net-firewall/conntrack-tools/files/conntrack-tools-1.4.4-lazy-binding.patch - third_party/overlays/chromiumos-overlay - Git at Google

 From 75e3bd2618852f47498e75f482e5015fcd4fb270 Mon Sep 17 00:00:00 2001
 From: Kevin Cernekee <cernekee@chromium.org>
 Date: Sat, 10 Sep 2016 09:23:55 -0700
 Subject: [PATCH] Link nfct and helper modules with `-z lazy`

 Some distributions, such as Gentoo and Chrome OS, try to link all
 programs with `-z now` as a security hardening measure.  This breaks
 nfct, because nfct cannot satisfy all of the helper modules' symbols.
 Therefore nfct implicitly depends on lazy binding.

 Have autoconf probe the linker to see if `-z lazy` works, and if so,
 use it to link nfct and the helpers.

 conntrackd itself is unaffected, and should still work with `-z now`.

 Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
 ---
  configure.ac             |  3 ++
  m4/ax_check_link_flag.m4 | 74 ++++++++++++++++++++++++++++++++++++++++++++++++
  src/Makefile.am          |  2 +-
  src/helpers/Makefile.am  | 39 +++++++++++++------------
  4 files changed, 99 insertions(+), 19 deletions(-)
  create mode 100644 m4/ax_check_link_flag.m4

 diff --git a/configure.ac b/configure.ac
 index e2223d7555a5..6141220c0e6a 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -118,6 +118,9 @@ dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
  dnl AC_C_CONST
  dnl AC_C_INLINE

 +# Let nfct use dlopen() on helper libraries without resolving all symbols.
 +AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
 +
  # Checks for library functions.
  dnl AC_FUNC_MALLOC
  dnl AC_FUNC_VPRINTF
 diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4
 new file mode 100644
 index 000000000000..eb01a6ce135e
 --- /dev/null
 +++ b/m4/ax_check_link_flag.m4
 @@ -0,0 +1,74 @@
 +# ===========================================================================
 +#    http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
 +# ===========================================================================
 +#
 +# SYNOPSIS
 +#
 +#   AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
 +#
 +# DESCRIPTION
 +#
 +#   Check whether the given FLAG works with the linker or gives an error.
 +#   (Warnings, however, are ignored)
 +#
 +#   ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
 +#   success/failure.
 +#
 +#   If EXTRA-FLAGS is defined, it is added to the linker's default flags
 +#   when the check is done.  The check is thus made with the flags: "LDFLAGS
 +#   EXTRA-FLAGS FLAG".  This can for example be used to force the linker to
 +#   issue an error when a bad flag is given.
 +#
 +#   INPUT gives an alternative input source to AC_LINK_IFELSE.
 +#
 +#   NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
 +#   macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
 +#
 +# LICENSE
 +#
 +#   Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
 +#   Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
 +#
 +#   This program is free software: you can redistribute it and/or modify it
 +#   under the terms of the GNU General Public License as published by the
 +#   Free Software Foundation, either version 3 of the License, or (at your
 +#   option) any later version.
 +#
 +#   This program is distributed in the hope that it will be useful, but
 +#   WITHOUT ANY WARRANTY; without even the implied warranty of
 +#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
 +#   Public License for more details.
 +#
 +#   You should have received a copy of the GNU General Public License along
 +#   with this program. If not, see <http://www.gnu.org/licenses/>.
 +#
 +#   As a special exception, the respective Autoconf Macro's copyright owner
 +#   gives unlimited permission to copy, distribute and modify the configure
 +#   scripts that are the output of Autoconf when processing the Macro. You
 +#   need not follow the terms of the GNU General Public License when using
 +#   or distributing such scripts, even though portions of the text of the
 +#   Macro appear in them. The GNU General Public License (GPL) does govern
 +#   all other use of the material that constitutes the Autoconf Macro.
 +#
 +#   This special exception to the GPL applies to versions of the Autoconf
 +#   Macro released by the Autoconf Archive. When you make and distribute a
 +#   modified version of the Autoconf Macro, you may extend this special
 +#   exception to the GPL to apply to your modified version as well.
 +
 +#serial 4
 +
 +AC_DEFUN([AX_CHECK_LINK_FLAG],
 +[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
 +AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
 +AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
 +  ax_check_save_flags=$LDFLAGS
 +  LDFLAGS="$LDFLAGS $4 $1"
 +  AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
 +    [AS_VAR_SET(CACHEVAR,[yes])],
 +    [AS_VAR_SET(CACHEVAR,[no])])
 +  LDFLAGS=$ax_check_save_flags])
 +AS_VAR_IF(CACHEVAR,yes,
 +  [m4_default([$2], :)],
 +  [m4_default([$3], :)])
 +AS_VAR_POPDEF([CACHEVAR])dnl
 +])dnl AX_CHECK_LINK_FLAGS
 diff --git a/src/Makefile.am b/src/Makefile.am
 index 607f19161857..144c52c48c64 100644
 --- a/src/Makefile.am
 +++ b/src/Makefile.am
 @@ -35,7 +35,7 @@ if HAVE_CTHELPER
  nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
  endif

 -nfct_LDFLAGS = -export-dynamic
 +nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@

  conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
  		    local.c log.c mcast.c udp.c netlink.c vector.c \
 diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
 index 51f4887ccced..05801bc7f703 100644
 --- a/src/helpers/Makefile.am
 +++ b/src/helpers/Makefile.am
 @@ -10,38 +10,41 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
  		     ct_helper_sane.la	\
  		     ct_helper_ssdp.la

 +HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
 +HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +
  ct_helper_amanda_la_SOURCES = amanda.c
 -ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_amanda_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_amanda_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_amanda_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_dhcpv6_la_SOURCES = dhcpv6.c
 -ct_helper_dhcpv6_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_dhcpv6_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_dhcpv6_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_dhcpv6_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_ftp_la_SOURCES = ftp.c
 -ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_ftp_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_ftp_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_mdns_la_SOURCES = mdns.c
 -ct_helper_mdns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_mdns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_mdns_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_rpc_la_SOURCES = rpc.c
 -ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_tftp_la_SOURCES = tftp.c
 -ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_tns_la_SOURCES = tns.c
 -ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_tns_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_tns_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_sane_la_SOURCES = sane.c
 -ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)

  ct_helper_ssdp_la_SOURCES = ssdp.c
 -ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
 -ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
 +ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
 +ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
 --
 2.8.0.rc3.226.g39d4020
	From 75e3bd2618852f47498e75f482e5015fcd4fb270 Mon Sep 17 00:00:00 2001
	From: Kevin Cernekee <cernekee@chromium.org>
	Date: Sat, 10 Sep 2016 09:23:55 -0700
	Subject: [PATCH] Link nfct and helper modules with `-z lazy`

	Some distributions, such as Gentoo and Chrome OS, try to link all
	programs with `-z now` as a security hardening measure. This breaks
	nfct, because nfct cannot satisfy all of the helper modules' symbols.
	Therefore nfct implicitly depends on lazy binding.

	Have autoconf probe the linker to see if `-z lazy` works, and if so,
	use it to link nfct and the helpers.

	conntrackd itself is unaffected, and should still work with `-z now`.

	Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
	---
	configure.ac \| 3 ++
	m4/ax_check_link_flag.m4 \| 74 ++++++++++++++++++++++++++++++++++++++++++++++++
	src/Makefile.am \| 2 +-
	src/helpers/Makefile.am \| 39 +++++++++++++------------
	4 files changed, 99 insertions(+), 19 deletions(-)
	create mode 100644 m4/ax_check_link_flag.m4

	diff --git a/configure.ac b/configure.ac
	index e2223d7555a5..6141220c0e6a 100644
	--- a/configure.ac
	+++ b/configure.ac
	@@ -118,6 +118,9 @@ dnl AC_CHECK_HEADERS([netinet/in.h stdlib.h])
	dnl AC_C_CONST
	dnl AC_C_INLINE

	+# Let nfct use dlopen() on helper libraries without resolving all symbols.
	+AX_CHECK_LINK_FLAG([-Wl,-z,lazy], [AC_SUBST([LAZY_LDFLAGS], [-Wl,-z,lazy])])
	+
	# Checks for library functions.
	dnl AC_FUNC_MALLOC
	dnl AC_FUNC_VPRINTF
	diff --git a/m4/ax_check_link_flag.m4 b/m4/ax_check_link_flag.m4
	new file mode 100644
	index 000000000000..eb01a6ce135e
	--- /dev/null
	+++ b/m4/ax_check_link_flag.m4
	@@ -0,0 +1,74 @@
	+# ===========================================================================
	+# http://www.gnu.org/software/autoconf-archive/ax_check_link_flag.html
	+# ===========================================================================
	+#
	+# SYNOPSIS
	+#
	+# AX_CHECK_LINK_FLAG(FLAG, [ACTION-SUCCESS], [ACTION-FAILURE], [EXTRA-FLAGS], [INPUT])
	+#
	+# DESCRIPTION
	+#
	+# Check whether the given FLAG works with the linker or gives an error.
	+# (Warnings, however, are ignored)
	+#
	+# ACTION-SUCCESS/ACTION-FAILURE are shell commands to execute on
	+# success/failure.
	+#
	+# If EXTRA-FLAGS is defined, it is added to the linker's default flags
	+# when the check is done. The check is thus made with the flags: "LDFLAGS
	+# EXTRA-FLAGS FLAG". This can for example be used to force the linker to
	+# issue an error when a bad flag is given.
	+#
	+# INPUT gives an alternative input source to AC_LINK_IFELSE.
	+#
	+# NOTE: Implementation based on AX_CFLAGS_GCC_OPTION. Please keep this
	+# macro in sync with AX_CHECK_{PREPROC,COMPILE}_FLAG.
	+#
	+# LICENSE
	+#
	+# Copyright (c) 2008 Guido U. Draheim <guidod@gmx.de>
	+# Copyright (c) 2011 Maarten Bosmans <mkbosmans@gmail.com>
	+#
	+# This program is free software: you can redistribute it and/or modify it
	+# under the terms of the GNU General Public License as published by the
	+# Free Software Foundation, either version 3 of the License, or (at your
	+# option) any later version.
	+#
	+# This program is distributed in the hope that it will be useful, but
	+# WITHOUT ANY WARRANTY; without even the implied warranty of
	+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
	+# Public License for more details.
	+#
	+# You should have received a copy of the GNU General Public License along
	+# with this program. If not, see <http://www.gnu.org/licenses/>.
	+#
	+# As a special exception, the respective Autoconf Macro's copyright owner
	+# gives unlimited permission to copy, distribute and modify the configure
	+# scripts that are the output of Autoconf when processing the Macro. You
	+# need not follow the terms of the GNU General Public License when using
	+# or distributing such scripts, even though portions of the text of the
	+# Macro appear in them. The GNU General Public License (GPL) does govern
	+# all other use of the material that constitutes the Autoconf Macro.
	+#
	+# This special exception to the GPL applies to versions of the Autoconf
	+# Macro released by the Autoconf Archive. When you make and distribute a
	+# modified version of the Autoconf Macro, you may extend this special
	+# exception to the GPL to apply to your modified version as well.
	+
	+#serial 4
	+
	+AC_DEFUN([AX_CHECK_LINK_FLAG],
	+[AC_PREREQ(2.64)dnl for _AC_LANG_PREFIX and AS_VAR_IF
	+AS_VAR_PUSHDEF([CACHEVAR],[ax_cv_check_ldflags_$4_$1])dnl
	+AC_CACHE_CHECK([whether the linker accepts $1], CACHEVAR, [
	+ ax_check_save_flags=$LDFLAGS
	+ LDFLAGS="$LDFLAGS $4 $1"
	+ AC_LINK_IFELSE([m4_default([$5],[AC_LANG_PROGRAM()])],
	+ [AS_VAR_SET(CACHEVAR,[yes])],
	+ [AS_VAR_SET(CACHEVAR,[no])])
	+ LDFLAGS=$ax_check_save_flags])
	+AS_VAR_IF(CACHEVAR,yes,
	+ [m4_default([$2], :)],
	+ [m4_default([$3], :)])
	+AS_VAR_POPDEF([CACHEVAR])dnl
	+])dnl AX_CHECK_LINK_FLAGS
	diff --git a/src/Makefile.am b/src/Makefile.am
	index 607f19161857..144c52c48c64 100644
	--- a/src/Makefile.am
	+++ b/src/Makefile.am
	@@ -35,7 +35,7 @@ if HAVE_CTHELPER
	nfct_LDADD += ${LIBNETFILTER_CTHELPER_LIBS}
	endif

	-nfct_LDFLAGS = -export-dynamic
	+nfct_LDFLAGS = -export-dynamic @LAZY_LDFLAGS@

	conntrackd_SOURCES = alarm.c main.c run.c hash.c queue.c rbtree.c \
	local.c log.c mcast.c udp.c netlink.c vector.c \
	diff --git a/src/helpers/Makefile.am b/src/helpers/Makefile.am
	index 51f4887ccced..05801bc7f703 100644
	--- a/src/helpers/Makefile.am
	+++ b/src/helpers/Makefile.am
	@@ -10,38 +10,41 @@ pkglib_LTLIBRARIES = ct_helper_amanda.la \
	ct_helper_sane.la \
	ct_helper_ssdp.la

	+HELPER_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS) @LAZY_LDFLAGS@
	+HELPER_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+
	ct_helper_amanda_la_SOURCES = amanda.c
	-ct_helper_amanda_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_amanda_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_amanda_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_amanda_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_dhcpv6_la_SOURCES = dhcpv6.c
	-ct_helper_dhcpv6_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_dhcpv6_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_dhcpv6_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_dhcpv6_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_ftp_la_SOURCES = ftp.c
	-ct_helper_ftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_ftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_ftp_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_ftp_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_mdns_la_SOURCES = mdns.c
	-ct_helper_mdns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_mdns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_mdns_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_mdns_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_rpc_la_SOURCES = rpc.c
	-ct_helper_rpc_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_rpc_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_rpc_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_rpc_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_tftp_la_SOURCES = tftp.c
	-ct_helper_tftp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_tftp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_tftp_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_tftp_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_tns_la_SOURCES = tns.c
	-ct_helper_tns_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_tns_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_tns_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_tns_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_sane_la_SOURCES = sane.c
	-ct_helper_sane_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_sane_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_sane_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_sane_la_CFLAGS = $(HELPER_CFLAGS)

	ct_helper_ssdp_la_SOURCES = ssdp.c
	-ct_helper_ssdp_la_LDFLAGS = -avoid-version -module $(LIBNETFILTER_CONNTRACK_LIBS)
	-ct_helper_ssdp_la_CFLAGS = $(AM_CFLAGS) $(LIBNETFILTER_CONNTRACK_CFLAGS)
	+ct_helper_ssdp_la_LDFLAGS = $(HELPER_LDFLAGS)
	+ct_helper_ssdp_la_CFLAGS = $(HELPER_CFLAGS)
	--
	2.8.0.rc3.226.g39d4020