meta/recipes-extended/sudo/files/libtool.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125

Upstream-Status: Backport
Signed-off-by: Ross Burton <ross.burton@arm.com>

From 2e492267e7bd8acb54db685c0467c09881c95d63 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Thu, 13 May 2021 12:45:56 -0600
Subject: [PATCH] Build sudo_noexec.so as a module on systems other then
 Darwin. On Darwin, shared modules and shared libraries are not interchangable
 and since we preload sudo_noexec.so via DYLD_INSERT_LIBRARIES it must be a
 library, not a module.  We must relax the requirement that libraries begin
 with a "lib" prefix to work around this difference.  This does mean you must
 use sudo's libtool on Darwin (macOS) but that is already a requirement on
 other systems (notably HP-UX and SCO) due to a number of libtool patches we
 require that haven't be accepted upstream.  This is a different fix for PR
 #102.

---
 configure         |  7 +++++++
 configure.ac      |  6 ++++++
 scripts/ltmain.sh |  3 ---
 src/Makefile.in   | 14 +++++---------
 4 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/configure b/configure
index ddf0b128c..48a322ac9 100755
--- a/configure
+++ b/configure
@@ -808,6 +808,7 @@ LDAP
 SELINUX_USAGE
 BSDAUTH_USAGE
 DONT_LEAK_PATH_INFO
+NOEXEC_MODULE
 CHECK_NOEXEC
 INSTALL_NOEXEC
 INSTALL_BACKUP
@@ -3536,6 +3537,7 @@ ac_config_headers="$ac_config_headers config.h pathnames.h"
 
 
 
+
 
 
 #
@@ -3593,6 +3595,7 @@ devsearch="/dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev"
 INSTALL_BACKUP=
 INSTALL_NOEXEC=
 CHECK_NOEXEC=
+NOEXEC_MODULE=-module
 exampledir='$(docdir)/examples'
 devdir='$(srcdir)'
 PROGS="sudo"
@@ -16604,6 +16607,10 @@ done
 		fi
 		RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
 
+		# Build sudo_noexec.so as a shared library, not a module.
+		# On Darwin, modules and shared libraries are incompatible.
+		NOEXEC_MODULE=
+
 		# Mach monotonic timer that runs while sleeping
 		ac_fn_c_check_func "$LINENO" "mach_continuous_time" "ac_cv_func_mach_continuous_time"
 if test "x$ac_cv_func_mach_continuous_time" = xyes
diff --git a/configure.ac b/configure.ac
index 1b2087a1a..bb3569104 100644
--- a/configure.ac
+++ b/configure.ac
@@ -76,6 +76,7 @@ AC_SUBST([sesh_file])
 AC_SUBST([INSTALL_BACKUP])
 AC_SUBST([INSTALL_NOEXEC])
 AC_SUBST([CHECK_NOEXEC])
+AC_SUBST([NOEXEC_MODULE])
 AC_SUBST([DONT_LEAK_PATH_INFO])
 AC_SUBST([BSDAUTH_USAGE])
 AC_SUBST([SELINUX_USAGE])
@@ -227,6 +228,7 @@ dnl
 INSTALL_BACKUP=
 INSTALL_NOEXEC=
 CHECK_NOEXEC=
+NOEXEC_MODULE=-module
 exampledir='$(docdir)/examples'
 devdir='$(srcdir)'
 PROGS="sudo"
@@ -2170,6 +2172,10 @@ case "$host" in
 		fi
 		RTLD_PRELOAD_VAR="DYLD_INSERT_LIBRARIES"
 
+		# Build sudo_noexec.so as a shared library, not a module.
+		# On Darwin, modules and shared libraries are incompatible.
+		NOEXEC_MODULE=
+
 		# Mach monotonic timer that runs while sleeping
 		AC_CHECK_FUNCS([mach_continuous_time])
 
diff --git a/src/Makefile.in b/src/Makefile.in
index ec2c2970a..108fa9c8f 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -64,6 +64,9 @@ LT_LDFLAGS = @LT_LDFLAGS@
 # Flags to pass to libtool
 LTFLAGS = --tag=disable-static
 
+# Build sudo_noexec as a module instead of a shared lib (except on macOS)
+NOEXEC_MODULE = @NOEXEC_MODULE@
+
 # Address sanitizer flags
 ASAN_CFLAGS = @ASAN_CFLAGS@
 ASAN_LDFLAGS = @ASAN_LDFLAGS@
@@ -175,15 +178,8 @@ Makefile: $(srcdir)/Makefile.in
 sudo: $(OBJS) $(LT_LIBS) @STATIC_SUDOERS@
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(OBJS) $(SUDO_LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS) @STATIC_SUDOERS@
 
-# We can't use -module here since you cannot preload a module on Darwin
-libsudo_noexec.la: sudo_noexec.lo
-	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) $(SSP_LDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir) -shrext .so
-
-# Some hackery is required to install this as sudo_noexec, not libsudo_noexec
-sudo_noexec.la: libsudo_noexec.la
-	sed 's/libsudo_noexec/sudo_noexec/g' libsudo_noexec.la > sudo_noexec.la
-	if test -f .libs/libsudo_noexec.lai; then sed 's/libsudo_noexec/sudo_noexec/g' .libs/libsudo_noexec.lai > .libs/sudo_noexec.lai; fi
-	cp -p .libs/libsudo_noexec.so .libs/sudo_noexec.so
+sudo_noexec.la: sudo_noexec.lo
+	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) $(LDFLAGS) $(LT_LDFLAGS) $(SSP_LDFLAGS) @LIBDL@ -o $@ sudo_noexec.lo $(NOEXEC_MODULE) -avoid-version -rpath $(noexecdir) -shrext .so
 
 sesh: $(SESH_OBJS) $(LT_LIBS)
 	$(LIBTOOL) $(LTFLAGS) --mode=link $(CC) -o $@ $(SESH_OBJS) $(LDFLAGS) $(ASAN_LDFLAGS) $(PIE_LDFLAGS) $(SSP_LDFLAGS) $(LIBS)