From: Don Zickus dzickus@redhat.com
Revert "redhat: fix elf got hardening for vm tools"
This reverts commit eb5aebd77015bc57616c5d05a7b6206c8ff871cb.
A recent rework of the tools/vm area relies on a proper CFLAGS definition to include the proper header files. The kernel.spec file purposely overwrites the CFLAGS to get the right switches to pass rpminspect. As a consequence tools/vm fails to compile.
For now just revert the change and await a proper fix.
To duplicate:
cd tools/vm make CFLAGS= slabinfo page_owner_sort
make -C ../lib/api make[1]: Entering directory '/home/dzickus/devel/git/kernel-ark/tools/lib/api' /usr/bin/make -C /home/dzickus/devel/git/kernel-ark/tools/build CFLAGS= LDFLAGS= fixdep CC fd/array.o LD fd/libapi-in.o CC fs/fs.o fs/fs.c:17:10: fatal error: debug-internal.h: No such file or directory 17 | #include "debug-internal.h" | ^~~~~~~~~~~~~~~~~~ compilation terminated. make[3]: *** [/home/dzickus/devel/git/kernel-ark/tools/build/Makefile.build:97: fs/fs.o] Error 1 make[2]: *** [/home/dzickus/devel/git/kernel-ark/tools/build/Makefile.build:139: fs] Error 2 make[1]: *** [Makefile:79: libapi-in.o] Error 2 make[1]: Leaving directory '/home/dzickus/devel/git/kernel-ark/tools/lib/api' make: *** [Makefile:19: ../lib/api/libapi.a] Error 2
Signed-off-by: Don Zickus dzickus@redhat.com
diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template @@ -2340,7 +2340,7 @@ pushd tools/gpio/ popd # build VM tools pushd tools/vm/ -%{tools_make} CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" slabinfo page_owner_sort +%{tools_make} slabinfo page_owner_sort popd pushd tools/tracing/rtla %{tools_make}
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1219422...
@hertonrk-rh - the revert is Frantisek's change. Not sure if you are familiar with it? I was wondering if we could replace 'CFLAGS=' with 'EXTRA_CFLAGS=' and have it still help with rpminspect? I don't know how to run the tool otherwise I would try it.
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1219424...
/block
From: Herton R. Krzesinski on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1219436...
I'm not familiar with the original problem, but familiar with rpminspect in general. The problem is that the build of the tool does not respect the CFLAGS/LDFLAGS given by rpm with hardening options etc., so later rpminspect fails since the binaries were not built with proper cflags/ldflags.
In this case looking quickly here, there are two problems: the makefile (tools/vm/Makefile) does not accept user specified CFLAGS, and for the tools/lib/api that the slabinfo/page_owner_sort uses, that uses tools/lib/api/Makefile which has EXTRA_CFLAGS usage...
So I think you need two options here to really fix this, something like this patch:
``` $ git diff diff --git a/tools/vm/Makefile b/tools/vm/Makefile index 9860622cbb15..6c1da51f4177 100644 --- a/tools/vm/Makefile +++ b/tools/vm/Makefile @@ -8,8 +8,8 @@ TARGETS=page-types slabinfo page_owner_sort LIB_DIR = ../lib/api LIBS = $(LIB_DIR)/libapi.a
-CFLAGS = -Wall -Wextra -I../lib/ -LDFLAGS = $(LIBS) +CFLAGS += -Wall -Wextra -I../lib/ +LDFLAGS += $(LIBS)
all: $(TARGETS)
```
Then you can build the tools with: EXTRA_CFLAGS="${RPM_OPT_FLAGS}" %{tools_make} slabinfo page_owner_sort
You can verify that the proper flags are being used passing V=1, for example: EXTRA_CFLAGS="${RPM_OPT_FLAGS}" %{tools_make} V=1 slabinfo page_owner_sort
From: Herton R. Krzesinski on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1219437...
And yes, building kernel tools with proper cflags/ldflags have been a nightmare, since each Makefile implements its own way of using flags, it's not standard, not everyone uses EXTRA_CFLAGS etc.
From: Herton R. Krzesinski on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1249510...
We agreed in the last ark meeting we need this patch and the CFLAGS underlying issue will be fixed once upstream patch https://www.spinics.net/lists/kernel/msg4653901.html lands.
From: Herton R. Krzesinski on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252361...
@dzickusrh gitlab considers your block rule as invalid here since you're blocking your own MR, anyway, I think you still need to unblock this, can you "/unblock" this MR?
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252596...
/unblock
hehe.
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252599...
@ptalbert @jwilsonrh - um help me unblock this thread?
From: Patrick Talbert on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252688...
This notice was added just for you!
(I manually removed the blocking approval rule)
From: Jarod Wilson on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252697...
Yeah, this MR was the catalyst for adding that message. This should generally only trigger for a fresh block attempt by an MR author, and the weird rule will never be created, things just got wonky with this being deployed after the bad rule was already allowed to be created.
From: Don Zickus on gitlab.com https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2236#note_1252887...
/me wears the cone of shame.
Thanks @ptalbert @jwilsonrh !
kernel@lists.fedoraproject.org