Harden_all_packages_with_position-independent_code + guile modules

Moez Roy moez.roy at gmail.com
Wed Mar 18 18:37:34 UTC 2015


On Wed, Mar 18, 2015 at 7:21 AM, Moez Roy <moez.roy at gmail.com> wrote:
> On Wed, Mar 18, 2015 at 6:54 AM, Nikos Mavrogiannopoulos
> <nmav at redhat.com> wrote:
>> On Mon, 2015-03-16 at 10:57 +0100, Nikos Mavrogiannopoulos wrote:
>>
>>> > Am 16.03.2015 um 09:47 schrieb Nikos Mavrogiannopoulos:
>>> > > What was the rationale of adding -z now to the hardening flags? Looking
>>> > > its description doesn't reveal any "hardening" features, and the gnutls
>>> > > guile module failure to build seems to be directly related to that flag:
>>> > > https://bugzilla.redhat.com/show_bug.cgi?id=1196556
>>> >
>>> > FULL RELRO
>>> > http://tk-blog.blogspot.co.at/2009/02/relro-not-so-well-known-memory.html
>>> If that's all we got I suggest to remove this flag or (better) provide a
>>> way for applications that use modules to compile themselves, without
>>> removing the whole set of hardening flags.
>>
>> Any advice from the change owners? How should applications that use
>> modules with undefined symbols handle that? Should they add %
>> undefine _hardened_build by default?
>>
>
> I was doing some research last night but not tested it yet:
>
> "nonow"
>
> 1) add -nonow to the CFLAGS
> 2) or add -z nonow to the LDFLAGS
>
> doing the koji builds now to test and see if it works.
>
> Also need to test if there is a -lazy option.
>



Why are you using -Wl,--no-add-needed in the LD flags?

I am able to get much further ahead in the build process when I remove this.


I was not successful with -Wl,-z -Wl,nonow

Kept getting "/usr/bin/ld: warning: -z nonow ignored."

Maybe there is no option as -z nonow. Or maybe -z now takes precedence
based on the RPM flags.



Adding '%global _hardened_build 1' to the spec file and setting the
target to F21 caused it to fail:
https://koji.fedoraproject.org/koji/taskinfo?taskID=9264983

If I used the F20 source and set target for F23 it succeeded with the
default hardening flags:
https://koji.fedoraproject.org/koji/taskinfo?taskID=9265633

From the changelog I see F20 does not have guile bindings.

* Mon Jan 05 2015 Nikos Mavrogiannopoulos <nmav at redhat.com> 3.3.11-2
- enabled guile bindings (#1177847)


So maybe you should consider reverting the above change, and
sticking with the default hardening flags?



Regards,

Moez

