This makes the package pass the build flags check by enabling hardening flags. Fix previous compile issue with hardening flags and update eppic.
This makes the package pass annocheck in Fedora:
annocheck kexec-tools-2.0.18-3.fc30.x86_64.rpm
Hardened: eppic_makedumpfile.so: PASS.
Hardened: makedumpfile: PASS.
Hardened: kexec: PASS.
Hardened: vmcore-dmesg: PASS.
Kairui Song (2):
  Enable building with hardening flags
  Update eppic to latest upstream snapshot
 ...es-honor-the-CFLAGS-from-environment.patch | 41 +++++++++++++++++++
 ...0.18-purgatory-Use-standalond-CFLAGS.patch | 34 +++++++++++++++
 kexec-tools.spec | 16 +++++---
 sources | 2 +-
 4 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
 create mode 100644 kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
Backport the patches required to make the hardening build flags work with kexec-tools and makedumpfile, and enable hardening flags in spec file. This will make the package pass all warnings for kexec and makedumpfile reported by annocheck.
Didn't find any issue with basic tests with kexec and makedumpfile.
Signed-off-by: Kairui Song kasong@redhat.com
---
 ...es-honor-the-CFLAGS-from-environment.patch | 41 +++++++++++++++++++
 ...0.18-purgatory-Use-standalond-CFLAGS.patch | 34 +++++++++++++++
 kexec-tools.spec | 7 +++-
 3 files changed, 80 insertions(+), 2 deletions(-)
 create mode 100644 kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
 create mode 100644 kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
diff --git a/kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch b/kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch new file mode 100644 index 0000000..e4052fa --- /dev/null +++ b/kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch @@ -0,0 +1,41 @@ +From 2f007b48c581a81d7e95678b6bcb77cfbe177135 Mon Sep 17 00:00:00 2001 +From: Kairui Song kasong@redhat.com +Date: Tue, 29 Jan 2019 11:14:15 +0800 +Subject: [PATCH] [PATCH v2] honor the CFLAGS from environment variables + +This makes it possible to pass in extra cflags, for example, hardening +flags could be passed in with environment variable when building a +hardened package. + +Also introduce a CFLAGS_BASE to hold common CFLAGS, which simplify the +CFLAGS definition. + +Suggested-by: Kazuhito Hagio k-hagio@ab.jp.nec.com +Signed-off-by: Kairui Song kasong@redhat.com +--- + Makefile | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +diff --git a/Makefile b/Makefile +index ea3c47d..bd681d2 100644 +--- a/makedumpfile-1.6.5/Makefile ++++ b/makedumpfile-1.6.5/Makefile +@@ -8,11 +8,10 @@ ifeq ($(strip $CC),) + CC = gcc + endif + +-CFLAGS = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \ +- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \ +- -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"' +-CFLAGS_ARCH = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \ +- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE ++CFLAGS_BASE := $(CFLAGS) -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \ ++ -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE ++CFLAGS := $(CFLAGS_BASE) -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"' ++CFLAGS_ARCH := $(CFLAGS_BASE) + # LDFLAGS = -L/usr/local/lib -I/usr/local/include + + HOST_ARCH := $(shell uname -m) +-- +2.20.1 + diff --git a/kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch b/kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch new file mode 100644 index 0000000..9639877 --- /dev/null +++ b/kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch 
@@ -0,0 +1,34 @@ +From c493af72ac796e8ab3f3f4299205bd402dcee861 Mon Sep 17 00:00:00 2001 +From: Kairui Song kasong@redhat.com +Date: Mon, 28 Jan 2019 18:50:40 +0800 +Subject: [PATCH] purgatory: Use standalond CFLAGS + +There has been a lot of workarounds for purgatory disabling many +specified CFLAGS that will break purgatory. It will be better to not +let the CFLAGS used to compile purgatory honor the CFLAGS from +environment variables. So we will have stable CFLAGS for purgatory. + +If anyone still wants to change purgatory CFLAGS, PURGATORY_EXTRA_CFLAGS +is still honored. + +Signed-off-by: Simon Horman horms@verge.net.au +--- + purgatory/Makefile | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/purgatory/Makefile b/purgatory/Makefile +index 49ce80a..2dd6c47 100644 +--- a/purgatory/Makefile ++++ b/purgatory/Makefile +@@ -45,7 +45,7 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c + $(COMPILE.c) -o $@ $^ + + $(PURGATORY): CC=$(TARGET_CC) +-$(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \ ++$(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \ + $($(ARCH)_PURGATORY_EXTRA_CFLAGS) \ + -Os -fno-builtin -ffreestanding \ + -fno-zero-initialized-in-bss \ +-- +2.20.1 + diff --git a/kexec-tools.spec b/kexec-tools.spec index d5dcced..bb4f43b 100644 --- a/kexec-tools.spec +++ b/kexec-tools.spec @@ -61,8 +61,6 @@ BuildRequires: automake autoconf libtool Obsoletes: diskdumputils netdump kexec-tools-eppic %endif
-%undefine _hardened_build - #START INSERT
# @@ -87,6 +85,8 @@ Obsoletes: diskdumputils netdump kexec-tools-eppic # # Patches 601 onward are generic patches # +Patch601: kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch +Patch602: kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
%description kexec-tools provides /sbin/kexec binary that facilitates a new @@ -102,6 +102,9 @@ mkdir -p -m755 kcp tar -z -x -v -f %{SOURCE9} tar -z -x -v -f %{SOURCE19}
+%patch601 -p1 +%patch602 -p1 + %ifarch ppc %define archdef ARCH=ppc %endif
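Review bot: In the makedumpfile Makefile hunk, `CFLAGS := $(CFLAGS_BASE) -DVERSION=...` only works when CFLAGS arrives through the environment. If a caller runs `make CFLAGS=...`, make ignores this in-file assignment, so CFLAGS stays at the caller's value and loses -D_FILE_OFFSET_BITS=64, -DVERSION and -DRELEASE_DATE. Either say in the commit message that only the environment form is supported, or use `override CFLAGS := ...`. Also, `$(CFLAGS)` is expanded before the hard-coded `-g -O2` in CFLAGS_BASE, so an optimisation level supplied by the caller is overridden by -O2 (the last -O option wins); placing `$(CFLAGS)` after the built-in flags would let the caller's choice stand.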
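Review bot: In the purgatory/Makefile hunk, changing `CFLAGS+=` to `CFLAGS=` for the $(PURGATORY) target discards everything that was previously in CFLAGS for that target, not only values inherited from the environment. The commit message talks only about environment flags, so it should state that purgatory did not depend on anything carried solely by the global CFLAGS, or such flags should be listed explicitly here. Separately, the embedded patch header names Kairui Song in From: but carries only Simon Horman's Signed-off-by; please confirm this matches the upstream commit or add the author's sign-off.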
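Review bot: The Patch601 and Patch602 lines in kexec-tools.spec are added with no comment on their origin. The embedded patch headers carry commit ids (From c493af72 and From 2f007b48), so a one-line comment above each Patch line naming the upstream project and commit would tell the next maintainer these are backports that can be dropped on rebase. Note also that Patch602 is applied with `%patch602 -p1` against the path makedumpfile-1.6.5/Makefile, so the patch has to be regenerated if the bundled makedumpfile version changes before the fix is picked up from upstream.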
eppic project has moved to github, update to latest upstream snapshot, change source link and tar file naming style to fit github's URL format.
This fixes the O0 warning reported by annocheck and passes all distro package flag checking.
Signed-off-by: Kairui Song kasong@redhat.com
---
 kexec-tools.spec | 9 ++++++---
 sources | 2 +-
 2 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/kexec-tools.spec b/kexec-tools.spec index bb4f43b..df0fcb0 100644 --- a/kexec-tools.spec +++ b/kexec-tools.spec @@ -1,3 +1,6 @@ +%global eppic_ver 0209874f4b46b8af5a2d42662ba6775cf5a1dc44 +%global eppic_shortver %(c=%{eppic_ver}; echo ${c:0:7}) + Name: kexec-tools Version: 2.0.18 Release: 3%{?dist} @@ -19,7 +22,7 @@ Source14: 98-kexec.rules Source15: kdump.conf.5 Source16: kdump.service Source18: kdump.sysconfig.s390x -Source19: eppic_050615.tar.gz +Source19: https://github.com/lucchouina/eppic/archive/%%7Beppic_ver%7D/eppic-%%7Beppic... Source20: kdump-lib.sh Source21: kdump-in-cluster-environment.txt Source22: kdump-dep-generator.sh @@ -130,9 +133,9 @@ cp %{SOURCE27} .
make %ifarch %{ix86} x86_64 ppc64 s390x ppc64le aarch64 -make -C eppic/libeppic +make -C eppic-%{eppic_ver}/libeppic make -C makedumpfile-1.6.5 LINKTYPE=dynamic USELZO=on USESNAPPY=on -make -C makedumpfile-1.6.5 LDFLAGS="-I../eppic/libeppic -L../eppic/libeppic" eppic_makedumpfile.so +make -C makedumpfile-1.6.5 LDFLAGS="-I../eppic-%{eppic_ver}/libeppic -L../eppic-%{eppic_ver}/libeppic" eppic_makedumpfile.so %endif
%install diff --git a/sources b/sources index b1aa049..9ab7761 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ -SHA512 (eppic_050615.tar.gz) = de23c3cd59ded23f2f0092c194b2169e78fcd385a8df7daf34b36f3bb2d5ddac2cdd3657bbe640beec447725988e928962baf62cf9deff8849da734390280a4f SHA512 (kexec-tools-2.0.18.tar.xz) = a4142e703a752eb270da29f02ea4fb213f3f4f965e73bb483c388a378821094317a4c63406ab0afe118f79eb168ff63b9d2d9530551c984592165430e269d697 SHA512 (makedumpfile-1.6.5.tar.gz) = bfbf9b373d435857530121f29fb3915cb263cfbaa2b877684a8cde2e8cd8b73fc2f02ffdf9b9108613d42aab7e5653877b092846545ceab865e9909e86145970 +SHA512 (eppic-0209874.tar.gz) = 4b42b3c5565f961d661ae6828876cdb0b6e296f9bdadc35ba596c4f63167016a7e20142e3048c37af1f963ba591c688c87faae52c19bd6a24e45d81b56b4a7e1
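Review bot: In the %build hunk, the eppic_makedumpfile.so step still passes `LDFLAGS="-I../eppic-%{eppic_ver}/libeppic -L../eppic-%{eppic_ver}/libeppic"` on the make command line, and a command-line variable takes precedence over any LDFLAGS exported by the build environment for that invocation. Since the first patch in this series removes `%undefine _hardened_build`, it is worth confirming, and noting in a spec comment, how the distribution's link flags reach this target, or carrying the existing environment value into this assignment. The -I option is a compile-time include path and would sit more naturally in CFLAGS than in LDFLAGS.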
On 02/13/19 at 01:21am, Kairui Song wrote:
This makes the package pass the build flags check by enabling hardening flags. Fix previous compile issue with hardening flags and update eppic.
This makes the package pass annocheck in Fedora:
annocheck kexec-tools-2.0.18-3.fc30.x86_64.rpm
Hardened: eppic_makedumpfile.so: PASS.
Hardened: makedumpfile: PASS.
Hardened: kexec: PASS.
Hardened: vmcore-dmesg: PASS.
Kairui Song (2):
  Enable building with hardening flags
  Update eppic to latest upstream snapshot
 ...es-honor-the-CFLAGS-from-environment.patch | 41 +++++++++++++++++++
 ...0.18-purgatory-Use-standalond-CFLAGS.patch | 34 +++++++++++++++
 kexec-tools.spec | 16 +++++---
 sources | 2 +-
 4 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
 create mode 100644 kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
-- 2.20.1
nice work, assumed all tested:
Acked-by: Dave Young dyoung@redhat.com
Thanks Dave