Richard W.M. Jones
2018-Sep-20 12:16 UTC
[Libguestfs] [PATCH 1/2] tools: Link OCaml programs with -runtime-variant _pic if available.
OCaml has a small runtime which is statically linked into the virt
tools (providing things like GC and primitives). Since OCaml 4.03 it
has been possible to select variants of this runtime, one of which is
compiled with -fPIC, using ‘ocamlopt -runtime-variant _pic’.
This has performance implications on i686, but is relatively free on
other architectures. Since it (in theory) adds to the security of the
final binary this commit enables it whenever it is available.
---
.gitignore | 1 +
configure.ac | 2 ++
m4/guestfs-ocaml.m4 | 18 ++++++++++++++++++
ocaml-link.sh => ocaml-link.sh.in | 8 +++++++-
4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 5088869ae..0ba1b28ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -412,6 +412,7 @@ Makefile.in
/make-fs/virt-make-fs.1
/missing
/ocaml-dep.sh
+/ocaml-link.sh
/ocaml/bindtests.bc
/ocaml/bindtests.opt
/ocaml/bindtests.ml
diff --git a/configure.ac b/configure.ac
index 2021fb522..4542d6faf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,6 +203,8 @@ AC_CONFIG_FILES([installcheck.sh],
[chmod +x,-w installcheck.sh])
AC_CONFIG_FILES([ocaml-dep.sh],
[chmod +x,-w ocaml-dep.sh])
+AC_CONFIG_FILES([ocaml-link.sh],
+ [chmod +x,-w ocaml-link.sh])
AC_CONFIG_FILES([p2v/virt-p2v-make-disk],
[chmod +x,-w p2v/virt-p2v-make-disk])
AC_CONFIG_FILES([p2v/virt-p2v-make-kickstart],
diff --git a/m4/guestfs-ocaml.m4 b/m4/guestfs-ocaml.m4
index e08f40a02..fea11a334 100644
--- a/m4/guestfs-ocaml.m4
+++ b/m4/guestfs-ocaml.m4
@@ -59,6 +59,24 @@ AM_CONDITIONAL([HAVE_OCAMLOPT],
AM_CONDITIONAL([HAVE_OCAMLDOC],
[test "x$OCAMLDOC" != "xno"])
+dnl Check if ocamlc/ocamlopt -runtime-variant _pic works. It was
+dnl added in OCaml >= 4.03, but in theory might be disabled by
+dnl downstream distros.
+OCAML_RUNTIME_VARIANT_PIC_OPTION=""
+if test "x$OCAMLC" != "xno"; then
+ AC_MSG_CHECKING([if OCaml ‘-runtime-variant _pic’ works])
+ rm -f conftest.ml contest
+ echo 'print_endline "hello world"' > conftest.ml
+ if $OCAMLC conftest.ml -runtime-variant _pic -o conftest >&5
2>&5 ; then
+ AC_MSG_RESULT([yes])
+ OCAML_RUNTIME_VARIANT_PIC_OPTION="-runtime-variant _pic"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ rm -f conftest.ml contest
+fi
+AC_SUBST([OCAML_RUNTIME_VARIANT_PIC_OPTION])
+
dnl Check if ocamldep has options -all and -one-line (not present in RHEL 6).
AC_MSG_CHECKING([if ocamldep has the ‘-all’ option])
if ocamldep -all >&AS_MESSAGE_LOG_FD 2>&1; then
diff --git a/ocaml-link.sh b/ocaml-link.sh.in
similarity index 87%
rename from ocaml-link.sh
rename to ocaml-link.sh.in
index 855637534..83fbfca37 100755
--- a/ocaml-link.sh
+++ b/ocaml-link.sh.in
@@ -1,4 +1,6 @@
#!/bin/bash -
+# Script used to link OCaml programs.
+# @configure_input@
# (C) Copyright 2015-2018 Red Hat Inc.
#
# This program is free software; you can redistribute it and/or modify
@@ -41,4 +43,8 @@ while true ; do
esac
done
-exec "$@" -linkpkg -cclib "${cclib}"
+# NB The order of the arguments is important.
+exec "$@" \
+ @OCAML_RUNTIME_VARIANT_PIC_OPTION@ \
+ -linkpkg \
+ -cclib "${cclib}"
--
2.19.0.rc0
Richard W.M. Jones
2018-Sep-20 12:16 UTC
[Libguestfs] [PATCH 2/2] tools: Ensure CFLAGS and LDFLAGS are passed to all OCaml binaries (RHBZ#1624130).
After this commit, all annocheck errors are fixed except for:
Hardened: virt-get-kernel: MAYB: Gaps were detected in the annobin coverage.
Run with -v to list.
After discussion with the annocheck maintainers this gap in coverage
(which corresponds to the OCaml runtime) seems to be caused either by
the runtime not being linked with the right flags, or might be a bug
in annocheck itself. In any case it's not something that can be
resolved within the scope of libguestfs.
---
builder/Makefile.am | 2 +-
common/mlaugeas/Makefile.am | 2 +-
common/mlgettext/Makefile.am | 2 +-
common/mlpcre/Makefile.am | 2 +-
common/mlprogress/Makefile.am | 2 +-
common/mlstdutils/Makefile.am | 2 +-
common/mltools/Makefile.am | 2 +-
common/mlutils/Makefile.am | 2 +-
common/mlvisit/Makefile.am | 2 +-
common/mlxml/Makefile.am | 2 +-
customize/Makefile.am | 2 +-
daemon/Makefile.am | 2 +-
dib/Makefile.am | 2 +-
generator/Makefile.am | 2 +-
get-kernel/Makefile.am | 2 +-
ocaml-link.sh.in | 2 +-
ocaml/Makefile.am | 2 +-
resize/Makefile.am | 2 +-
sparsify/Makefile.am | 2 +-
sysprep/Makefile.am | 2 +-
v2v/Makefile.am | 2 +-
v2v/test-harness/Makefile.am | 2 +-
22 files changed, 22 insertions(+), 22 deletions(-)
diff --git a/builder/Makefile.am b/builder/Makefile.am
index f64750c7f..dc68e9d03 100644
--- a/builder/Makefile.am
+++ b/builder/Makefile.am
@@ -206,7 +206,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlaugeas/Makefile.am b/common/mlaugeas/Makefile.am
index 8aa15b80e..2c1a6e0fd 100644
--- a/common/mlaugeas/Makefile.am
+++ b/common/mlaugeas/Makefile.am
@@ -61,7 +61,7 @@ BOBJECTS = $(SOURCES_ML:.ml=.cmo)
XOBJECTS = $(BOBJECTS:.cmo=.cmx)
OCAMLPACKAGES -OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlgettext/Makefile.am b/common/mlgettext/Makefile.am
index cdcea33ec..b918f90c3 100644
--- a/common/mlgettext/Makefile.am
+++ b/common/mlgettext/Makefile.am
@@ -60,7 +60,7 @@ if HAVE_OCAML_PKG_GETTEXT
OCAMLPACKAGES += -package gettext-stub
endif
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlpcre/Makefile.am b/common/mlpcre/Makefile.am
index f9699f592..6f04256da 100644
--- a/common/mlpcre/Makefile.am
+++ b/common/mlpcre/Makefile.am
@@ -70,7 +70,7 @@ OCAMLPACKAGES = \
-I $(builddir)
OCAMLPACKAGES_TESTS = $(MLPCRE_CMA)
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlprogress/Makefile.am b/common/mlprogress/Makefile.am
index be88ef2de..af006d228 100644
--- a/common/mlprogress/Makefile.am
+++ b/common/mlprogress/Makefile.am
@@ -76,7 +76,7 @@ OCAMLPACKAGES = \
-I $(top_builddir)/ocaml \
-I $(builddir)
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlstdutils/Makefile.am b/common/mlstdutils/Makefile.am
index e38230db8..75252eb46 100644
--- a/common/mlstdutils/Makefile.am
+++ b/common/mlstdutils/Makefile.am
@@ -79,7 +79,7 @@ if HAVE_OCAML_PKG_OUNIT
OCAMLPACKAGES_TESTS += -package oUnit
endif
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mltools/Makefile.am b/common/mltools/Makefile.am
index 84afeb6d9..bb0173653 100644
--- a/common/mltools/Makefile.am
+++ b/common/mltools/Makefile.am
@@ -139,7 +139,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlutils/Makefile.am b/common/mlutils/Makefile.am
index 8627e5b10..77feafa56 100644
--- a/common/mlutils/Makefile.am
+++ b/common/mlutils/Makefile.am
@@ -74,7 +74,7 @@ OCAMLPACKAGES = \
-I $(top_builddir)/common/mlstdutils \
-I $(builddir)
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlvisit/Makefile.am b/common/mlvisit/Makefile.am
index add1fe56e..7230415e7 100644
--- a/common/mlvisit/Makefile.am
+++ b/common/mlvisit/Makefile.am
@@ -80,7 +80,7 @@ OCAMLPACKAGES = \
-I $(builddir)
OCAMLPACKAGES_TESTS = $(MLVISIT_CMA)
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/common/mlxml/Makefile.am b/common/mlxml/Makefile.am
index 8690f0b39..95915f80c 100644
--- a/common/mlxml/Makefile.am
+++ b/common/mlxml/Makefile.am
@@ -73,7 +73,7 @@ OCAMLPACKAGES = \
-I $(top_builddir)/gnulib/lib/.libs \
-I $(builddir)
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/customize/Makefile.am b/customize/Makefile.am
index 775160abb..4db6fa9b3 100644
--- a/customize/Makefile.am
+++ b/customize/Makefile.am
@@ -173,7 +173,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
virt_customize_DEPENDENCIES = \
$(top_srcdir)/ocaml-link.sh \
diff --git a/daemon/Makefile.am b/daemon/Makefile.am
index b50a1db54..5d1c222db 100644
--- a/daemon/Makefile.am
+++ b/daemon/Makefile.am
@@ -348,7 +348,7 @@ OCAMLPACKAGES = \
-I $(top_builddir)/common/mlpcre/.libs \
-I $(top_builddir)/gnulib/lib/.libs
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/dib/Makefile.am b/dib/Makefile.am
index 316f49903..7c2ab09d6 100644
--- a/dib/Makefile.am
+++ b/dib/Makefile.am
@@ -99,7 +99,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/generator/Makefile.am b/generator/Makefile.am
index d026e9558..5d75b75d8 100644
--- a/generator/Makefile.am
+++ b/generator/Makefile.am
@@ -178,7 +178,7 @@ OCAMLPACKAGES = \
-I . \
-I $(top_srcdir)/common/mlstdutils \
-I $(top_builddir)/common/mlstdutils
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
noinst_PROGRAM = generator
diff --git a/get-kernel/Makefile.am b/get-kernel/Makefile.am
index 81dfb48b4..75379e21f 100644
--- a/get-kernel/Makefile.am
+++ b/get-kernel/Makefile.am
@@ -82,7 +82,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/ocaml-link.sh.in b/ocaml-link.sh.in
index 83fbfca37..d1f5bc42d 100755
--- a/ocaml-link.sh.in
+++ b/ocaml-link.sh.in
@@ -47,4 +47,4 @@ done
exec "$@" \
@OCAML_RUNTIME_VARIANT_PIC_OPTION@ \
-linkpkg \
- -cclib "${cclib}"
+ -cclib "@LDFLAGS@ $cclib"
diff --git a/ocaml/Makefile.am b/ocaml/Makefile.am
index b0f2900f2..752fc109c 100644
--- a/ocaml/Makefile.am
+++ b/ocaml/Makefile.am
@@ -37,7 +37,7 @@ CLEANFILES += t/*.annot t/*.cmi t/*.cmo t/*.cmx t/*.o t/*.a
t/*.so
if HAVE_OCAML
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
noinst_DATA = mlguestfs.cma META
if HAVE_OCAMLOPT
diff --git a/resize/Makefile.am b/resize/Makefile.am
index 847fb313a..7a4367023 100644
--- a/resize/Makefile.am
+++ b/resize/Makefile.am
@@ -80,7 +80,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/sparsify/Makefile.am b/sparsify/Makefile.am
index 2ab357a68..2dce5e582 100644
--- a/sparsify/Makefile.am
+++ b/sparsify/Makefile.am
@@ -88,7 +88,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/sysprep/Makefile.am b/sysprep/Makefile.am
index 0cc9da80a..6ed4ac713 100644
--- a/sysprep/Makefile.am
+++ b/sysprep/Makefile.am
@@ -136,7 +136,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/v2v/Makefile.am b/v2v/Makefile.am
index aab356637..c5b8dcc98 100644
--- a/v2v/Makefile.am
+++ b/v2v/Makefile.am
@@ -213,7 +213,7 @@ OCAMLCLIBS = \
$(LIBINTL) \
-lgnu
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
if !HAVE_OCAMLOPT
OBJECTS = $(BOBJECTS)
diff --git a/v2v/test-harness/Makefile.am b/v2v/test-harness/Makefile.am
index d69188969..22c3b8c49 100644
--- a/v2v/test-harness/Makefile.am
+++ b/v2v/test-harness/Makefile.am
@@ -47,7 +47,7 @@ OCAMLPACKAGES = \
-I $(top_builddir)/common/mltools \
-I $(top_builddir)/v2v
-OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR)
+OCAMLFLAGS = $(OCAML_FLAGS) $(OCAML_WARN_ERROR) -ccopt '$(CFLAGS)'
BOBJECTS = \
$(SOURCES_ML:.ml=.cmo) \
--
2.19.0.rc0
Pino Toscano
2018-Sep-21 08:37 UTC
Re: [Libguestfs] [PATCH 1/2] tools: Link OCaml programs with -runtime-variant _pic if available.
On Thursday, 20 September 2018 14:16:15 CEST Richard W.M. Jones wrote:> OCaml has a small runtime which is statically linked into the virt > tools (providing things like GC and primitives). Since OCaml 4.03 it > has been possible to select variants of this runtime, one of which is > compiled with -fPIC, using ‘ocamlopt -runtime-variant _pic’. > > This has performance implications on i686, but is relatively free on > other architectures. Since it (in theory) adds to the security of the > final binary this commit enables it whenever it is available. > ---LGTM. -- Pino Toscano
Apparently Analagous Threads
- [PATCH 0/2] Build mllib and customize into libraries.
- [PATCH 1/2] build: Fix dependencies on mllib and customize.
- [common PATCH] mlv2v: build as OCaml library
- [libnbd PATCH] build: Fix OCaml build on Fedora 29
- [PATCH v2] daemon: Use a configure-time test to find the best OCaml