From 15a3d49bf12b24c0a353525acb93e188f67e7581 Mon Sep 17 00:00:00 2001 From: "Andrew G. Morgan" Date: Tue, 31 Aug 2021 19:05:59 -0700 Subject: Move $(LDFLAGS) earlier in build command lines. As explained (thanks David Seifert) there are some LDFLAGS that need to precede actual linked libraries. For example, -Wl,--as-needed. Given this, I've tried it and it appears to work for the default build cases as captured in 'make distcheck'. Signed-off-by: Andrew G. Morgan --- pam_cap/Makefile | 8 ++++---- progs/Makefile | 6 ++++-- tests/Makefile | 14 +++++++------- 3 files changed, 15 insertions(+), 13 deletions(-) diff --git a/pam_cap/Makefile b/pam_cap/Makefile index d5da6be..09083ea 100644 --- a/pam_cap/Makefile +++ b/pam_cap/Makefile @@ -20,7 +20,7 @@ execable.o: execable.c ../libcap/execable.h ../libcap/loader.txt $(CC) $(CFLAGS) $(CPPFLAGS) -DLIBCAP_VERSION=\"libcap-$(VERSION).$(MINOR)\" -DSHARED_LOADER=\"$(shell cat ../libcap/loader.txt)\" -c execable.c -o $@ pam_cap.so: pam_cap.o execable.o pam_cap_linkopts - cat pam_cap_linkopts | xargs -e $(LD) -o $@ pam_cap.o execable.o $(LIBCAPLIB) $(LDFLAGS) + cat pam_cap_linkopts | xargs -e $(LD) $(LDFLAGS) -o $@ pam_cap.o execable.o $(LIBCAPLIB) # Some distributions force link everything at compile time, and don't # take advantage of libpam's dlopen runtime options to resolve ill @@ -51,7 +51,7 @@ pam_cap_linkopts: lazylink.so ./lazylink.so || echo "-lpam" >> $@ lazylink.so: lazylink.c ../libcap/execable.h ../libcap/loader.txt - $(LD) -o $@ $(CFLAGS) $(CPPFLAGS) lazylink.c -DSHARED_LOADER=\"$(shell cat ../libcap/loader.txt)\" $(LDFLAGS) -Wl,-e,__so_start + $(LD) -o $@ $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) lazylink.c -DSHARED_LOADER=\"$(shell cat ../libcap/loader.txt)\" -Wl,-e,__so_start endif endif @@ -62,10 +62,10 @@ pam_cap.o: pam_cap.c $(MAKE) -C ../libcap libcap.a test_pam_cap: test_pam_cap.c pam_cap.c ../libcap/libcap.a - $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ test_pam_cap.c $(LIBCAPLIB) $(LDFLAGS) --static + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ test_pam_cap.c $(LIBCAPLIB) --static testlink: test.c pam_cap.o - $(CC) $(CFLAGS) -o $@ $+ -lpam -ldl $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $+ -lpam -ldl $(LIBCAPLIB) test: testlink test_pam_cap pam_cap.so $(MAKE) testlink diff --git a/progs/Makefile b/progs/Makefile index 0917dd3..2f887c8 100644 --- a/progs/Makefile +++ b/progs/Makefile @@ -28,7 +28,7 @@ endif $(MAKE) -C ../libcap libcap.so $(BUILD): %: %.o $(DEPS) - $(CC) $(CFLAGS) -o $@ $< $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $< $(LIBCAPLIB) %.o: %.c $(INCS) $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@ @@ -49,8 +49,10 @@ capshdoc.h.cf: capshdoc.h ./mkcapshdoc.sh diff -u capshdoc.h $@ || (rm $@ ; exit 1) capsh: capsh.c capshdoc.h.cf $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $(CAPSH_SHELL) -o $@ $< $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(CAPSH_SHELL) $(LDFLAGS) -o $@ $< $(LIBCAPLIB) +# Statically linked with minimal linkage flags to enable running in a +# chroot and in other in-tree testing contexts. tcapsh-static: capsh.c capshdoc.h.cf $(DEPS) $(CC) $(CFLAGS) $(CPPFLAGS) $(CAPSH_SHELL) -o $@ $< $(LIBCAPLIB) --static diff --git a/tests/Makefile b/tests/Makefile index d9ed248..770cffa 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -66,17 +66,17 @@ run_psx_test: psx_test ./psx_test psx_test: psx_test.c $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBPSXLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBPSXLIB) run_libcap_psx_test: libcap_psx_test ./libcap_psx_test libcap_psx_test: libcap_psx_test.c $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LIBPSXLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LIBPSXLIB) # privileged uns_test: uns_test.c $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) run_uns_test: uns_test echo exit | $(SUDO) ./uns_test @@ -88,13 +88,13 @@ run_libcap_psx_launch_test: libcap_psx_launch_test ../progs/tcapsh-static $(SUDO) ./libcap_psx_launch_test libcap_launch_test: libcap_launch_test.c $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) # This varies only slightly from the above insofar as it currently # only links in the pthreads fork support. TODO() we need to change # the source to do something interesting with pthreads. libcap_psx_launch_test: libcap_launch_test.c $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) -DWITH_PTHREADS $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LIBPSXLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -DWITH_PTHREADS $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) $(LIBPSXLIB) # This test demonstrates that libpsx is needed to secure multithreaded @@ -109,12 +109,12 @@ exploit.o: exploit.c $(CC) $(CFLAGS) $(CPPFLAGS) -c $< exploit: exploit.o $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) -lpthread $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBCAPLIB) -lpthread # Note, for some reason, the order of libraries is important to avoid # the exploit working for dynamic linking. noexploit: exploit.o $(DEPS) - $(CC) $(CFLAGS) $(CPPFLAGS) $< -o $@ $(LINKEXTRA) $(LIBPSXLIB) $(LIBCAPLIB) $(LDFLAGS) + $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) $< -o $@ $(LINKEXTRA) $(LIBPSXLIB) $(LIBCAPLIB) # This one runs in a chroot with no shared library files. noop: noop.c -- cgit v1.2.1