- Mask sys-devel/gcc pie useflag globally in /base - Selectively unmask pie useflag for hardened/linux hardened/linux/musl profiles
- Ensure pie useflag is forced for hardened profiles
---
 profiles/arch/amd64/package.use.mask | 4 ----
 profiles/arch/base/package.use.mask | 4 ----
 profiles/base/package.use.mask | 4 ++++
 profiles/hardened/linux/musl/amd64/package.use.mask | 6 ------
 profiles/hardened/linux/musl/package.use.mask | 4 ++++
 profiles/hardened/linux/musl/use.force | 4 ++++
 profiles/hardened/linux/package.use.mask | 4 ++++
 profiles/hardened/linux/use.force | 2 +-
 8 files changed, 17 insertions(+), 15 deletions(-)
 delete mode 100644 profiles/hardened/linux/musl/amd64/package.use.mask
diff --git a/profiles/arch/amd64/package.use.mask b/profiles/arch/amd64/package.use.mask
index 4548392..2fe5376 100644
--- a/profiles/arch/amd64/package.use.mask
+++ b/profiles/arch/amd64/package.use.mask
@@ -30,10 +30,6 @@ dev-lang/ocaml -spacetime
 # nvidia drivers are unmasked here
 media-video/ffmpeg -nvenc
 
-# Magnus Granberg <zo...@gentoo.org> (18 Jan 2017)
-# masked in base, unmask for amd64
->=sys-devel/gcc-6.3.0 -pie
-
 # Luke Dashjr <luke-jr+gentoob...@utopios.org> (04 Jan 2017)
 # Assembly optimisations are supported on amd64 for all versions
 dev-libs/libsecp256k1 -asm
diff --git a/profiles/arch/base/package.use.mask b/profiles/arch/base/package.use.mask
index f2d3a9b..8442d97 100644
--- a/profiles/arch/base/package.use.mask
+++ b/profiles/arch/base/package.use.mask
@@ -18,10 +18,6 @@ media-video/ffmpeg nvenc
 # media-libs/raspberrypi-userland not keyworded
 media-video/motion mmal
 
-# Magnus Granberg <zo...@gentoo.org> (18 Jan 2017)
-# Mask it globally, unmask it on supported arch
->=sys-devel/gcc-6.2.0 pie
-
 # Luke Dashjr <luke-jr+gentoob...@utopios.org> (04 Jan 2017)
 # Mask assembly optimisations that are platform-specific
 dev-libs/libsecp256k1 asm
diff --git a/profiles/base/package.use.mask b/profiles/base/package.use.mask
index 9f55b27..c8faec7 100644
--- a/profiles/base/package.use.mask
+++ b/profiles/base/package.use.mask
@@ -7,6 +7,10 @@
 # This file is only for generic masks. For arch-specific masks (i.e.
 # mask everywhere, unmask on arch/*) use arch/base.
 
+# Matthias Maier <tam...@gentoo.org> (09 May 2017)
+# Mask pie useflag globally and unmask + use.force on hardened profiles.
+sys-devel/gcc pie
+
 # Mike Gilbert <flop...@gentoo.org> (28 Apr 2017)
 # Needs sandbox-2.11 (masked)
 >=www-client/chromium-59 tcmalloc
diff --git a/profiles/hardened/linux/musl/amd64/package.use.mask b/profiles/hardened/linux/musl/amd64/package.use.mask
deleted file mode 100644
index e2d77b0..00000000
--- a/profiles/hardened/linux/musl/amd64/package.use.mask
+++ /dev/null
@@ -1,6 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation.
-# Distributed under the terms of the GNU General Public License v2
-
-# Matthias Maier <tam...@genoto.org> (07 May 2017)
-# masked in arch/base, unmask for hardened/musl/amd64
->=sys-devel/gcc-6.3.0 -pie
diff --git a/profiles/hardened/linux/musl/package.use.mask b/profiles/hardened/linux/musl/package.use.mask
index 9078b7c..46857dc 100644
--- a/profiles/hardened/linux/musl/package.use.mask
+++ b/profiles/hardened/linux/musl/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2015 Gentoo Foundation.
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tam...@gentoo.org> (09 May 2017)
+# Unmask the pie useflag on hardened/linux/musl profiles.
+sys-devel/gcc -pie
+
 # See bug #504200
 sys-devel/gcc sanitize
 
diff --git a/profiles/hardened/linux/musl/use.force b/profiles/hardened/linux/musl/use.force
index 79e5575..debacff 100644
--- a/profiles/hardened/linux/musl/use.force
+++ b/profiles/hardened/linux/musl/use.force
@@ -2,3 +2,7 @@
 # Distributed under the terms of the GNU General Public License v2
 
 elibc_musl
+
+# Make sure people don't accidentally turn off ssp/pie in important packages.
+pie
+ssp
diff --git a/profiles/hardened/linux/package.use.mask b/profiles/hardened/linux/package.use.mask
index 4178151..aa2adc5 100644
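Review bot: The comment added above `sys-devel/gcc pie` in profiles/base/package.use.mask says what is masked but not why, and the unversioned atom is broader than the `>=sys-devel/gcc-6.2.0 pie` entry it replaces in arch/base. With the amd64 unmask also removed, non-hardened amd64 profiles can no longer build gcc with its default-PIE option, which is a change in available exploit mitigation that the entry should record as intended. I would extend the comment along the lines of `# Default-PIE gcc is limited to hardened profiles; non-hardened arches (incl. amd64) lose the flag. See bug <BUG-ID>.`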
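Review bot: The comment added to profiles/hardened/linux/musl/use.force says "in important packages", but a profile-level use.force entry forces `pie` and `ssp` on every package that has those flags, not on a selected set. The force reaches sys-devel/gcc only because package.use.mask in the same profile carries `sys-devel/gcc -pie`, since a masked flag takes precedence over a forced one; that coupling is easy to break in a later edit. I would word the comment as `# Force ssp/pie on all packages; for sys-devel/gcc this depends on the -pie unmask in package.use.mask.` The same comment text is used in profiles/hardened/linux/use.force.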
--- a/profiles/hardened/linux/package.use.mask
+++ b/profiles/hardened/linux/package.use.mask
@@ -1,6 +1,10 @@
 # Copyright 1999-2017 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
+# Matthias Maier <tam...@gentoo.org> (09 May 2017)
+# Unmask the pie useflag on hardened profiles.
+sys-devel/gcc -pie
+
 # Ilya Tumaykin <itumaykin+gen...@gmail.com> (19 Jan 2017)
 # Requires x11-drivers/nvidia-drivers. Needs testing first.
 media-video/mpv cuda
diff --git a/profiles/hardened/linux/use.force b/profiles/hardened/linux/use.force
index 35e5653..ec5509c 100644
--- a/profiles/hardened/linux/use.force
+++ b/profiles/hardened/linux/use.force
@@ -1,6 +1,6 @@
 # Copyright 1999-2015 Gentoo Foundation
 # Distributed under the terms of the GNU General Public License v2
 
-# Make sure people don't accidentally turn of ssp/pie in important packages.
+# Make sure people don't accidentally turn off ssp/pie in important packages.
 pie
 ssp
-- 
2.10.2
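Review bot: The unmask `sys-devel/gcc -pie` in profiles/hardened/linux/package.use.mask is not gated by architecture, whereas the entry removed from arch/base described the earlier scheme as "Mask it globally, unmask it on supported arch". Because profiles/hardened/linux/use.force already lists `pie`, the flag becomes forced on gcc in every profile that inherits this unmask, so a hardened sub-profile for an architecture that cannot build a default-PIE gcc would need its own re-mask. Whether such a sub-profile exists is not visible in this patch; the entry could at least state the requirement, for example `# Arch sub-profiles that cannot build a default-PIE gcc must re-mask pie.`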