,now"
>  SECURITY_X_LDFLAGS ?= "-fstack-protector-strong -Wl,-z,relro"
> --
> 2.8.1
>
> --
> _______________________________________________
> Openembedded-core mailing list
> Openembedded-core@lists.openembedded.org
> http://lists.openembedded.org/mailman/listinfo/openembedded-core



* Re: [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS
  2016-06-16 10:59 ` [PATCH 4/5] security_flags.inc: add epiphany " Alexander Kanavin
@ 2016-06-17  2:39   ` Andre McCurdy
  2016-06-17 18:16     ` Alexander Kanavin
  0 siblings, 1 reply; 11+ messages in thread
From: Andre McCurdy @ 2016-06-17  2:39 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> Otherwise there is a QA warning about relocations in .text

Typically these warnings come from assembler and can't be fixed via
CFLAGS. If this one _can_ be fixed via CFLAGS then it suggests a bug
in the Epiphany build somewhere (e.g. reusing an object file intended
for a static lib in an .so). Maybe it's better to track that down and
fix properly instead of working around it by globally adding -fPIC to
CFLAGS?

> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index 26804bd..ea00bdd 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -38,6 +38,7 @@ SECURITY_CFLAGS_pn-glibc = ""
>  SECURITY_CFLAGS_pn-glibc-initial = ""
>  SECURITY_CFLAGS_pn-elfutils = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-enchant = "${SECURITY_NO_PIE_CFLAGS}"
> +SECURITY_CFLAGS_pn-epiphany = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-expect = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
> --
> 2.8.1


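The two review points above (an executable is position independent only when it is linked with -pie, and text relocations show up as a QA warning) can both be checked on the built ELF file. The following is an added example, not code from this thread or from OE-core's QA checks: a minimal ELF64 little-endian inspector in which the function names, the result labels and the constructed sample images are assumptions made for illustration.

```python
import struct

# Constants from the ELF specification / <elf.h>.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
DT_NULL, DT_TEXTREL, DT_FLAGS, DT_FLAGS_1 = 0, 22, 30, 0x6FFFFFFB
DF_TEXTREL, DF_1_PIE = 0x4, 0x08000000


def inspect_elf(data):
    """Report link-time hardening facts for an ELF64 little-endian image.

    'kind' reflects how the file was linked, which compile-only flags such
    as -fPIC cannot change; 'textrel' is what a text-relocation QA check
    looks for in the dynamic section.
    """
    if len(data) < 64 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles ELF64 little-endian")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    has_interp = pie_flag = textrel = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_INTERP:
            has_interp = True
        elif p_type == PT_DYNAMIC:
            # Walk the 16-byte (d_tag, d_val) entries until DT_NULL.
            for pos in range(p_offset, p_offset + p_filesz - 15, 16):
                tag, val = struct.unpack_from("<qQ", data, pos)
                if tag == DT_NULL:
                    break
                if tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL):
                    textrel = True
                if tag == DT_FLAGS_1 and val & DF_1_PIE:
                    pie_flag = True

    if e_type == ET_EXEC:
        kind = "non-PIE executable"   # fixed load address
    elif e_type == ET_DYN and (pie_flag or has_interp):
        # Heuristic: older linkers do not set DF_1_PIE, so an ET_DYN file
        # with a program interpreter is treated as a PIE executable.
        kind = "PIE executable"
    elif e_type == ET_DYN:
        kind = "shared object"
    else:
        kind = "other"
    return {"kind": kind, "textrel": textrel}


def build_sample(e_type, interp=False, dyn=()):
    """Constructed test data: a tiny ELF64 image holding only the fields
    inspect_elf reads (header, program headers, dynamic section)."""
    dyn_blob = b"".join(struct.pack("<qQ", t, v) for t, v in (*dyn, (DT_NULL, 0)))
    phnum = 2 if interp else 1
    dyn_off = 64 + 56 * phnum
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0,
                        len(dyn_blob), len(dyn_blob), 8)
    if interp:
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, 0, 0, 0, 0, 0, 1)
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                        64, 56, phnum, 0, 0, 0)
    return ehdr + phdrs + dyn_blob


# Constructed samples modelling the cases discussed in the thread.
SAMPLES = {
    "linked without -pie": build_sample(ET_EXEC, interp=True),
    "linked with -pie": build_sample(ET_DYN, interp=True,
                                     dyn=[(DT_FLAGS_1, DF_1_PIE)]),
    "-pie, old linker": build_sample(ET_DYN, interp=True),
    ".so with text relocations": build_sample(ET_DYN, dyn=[(DT_TEXTREL, 0)]),
    ".so flagged via DT_FLAGS": build_sample(ET_DYN, dyn=[(DT_FLAGS, DF_TEXTREL)]),
}

if __name__ == "__main__":
    for name, image in SAMPLES.items():
        print(f"{name:28} {inspect_elf(image)}")
```

To check a real build product, pass the file's bytes to `inspect_elf`; 32-bit and big-endian targets need the corresponding header layouts, which this example leaves out.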

* Re: [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers
  2016-06-16 10:59 [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Alexander Kanavin
                   ` (3 preceding siblings ...)
  2016-06-16 10:59 ` [PATCH 5/5] libmad: replace with mpg123 Alexander Kanavin
@ 2016-06-17  2:56 ` Andre McCurdy
  2016-06-17 19:49   ` Alexander Kanavin
  4 siblings, 1 reply; 11+ messages in thread
From: Andre McCurdy @ 2016-06-17  2:56 UTC (permalink / raw)
  To: Alexander Kanavin; +Cc: OE Core mailing list

On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin
<alexander.kanavin@linux.intel.com> wrote:
> These recipes no longer seem to need full exclusion from security hardening.

Did you also confirm that for gcc 4.9 and 5.3?

> The rest (glibc, gcc-runtime, valgrind, grub, grub-efi, uclibc) still do.
>
> [YOCTO #9489]
>
> Signed-off-by: Alexander Kanavin <alexander.kanavin@linux.intel.com>
> ---
>  meta/conf/distro/include/security_flags.inc | 6 ++----
>  1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/meta/conf/distro/include/security_flags.inc b/meta/conf/distro/include/security_flags.inc
> index ea1d4e5..cd2b964 100644
> --- a/meta/conf/distro/include/security_flags.inc
> +++ b/meta/conf/distro/include/security_flags.inc
> @@ -43,7 +43,7 @@ SECURITY_CFLAGS_pn-flac = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-flex = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-gcc = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-gcc-runtime = ""
> -SECURITY_CFLAGS_pn-gcc-sanitizers = ""
> +SECURITY_CFLAGS_pn-gcc-sanitizers = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-gdb = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-gmp = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-gnutls = "${SECURITY_NO_PIE_CFLAGS}"
> @@ -62,7 +62,7 @@ SECURITY_CFLAGS_pn-kexec-tools = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-iptables = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-libaio = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-libcap = "${SECURITY_NO_PIE_CFLAGS}"
> -SECURITY_CFLAGS_pn-libgcc = ""
> +SECURITY_CFLAGS_pn-libgcc = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-libid3tag = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-libnewt = "${SECURITY_NO_PIE_CFLAGS}"
>  SECURITY_CFLAGS_pn-libglu = "${SECURITY_NO_PIE_CFLAGS}"
> @@ -109,10 +109,8 @@ TARGET_CFLAGS_append_class-target = " ${SECURITY_CFLAGS}"
>  TARGET_LDFLAGS_append_class-target = " ${SECURITY_LDFLAGS}"
>
>  SECURITY_LDFLAGS_remove_pn-gcc-runtime = "-fstack-protector-strong"
> -SECURITY_LDFLAGS_remove_pn-gcc-sanitizers = "-fstack-protector-strong"
>  SECURITY_LDFLAGS_remove_pn-glibc = "-fstack-protector-strong"
>  SECURITY_LDFLAGS_remove_pn-glibc-initial = "-fstack-protector-strong"
> -SECURITY_LDFLAGS_remove_pn-libgcc = "-fstack-protector-strong"
>  SECURITY_LDFLAGS_remove_pn-uclibc = "-fstack-protector-strong"
>  SECURITY_LDFLAGS_remove_pn-uclibc-initial = "-fstack-protector-strong"
>  SECURITY_LDFLAGS_pn-xf86-video-fbdev = "${SECURITY_X_LDFLAGS}"
> --
> 2.8.1



* Re: [PATCH 3/5] security_flags.inc: add -fPIC to SECURITY_NO_PIE_CFLAGS
  2016-06-17  2:38   ` Andre McCurdy
@ 2016-06-17 18:12     ` Alexander Kanavin
  0 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-17 18:12 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: OE Core mailing list

On 06/17/2016 05:38 AM, Andre McCurdy wrote:
>>  SECURITY_CFLAGS ?= "-fstack-protector-strong -pie -fpie ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>> -SECURITY_NO_PIE_CFLAGS ?= "-fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>> +SECURITY_NO_PIE_CFLAGS ?= "-fPIC -fstack-protector-strong ${lcl_maybe_fortify} ${SECURITY_STRINGFORMAT}"
>
> I don't think this does anything useful. An executable won't be
> position independent unless -pie is passed to the linker, so if
> linking with -pie doesn't work, forcing all object code to be position
> independent is just adding overhead with no benefit.

That's right; there is no security benefit in -fPIC alone.
Sorry for not researching this fully.

I have however disabled NO_PIE for all recipes that use it, and then 
re-enabled it for those that started to fail. This uncovered a few 
recipes where NO_PIE is no longer needed - at least on x86_64. Patch is 
coming :)


Alex



* Re: [PATCH 4/5] security_flags.inc: add epiphany to SECURITY_NO_PIE_CFLAGS
  2016-06-17  2:39   ` Andre McCurdy
@ 2016-06-17 18:16     ` Alexander Kanavin
  0 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-17 18:16 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: OE Core mailing list

On 06/17/2016 05:39 AM, Andre McCurdy wrote:
> Typically these warnings come from assembler and can't be fixed via
> CFLAGS. If this one _can_ be fixed via CFLAGS then it suggests a bug
> in the Epiphany build somewhere (e.g. reusing an object file intended
> for a static lib in an .so). Maybe it's better to track that down and
> fix properly instead of working around it by globally adding -fPIC to
> CFLAGS?

Thanks; I dropped the patch.

Alex




* Re: [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers
  2016-06-17  2:56 ` [PATCH 1/5] security_flags.inc: add SECURITY_NO_PIE_CFLAGS to libgcc and gcc-sanitizers Andre McCurdy
@ 2016-06-17 19:49   ` Alexander Kanavin
  0 siblings, 0 replies; 11+ messages in thread
From: Alexander Kanavin @ 2016-06-17 19:49 UTC (permalink / raw)
  To: Andre McCurdy; +Cc: OE Core mailing list

On 06/17/2016 05:56 AM, Andre McCurdy wrote:
> On Thu, Jun 16, 2016 at 3:59 AM, Alexander Kanavin
> <alexander.kanavin@linux.intel.com> wrote:
>> These recipes no longer seem to need full exclusion from security hardening.
>
> Did you also confirm that for gcc 4.9 and 5.3?


I just did; they build with both.


Alex



