From 14a569e4128d56ed867db531fa06d6bffae0a249 Mon Sep 17 00:00:00 2001 From: Arrigo Marchiori Date: Sun, 7 Jun 2026 10:48:06 +0200 Subject: [PATCH 1/3] Run execstack -s on soffice executables Also check for execstack in the configure script. --- main/configure.ac | 11 +++++++++++ main/desktop/util/makefile.mk | 12 ++++++++++-- 2 files changed, 21 insertions(+), 2 deletions(-) diff --git a/main/configure.ac b/main/configure.ac index 9672de2d53a..879abfb95e7 100644 --- a/main/configure.ac +++ b/main/configure.ac @@ -7320,6 +7320,17 @@ else fi AC_SUBST(nodep) +dnl =================================================================== +dnl Check for execstack(8) on Linux +dnl =================================================================== +if test "$_os" = "Linux"; then + AC_PATH_PROG(EXECSTACK, execstack ) + if test -z "$EXECSTACK"; then + AC_MSG_ERROR([execstack is required on Linux]) + fi +fi + + dnl =================================================================== dnl Setting up the environment. dnl =================================================================== diff --git a/main/desktop/util/makefile.mk b/main/desktop/util/makefile.mk index 9ef672e2b1d..a0a8c7e81a7 100644 --- a/main/desktop/util/makefile.mk +++ b/main/desktop/util/makefile.mk @@ -179,7 +179,7 @@ $(APP1TARGETN) : $(MISC)$/binso_created.flg .IF "$(APP5TARGETN)"!="" $(APP5TARGETN) : $(MISC)$/binso_created.flg -.ENDIF # "$(APP6TARGETN)"!="" +.ENDIF # "$(APP5TARGETN)"!="" .IF "$(APP6TARGETN)"!="" $(APP6TARGETN) : $(MISC)$/binso_created.flg @@ -201,6 +201,14 @@ ALLTAR: $(BIN)$/$(TARGET).bin $(BIN)$/soffice_oo$(EXECPOST) : $(APP5TARGETN) $(COPY) $< $@ +.IF "$(OS)" == "LINUX" +# $(APP5TARGETN) must be fixed with execstack +$(BIN)$/soffice_oo$(EXECPOST) : $(MISC)$/selinux_fixed.flg + +$(MISC)$/selinux_fixed.flg : $(APP5TARGETN) + execstack -s $< && $(TOUCH) $@ +.ENDIF # Linux + .IF "$(GUI)" != "OS2" .IF "$(LINK_SO)"=="TRUE" $(BIN)$/so$/soffice_so$(EXECPOST) : $(APP1TARGETN) @@ -270,4 +278,4 @@ $(BIN)$/$(TARGET).bin: $(BIN)$/$(TARGET)$(EXECPOST) $(MISC)$/binso_created.flg : @@-$(MKDIRHIER) $(BIN)$/so && $(TOUCH) $@ -.ENDIF +.ENDIF # "$(L10N_framework)"=="" From 42684520df98c04a7be6fb80566a8c12376eac5f Mon Sep 17 00:00:00 2001 From: Arrigo Marchiori Date: Fri, 12 Jun 2026 21:34:33 +0200 Subject: [PATCH 2/3] Revert "Run execstack -s on soffice executables" We need to disable, not enable executable stack! This reverts commit 14a569e4128d56ed867db531fa06d6bffae0a249. --- main/configure.ac | 11 ----------- main/desktop/util/makefile.mk | 12 ++---------- 2 files changed, 2 insertions(+), 21 deletions(-) diff --git a/main/configure.ac b/main/configure.ac index 879abfb95e7..9672de2d53a 100644 --- a/main/configure.ac +++ b/main/configure.ac @@ -7320,17 +7320,6 @@ else fi AC_SUBST(nodep) -dnl =================================================================== -dnl Check for execstack(8) on Linux -dnl =================================================================== -if test "$_os" = "Linux"; then - AC_PATH_PROG(EXECSTACK, execstack ) - if test -z "$EXECSTACK"; then - AC_MSG_ERROR([execstack is required on Linux]) - fi -fi - - dnl =================================================================== dnl Setting up the environment. dnl =================================================================== diff --git a/main/desktop/util/makefile.mk b/main/desktop/util/makefile.mk index a0a8c7e81a7..9ef672e2b1d 100644 --- a/main/desktop/util/makefile.mk +++ b/main/desktop/util/makefile.mk @@ -179,7 +179,7 @@ $(APP1TARGETN) : $(MISC)$/binso_created.flg .IF "$(APP5TARGETN)"!="" $(APP5TARGETN) : $(MISC)$/binso_created.flg -.ENDIF # "$(APP5TARGETN)"!="" +.ENDIF # "$(APP6TARGETN)"!="" .IF "$(APP6TARGETN)"!="" $(APP6TARGETN) : $(MISC)$/binso_created.flg @@ -201,14 +201,6 @@ ALLTAR: $(BIN)$/$(TARGET).bin $(BIN)$/soffice_oo$(EXECPOST) : $(APP5TARGETN) $(COPY) $< $@ -.IF "$(OS)" == "LINUX" -# $(APP5TARGETN) must be fixed with execstack -$(BIN)$/soffice_oo$(EXECPOST) : $(MISC)$/selinux_fixed.flg - -$(MISC)$/selinux_fixed.flg : $(APP5TARGETN) - execstack -s $< && $(TOUCH) $@ -.ENDIF # Linux - .IF "$(GUI)" != "OS2" .IF "$(LINK_SO)"=="TRUE" $(BIN)$/so$/soffice_so$(EXECPOST) : $(APP1TARGETN) @@ -278,4 +270,4 @@ $(BIN)$/$(TARGET).bin: $(BIN)$/$(TARGET)$(EXECPOST) $(MISC)$/binso_created.flg : @@-$(MKDIRHIER) $(BIN)$/so && $(TOUCH) $@ -.ENDIF # "$(L10N_framework)"=="" +.ENDIF From 98ee1a87e5ae0e6eb69df93ff81036e6b5063407 Mon Sep 17 00:00:00 2001 From: Arrigo Marchiori Date: Fri, 12 Jun 2026 21:37:53 +0200 Subject: [PATCH 3/3] Ensure that raptor is built with noexecstack on Linux --- main/redland/raptor/makefile.mk | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/main/redland/raptor/makefile.mk b/main/redland/raptor/makefile.mk index 52916952021..1ddccf8c75f 100644 --- a/main/redland/raptor/makefile.mk +++ b/main/redland/raptor/makefile.mk @@ -101,6 +101,10 @@ LDFLAGS:=-Wl,-rpath,'$$$$ORIGIN:$$$$ORIGIN/../ure-link/lib' -Wl,-noinhibit-exec LDFLAGS:=-Wl,-R'$$$$ORIGIN:$$$$ORIGIN/../ure-link/lib' .ENDIF # "$(OS)$(COM)"=="SOLARISC52" +.IF "$(OS)"=="LINUX" +LDFLAGS+:=-Wl,-z,noexecstack +.ENDIF # "$(OS)"=="LINUX" + .IF "$(COM)"=="C52" && "$(CPU)"=="U" CFLAGS=-m64 .EXPORT: CFLAGS