OCaml has a small runtime which is statically linked into the virt
tools (providing things like GC and primitives). Since OCaml 4.03 it
has been possible to select variants of this runtime, one of which is
compiled with -fPIC, using ‘ocamlopt -runtime-variant _pic’.
This has performance implications on i686, but is relatively free on
other architectures. Since it (in theory) adds to the security of the
final binary, this commit enables it whenever it is available.
---
.gitignore | 1 +
configure.ac | 2 ++
m4/guestfs-ocaml.m4 | 18 ++++++++++++++++++
ocaml-link.sh => ocaml-link.sh.in | 8 +++++++-
4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/.gitignore b/.gitignore
index 5088869ae..0ba1b28ae 100644
--- a/.gitignore
+++ b/.gitignore
@@ -412,6 +412,7 @@ Makefile.in
/make-fs/virt-make-fs.1
/missing
/ocaml-dep.sh
+/ocaml-link.sh
/ocaml/bindtests.bc
/ocaml/bindtests.opt
/ocaml/bindtests.ml
diff --git a/configure.ac b/configure.ac
index 2021fb522..4542d6faf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -203,6 +203,8 @@ AC_CONFIG_FILES([installcheck.sh],
[chmod +x,-w installcheck.sh])
AC_CONFIG_FILES([ocaml-dep.sh],
[chmod +x,-w ocaml-dep.sh])
+AC_CONFIG_FILES([ocaml-link.sh],
+ [chmod +x,-w ocaml-link.sh])
AC_CONFIG_FILES([p2v/virt-p2v-make-disk],
[chmod +x,-w p2v/virt-p2v-make-disk])
AC_CONFIG_FILES([p2v/virt-p2v-make-kickstart],
diff --git a/m4/guestfs-ocaml.m4 b/m4/guestfs-ocaml.m4
index e08f40a02..fea11a334 100644
--- a/m4/guestfs-ocaml.m4
+++ b/m4/guestfs-ocaml.m4
@@ -59,6 +59,24 @@ AM_CONDITIONAL([HAVE_OCAMLOPT],
AM_CONDITIONAL([HAVE_OCAMLDOC],
[test "x$OCAMLDOC" != "xno"])
+dnl Check if ocamlc/ocamlopt -runtime-variant _pic works. It was
+dnl added in OCaml >= 4.03, but in theory might be disabled by
+dnl downstream distros.
+OCAML_RUNTIME_VARIANT_PIC_OPTION=""
+if test "x$OCAMLC" != "xno"; then
+ AC_MSG_CHECKING([if OCaml ‘-runtime-variant _pic’ works])
+ rm -f conftest.ml contest
+ echo 'print_endline "hello world"' > conftest.ml
+ if $OCAMLC conftest.ml -runtime-variant _pic -o conftest >&5 2>&5 ;
then
+ AC_MSG_RESULT([yes])
+ OCAML_RUNTIME_VARIANT_PIC_OPTION="-runtime-variant _pic"
+ else
+ AC_MSG_RESULT([no])
+ fi
+ rm -f conftest.ml contest
+fi
+AC_SUBST([OCAML_RUNTIME_VARIANT_PIC_OPTION])
+
dnl Check if ocamldep has options -all and -one-line (not present in RHEL 6).
AC_MSG_CHECKING([if ocamldep has the ‘-all’ option])
if ocamldep -all >&AS_MESSAGE_LOG_FD 2>&1; then
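Review bot: Both cleanup lines in the new probe read `rm -f conftest.ml contest`, so the `conftest` output named by `-o conftest` is never removed, before or after the test; they should read `rm -f conftest.ml conftest conftest.cmi conftest.cmo`. The probe also links with `$OCAMLC`, while the commit message describes `ocamlopt -runtime-variant _pic`. A successful bytecode link may not prove that the native PIC runtime is installed, so it is worth confirming whether the probe should use the native compiler when it is available (the file already has a `HAVE_OCAMLOPT` conditional). For consistency with the ocamldep check just below, the redirect could be `>&AS_MESSAGE_LOG_FD 2>&1` rather than the literal `>&5 2>&5`.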
diff --git a/ocaml-link.sh b/ocaml-link.sh.in
similarity index 87%
rename from ocaml-link.sh
rename to ocaml-link.sh.in
index 855637534..83fbfca37 100755
--- a/ocaml-link.sh
+++ b/ocaml-link.sh.in
@@ -1,4 +1,6 @@
#!/bin/bash -
+# Script used to link OCaml programs.
+# @configure_input@
# (C) Copyright 2015-2018 Red Hat Inc.
#
# This program is free software; you can redistribute it and/or modify
@@ -41,4 +43,8 @@ while true ; do
esac
done
-exec "$@" -linkpkg -cclib "${cclib}"
+# NB The order of the arguments is important.
+exec "$@" \
+ @OCAML_RUNTIME_VARIANT_PIC_OPTION@ \
+ -linkpkg \
+ -cclib "${cclib}"
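Review bot: The new comment `# NB The order of the arguments is important.` does not say which ordering is required or why, so a later edit to the `exec` line has nothing to check against; please state the constraint. It would also help to add `# @OCAML_RUNTIME_VARIANT_PIC_OPTION@ expands to nothing when configure found no working PIC runtime.`, because in that case the link falls back to the default runtime with no message at link time. Since the option is meant as hardening, the configure result line is the only record of whether it was applied. The script body and the `while` loop start outside this hunk.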
--
2.19.0.rc0