The package rpms/qemu.git has added or updated architecture specific content in its
spec file (ExclusiveArch/ExcludeArch or %ifarch/%ifnarch) in commit(s):
https://src.fedoraproject.org/cgit/rpms/qemu.git/commit/?id=55054b88c9424....
Change:
-%ifnarch aarch64
Thanks.
Full change:
============
commit 55054b88c942419c84d71e53ce00ffb8050fe9a6
Author: Daniel P. Berrangé <berrange(a)redhat.com>
Date: Mon Mar 19 18:30:49 2018 +0000
Re-enable normal Fedora hardening macros
We previously disabled the hardened build macros because they broke
static linking. This is now resolved, so we can use them as is, which in
turn ensures ksmctl gets linked correctly.
While doing this it is not necessary to pass -pie in ldflags, as we are
already giving the --enable-pie configure option. This lets us move
setting of linker/compiler flags into the common run_configure
function, rather than duplicating them for static & dynamic builds
Finally, even though QEMU sets _FORTIFY_SOURCE itself, there's no reason
to strip it from the RPM provided build flags - it is harmless for it to
appear twice on compiler args. This ensures ksmctl.c gets fortified.
Signed-off-by: Daniel P. Berrangé <berrange(a)redhat.com>
diff --git a/qemu.spec b/qemu.spec
index 2e1e0d9..651dcaf 100644
--- a/qemu.spec
+++ b/qemu.spec
@@ -89,10 +89,6 @@ Requires: %{name}-block-nfs = %{epoch}:%{version}-%{release} \
Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
%endif
-# Temp hack for
https://bugzilla.redhat.com/show_bug.cgi?id=1343892
-# We'll manually turn on hardened build later in this spec
-%undefine _hardened_build
-
# Release candidate version tracking
# global rcver rc3
%if 0%{?rcver:1}
@@ -104,7 +100,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a FAST! processor emulator
Name: qemu
Version: 2.11.1
-Release: 1%{?rcrel}%{?dist}
+Release: 2%{?rcrel}%{?dist}
Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY
URL:
http://www.qemu.org/
@@ -941,9 +937,6 @@ This package provides the system emulator for NIOS2.
%build
-# QEMU already knows how to set _FORTIFY_SOURCE
-%global optflags %(echo %{optflags} | sed 's/-Wp,-D_FORTIFY_SOURCE=2//')
-
# drop -g flag to prevent memory exhaustion by linker
%ifarch s390
%global optflags %(echo %{optflags} | sed 's/-g//')
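Review bot: With the sed that stripped -Wp,-D_FORTIFY_SOURCE=2 removed from the top of %build, the spec no longer records why the flag is left in place. A one-line comment saying the duplicate definition is intentional, so that ksmctl.c is fortified as the commit message states, would keep a later cleanup from restoring the strip. The remaining s390 line, sed 's/-g//', is unanchored and removes the first "-g" it finds anywhere in %{optflags}, so it is worth checking that it still hits only the debug flag with the flag set this change produces.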
@@ -1064,6 +1057,12 @@ run_configure() {
--enable-tcg-interpreter \
%endif
--enable-trace-backend=$tracebackends \
+%ifnarch aarch64
+ --extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \
+%else
+ --extra-ldflags="$extraldflags" \
+%endif
+ --extra-cflags="%{optflags}" \
"$@" || cat config.log
}
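Review bot: The %ifnarch aarch64 block added to run_configure drops -Wl,-z,relro -Wl,-z,now on aarch64 with no comment saying why, and since it now sits in the shared function the exception applies to every caller from one place. Add a comment naming the reason (or the bug) for the aarch64 exception so it can be removed when that reason goes away. The new options are also placed before "$@", so confirm that no caller passes its own --extra-ldflags or --extra-cflags expecting them to combine with these.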
@@ -1071,12 +1070,6 @@ mkdir build-dynamic
pushd build-dynamic
run_configure \
-%ifnarch aarch64
- --extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
-pie -Wl,-z,relro -Wl,-z,now" \
-%else
- --extra-ldflags="$extraldflags
-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" \
-%endif
- --extra-cflags="%{optflags} -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1"
\
--target-list="$dynamic_targets" \
--enable-pie \
--enable-modules \
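Review bot: The --extra-ldflags and --extra-cflags removed from the build-dynamic call named -specs=/usr/lib/rpm/redhat/redhat-hardened-ld and redhat-hardened-cc1 explicitly, while the replacement in run_configure passes only $extraldflags and %{optflags}. The hardened specs reach this build only if those two values already carry them once %undefine _hardened_build is gone. The definition of $extraldflags is outside this diff, so please confirm it is derived from the RPM-provided linker flags, and check that the resulting dynamic binaries are still PIE with full RELRO.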
@@ -1101,12 +1094,6 @@ mkdir build-static
pushd build-static
run_configure \
-%ifnarch aarch64
- --extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \
-%else
- --extra-ldflags="$extraldflags" \
-%endif
- --extra-cflags="%{optflags}" \
--target-list="$static_targets" \
--static \
--disable-pie \
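Review bot: The build-static call keeps --static and --disable-pie, but with %undefine _hardened_build removed it now receives whatever the hardened build macros put into %{optflags}. The commit message says the static linking breakage is resolved; a spec comment or changelog line stating which change resolved it (the removed comment pointed at bug 1343892) would make that verifiable, and the static targets should be confirmed to link on every architecture the package builds for.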
@@ -1983,6 +1970,11 @@ getent passwd qemu >/dev/null || \
%changelog
+* Mon Mar 19 2018 Daniel P. Berrangé <berrange(a)redhat.com> - 2:2.11.1-2
+- Re-enable normal hardened build macros to fix ksmctl.c hardening
+- Don't strip _FORTIFY_SOURCE from compiler flags
+- Don't pass -pie as an extra ldflags when we use --enable-pie
+
* Wed Feb 28 2018 Cole Robinson <crobinso(a)redhat.com> - 2:2.11.1-1
- Rebase to qemu 2.11.1 bugfix release
commit 6b1a7d80a53959e401926169fc3a1d06ed8d769d
Author: Cole Robinson <crobinso(a)redhat.com>
Date: Tue Mar 13 09:32:49 2018 -0400
git rm kvm.modules
Was dropped from the spec in 2015
Reported-by: Danilo C. L. de Paula <ddepaula(a)redhat.com>
diff --git a/kvm.modules b/kvm.modules
deleted file mode 100755
index b9d9646..0000000
--- a/kvm.modules
+++ /dev/null
@@ -1,18 +0,0 @@
-#!/bin/sh
-
-case $(uname -m) in
- ppc64)
- grep OPAL /proc/cpuinfo >/dev/null 2>&1 && opal=1
-
- modprobe -b kvm >/dev/null 2>&1
- modprobe -b kvm-pr >/dev/null 2>&1 && kvm=1
- if [ "$opal" ]; then
- modprobe -b kvm-hv >/dev/null 2>&1
- fi
- ;;
- s390x)
- modprobe -b kvm >/dev/null 2>&1 && kvm=1
- ;;
-esac
-
-exit 0