Harden_all_packages_with_position-independent_code + guile modules
nmav at redhat.com
Mon Mar 16 08:47:50 UTC 2015
On Thu, 2015-03-12 at 10:41 -0400, Adam Jackson wrote:
> On Thu, 2015-03-12 at 13:45 +0000, Petr Pisar wrote:
> > On 2015-03-12, Nikos Mavrogiannopoulos <nmav at redhat.com> wrote:
> > > In rawhide building the gnutls guile bindings fails, and that's related
> > > to the new hardening flags being enabled with . The failure is quite
> > > peculiar since the loading of a dynamic module fails  which already
> > > is position independent.
> > [...]
> > >
> > > . https://bugzilla.redhat.com/show_bug.cgi?id=1196556
> > >
> > The test-suite.log reads "file not found" which is far from "loading DSO
> > failed".
> > However I can add my recent story: After hardening perl, loading a DSO
> > by perl failed. I believe the reason was the DSO had an undefined symbol
> > which was not defined in any SO_NEEDed libraries. But because the symbol
> > was never used at run-time, before hardening the executable, run-time
> > linking passed. But after hardening, the -znow feature caused resolving
> > all symbols at link time, including the missing symbol, so dlopen(3)
> > failed.
> We may want to revisit this, honestly. The actual proposal was just to
> build executables as PIE, right? Forcing -z now is a bit more than
> maybe was expected.
What was the rationale of adding -z now to the hardening flags? Looking
at its description doesn't reveal any "hardening" features, and the gnutls
guile module failure to build seems to be directly related to that flag: