[Fedora-packaging] RFC mass bug reporting: checksec failures

Tom Hughes tom at compton.nu
Wed Sep 16 17:51:16 UTC 2015


On 16/09/15 18:19, Jason L Tibbitts III wrote:

> Of course, several packages I comaintain are on the list (mainly due to
> Partial RELRO) and I have zero idea how to fix them.  I read about what
> RELRO means from the blog post but that doesn't tell me what I actually
> need to do to make the errors go away, or even how to see what's causing
> them.

The key thing to get full RELRO rather than partial seems to be linking 
with "-z now" but the way that happens with rpmbuild appears to be 
extremely fragile...

Basically if you use %configure and the package uses libtool then 
ltmain.sh will get edited with sed to add this to the compiler flags:

   -specs=/usr/lib/rpm/redhat/redhat-hardened-ld

In turn that specs file adds "-z now" to the linker flags.

So if you're building a package that doesn't use autoconf, or does but 
doesn't use libtool, then it likely won't happen and you will only get 
partial RELRO.

What I'm not sure about is why it's done like that rather than editing 
LDFLAGS as is done for the -zrelro that gets you partial RELRO.

Tom

-- 
Tom Hughes (tom at compton.nu)
http://compton.nu/