From: Heiko Z. <smi...@us...> - 2011-12-09 12:59:51
Update of /cvsroot/devil-linux/build/scripts In directory vz-cvs-3.sog:/tmp/cvs-serv30342/scripts Modified Files: finalize grub Log Message: disable gnu exec stack on grub can't disable it for the grub kernel, shouldn't be a problem since this is used before the system actually boots
Index: finalize
===================================================================
RCS file: /cvsroot/devil-linux/build/scripts/finalize,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -d -r1.12 -r1.13
--- finalize 2 Nov 2011 14:03:41 -0000 1.12
+++ finalize 9 Dec 2011 12:59:49 -0000 1.13
@@ -44,7 +44,7 @@
 # now let's search for libraries which have the executable stack flag set
 # and error out if we find any (only if PAX or GRSecurity are on)
- GNU_EXEC_STACK=$(scanelf $CDDIR -eRq)
+ GNU_EXEC_STACK=$(scanelf $CDDIR -eRq | grep -v grub/kernel.img)
 if [ -n "$GNU_EXEC_STACK" ]; then
 if [ "$CONFIG_GRSECURITY" = "y" ] || [ "$CONFIG_PAX" == "y" ]; then
 echo "************ ERROR ************"
Index: grub
===================================================================
RCS file: /cvsroot/devil-linux/build/scripts/grub,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -d -r1.24 -r1.25
--- grub 8 Dec 2011 19:24:31 -0000 1.24
+++ grub 9 Dec 2011 12:59:49 -0000 1.25
@@ -21,12 +21,12 @@
 patch_from_dir ../grub-patches
 if [ "$CONFIG_GCC_HARDENED" = "y" ]; then
- export CC="gcc -fno-stack-protector -fno-pic -fno-pie -nopie"
+ export CC="gcc -fno-stack-protector -fno-pic -fno-pie -nopie -Wa,--noexecstack"
 fi
 unset CFLAGS
 unset CXXFLAGS
 ./configure --prefix=/usr --sbindir=/sbin --sysconfdir=/etc --disable-nls || exit 1
- make $PMAKE || exit 1
+ make $PMAKE LDFLAGS="-Wl,-z,noexecstack" || exit 1
 ;;
 install ) |
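Review bot: The exclusion added to the scanelf pipeline in finalize is an unanchored regular expression, so `grep -v grub/kernel.img` drops every result line containing that substring (the `.` also matches any character), not only the one GRUB image the log message means to exempt. Since this scan is the gate that fails the build when PaX or grsecurity is enabled, the exemption should be as narrow as possible; assuming the path is the last field of each scanelf line, `grep -v '/grub/kernel\.img$'` would do. A comment such as `# grub kernel.img is only used before the system boots; its exec-stack marking cannot be cleared` would keep the rationale next to the exception instead of only in the commit log. The enclosing block starts and ends outside the hunk.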
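Review bot: `-Wl,-z,noexecstack` on the `make` line forces the non-executable-stack marking at link time whatever the objects request, so the finalize scan now passes without showing that GRUB's tools can actually run without an executable stack. If any of them still depends on one (GCC nested-function trampolines are the usual cause), the failure moves from build time to run time under PaX; that should be confirmed and recorded, e.g. `# verified: GRUB userland needs no exec stack; marking forced for the finalize scanelf check`. The assembler flag is also added only when CONFIG_GCC_HARDENED is `y`, whereas the finalize check keys on CONFIG_GRSECURITY/CONFIG_PAX and the LDFLAGS override is unconditional, so the two conditions do not line up. A command-line `LDFLAGS=` replaces whatever LDFLAGS the generated Makefiles set, so passing it to `./configure` may be the less surprising place. The surrounding case arm starts and ends outside the hunk.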