Merge pull request #892 from skyamgarp/PA-6383

(PA-6383) Enable PIE for Ubuntu and Debian
puppetlabs · Aug 19, 2024 · d9873e5 · d9873e5
2 parents 9833ad9 + 7b20a00
commit d9873e5
Show file tree

Hide file tree

Showing 7 changed files with 33 additions and 21 deletions.
diff --git a/configs/components/_base-ruby.rb b/configs/components/_base-ruby.rb
@@ -76,6 +76,9 @@
   elsif platform.architecture == 'arm64' && platform.os_version.to_i >= 13
     pkg.environment 'CC', 'clang'
   end
+elsif settings[:supports_pie]
+  pkg.environment 'LDFLAGS', settings[:ldflags]
+  pkg.environment 'optflags', settings[:cflags]
 end
 
 ####################

diff --git a/configs/components/augeas.rb b/configs/components/augeas.rb
@@ -119,7 +119,7 @@
     end
   end
 
-  if platform.name =~ /sles-15|el-8|debian-10/ || platform.is_fedora?
+  if settings[:supports_pie]
     pkg.environment 'CFLAGS', settings[:cflags]
     pkg.environment 'CPPFLAGS', settings[:cppflags]
     pkg.environment "LDFLAGS", settings[:ldflags]

diff --git a/configs/components/ruby-2.7.8.rb b/configs/components/ruby-2.7.8.rb
@@ -100,7 +100,7 @@
 
   special_flags = " --prefix=#{ruby_dir} --with-opt-dir=#{settings[:prefix]} "
 
-  if platform.name =~ /sles-15|el-8|debian-10/
+  if settings[:supports_pie]
     special_flags += " CFLAGS='#{settings[:cflags]}' LDFLAGS='#{settings[:ldflags]}' CPPFLAGS='#{settings[:cppflags]}' "
   end
 

diff --git a/configs/components/ruby-3.2.5.rb b/configs/components/ruby-3.2.5.rb
@@ -93,7 +93,7 @@
 
   special_flags = " --prefix=#{ruby_dir} --with-opt-dir=#{settings[:prefix]} "
 
-  if platform.name =~ /sles-15|el-8|debian-10/
+  if settings[:supports_pie]
     special_flags += " CFLAGS='#{settings[:cflags]}' LDFLAGS='#{settings[:ldflags]}' CPPFLAGS='#{settings[:cppflags]}' "
   end
 

diff --git a/configs/components/runtime-bolt.rb b/configs/components/runtime-bolt.rb
@@ -13,7 +13,7 @@
     pkg.install_file "#{settings[:tools_root]}/bin/libgdbm_compat-4.dll", "#{settings[:ruby_bindir]}/libgdbm_compat-4.dll"
     pkg.install_file "#{settings[:tools_root]}/bin/libiconv-2.dll", "#{settings[:ruby_bindir]}/libiconv-2.dll"
     pkg.install_file "#{settings[:tools_root]}/bin/libffi-6.dll", "#{settings[:ruby_bindir]}/libffi-6.dll"
-  elsif platform.is_macos? or platform.name =~ /sles-15|el-8|debian-10|ubuntu-20.04|ubuntu-22.04/ || platform.is_fedora?
+  elsif settings[:supports_pie]
 
     # Do nothing for distros that have a suitable compiler do not use pl-build-tools
 

diff --git a/configs/projects/_shared-agent-settings.rb b/configs/projects/_shared-agent-settings.rb
@@ -140,23 +140,8 @@
 proj.setting(:platform_triple, platform_triple)
 proj.setting(:host, host)
 
-# Define default CFLAGS and LDFLAGS for most platforms, and then
-# tweak or adjust them as needed.
-proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include")
-proj.setting(:cflags, "#{proj.cppflags}")
-proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
-
-# Platform specific overrides or settings, which may override the defaults
-
-# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
-# stack canary and full RELRO.
-# We only do this on platforms that use their default OS toolchain since pl-gcc versions
-# are too old to support these flags.
-if platform.name =~ /sles-15|el-8|debian-10/ || platform.is_fedora?
-  proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
-  proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
-  proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
-end
+# Load default compiler settings
+instance_eval File.read('configs/projects/_shared-compiler-settings.rb')
 
 if ruby_version_x == "3"
   proj.setting(:openssl_version, '3.0')

diff --git a/configs/projects/_shared-compiler-settings.rb b/configs/projects/_shared-compiler-settings.rb
@@ -0,0 +1,24 @@
+# Define default CFLAGS and LDFLAGS for most platforms, and then
+# tweak or adjust them as needed.
+proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include")
+proj.setting(:cflags, "#{proj.cppflags}")
+proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
+
+# Platform specific overrides or settings, which may override the defaults
+
+# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
+# stack canary and full RELRO.
+# We only do this on platforms that use their default OS toolchain since pl-gcc versions
+# are too old to support these flags.
+
+if((platform.is_sles? && platform.os_version.to_i >= 15) ||
+      (platform.is_el? && platform.os_version.to_i == 8 && platform.architecture !~ /ppc64/) ||
+      (platform.is_debian? && platform.os_version.to_i >= 10) ||
+      (platform.is_ubuntu? && platform.os_version.to_i >= 22) ||
+      platform.is_fedora?
+    )
+  proj.setting(:supports_pie, true)
+  proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
+  proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
+  proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
+end