[s390utils/f20] - build daemons hardened (#881250) - zipl: Use "possible_cpus" kernel parameter (#1016180)
Dan Horák
sharkcz at fedoraproject.org
Thu Nov 7 10:45:15 UTC 2013
commit b8434861ebb9289589cc70d7502b1f0e17eb562b
Author: Dan Horák <dan at danny.cz>
Date: Thu Nov 7 11:45:30 2013 +0100
- build daemons hardened (#881250)
- zipl: Use "possible_cpus" kernel parameter (#1016180)
s390-tools-1.23.0-fedora.patch | 48 +++++++++++++++++++++--
s390-tools-1.23.0-hardening.patch | 75 +++++++++++++++++++++++++++++++++++++
s390utils.spec | 10 +++-
3 files changed, 126 insertions(+), 7 deletions(-)
---
diff --git a/s390-tools-1.23.0-fedora.patch b/s390-tools-1.23.0-fedora.patch
index 8a55362..013e9e8 100644
--- a/s390-tools-1.23.0-fedora.patch
+++ b/s390-tools-1.23.0-fedora.patch
@@ -1,7 +1,7 @@
From 9b225fac81186176075f673dfe5cf8e373b2068a Mon Sep 17 00:00:00 2001
From: Dan Horak <dan at danny.cz>
Date: Sun, 20 Jul 2008 09:24:05 +0200
-Subject: [PATCH 1/4] s390-tools-1.5.3-zipl-zfcpdump-2
+Subject: [PATCH 1/5] s390-tools-1.5.3-zipl-zfcpdump-2
---
common.mak | 4 ++--
@@ -29,7 +29,7 @@ index 44adc6e..4373da5 100644
From a3d9221076f9eb7cc8434baac71327f786351c63 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan at danny.cz>
Date: Thu, 23 Apr 2009 11:46:01 +0200
-Subject: [PATCH 2/4] s390-tools-1.8.1-fdasd-su
+Subject: [PATCH 2/5] s390-tools-1.8.1-fdasd-su
---
fdasd/fdasd.c | 10 ++++++----
@@ -63,7 +63,7 @@ index ba22475..f2ac417 100644
From d13c754f68ea838a47b8125006b9b493cfbbb7f4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan at danny.cz>
Date: Wed, 21 Aug 2013 12:13:30 +0200
-Subject: [PATCH 3/4] dbginfo.sh: Avoiding exclusion list for pipes in sysfs
+Subject: [PATCH 3/5] dbginfo.sh: Avoiding exclusion list for pipes in sysfs
Description: dbginfo.sh: Avoiding exclusion list for pipes in sysfs
Symptom: The dbginfo.sh script hangs
@@ -133,7 +133,7 @@ index 6d07132..0ada40b 100755
From 7d540e7f40c731092ac655d1d38af7d69ceee706 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan at danny.cz>
Date: Wed, 21 Aug 2013 12:13:58 +0200
-Subject: [PATCH 4/4] zipl: Fix zipl "--force" option for DASD multi-volume
+Subject: [PATCH 4/5] zipl: Fix zipl "--force" option for DASD multi-volume
dump
Description: zipl: Fix zipl "--force" option for DASD multi-volume dump
@@ -180,3 +180,43 @@ index f1cec78..529d6b3 100644
--
1.8.1.4
+
+From 21caf0d0dc05c5e950f369f72027a203a7d3e772 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan at danny.cz>
+Date: Tue, 5 Nov 2013 12:23:18 +0100
+Subject: [PATCH 5/5] zipl: Use "possible_cpus" kernel parameter
+
+Description: zipl: Use "possible_cpus" kernel parameter
+Symptom: The zfcpdump system might run out-of memory.
+Problem: For each possible CPU the zfcpdump kernel consumes memory for
+ the per-CPU data structures. Since it only runs with one CPU
+ this is not necessary. Because only 32 MiB are available for
+ zfcpdump the per-CPU data should not be allocated.
+Solution: Use the kernel parameter "possible_cpus=1".
+Reproduction: To verify that the fix is included check that the zipl -D output
+ line "kernel parmline" contains "possible_cpus=1".
+---
+ zipl/src/bootmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c
+index cc2ed16..68dffe1 100644
+--- a/zipl/src/bootmap.c
++++ b/zipl/src/bootmap.c
+@@ -603,10 +603,11 @@ create_dump_fs_parmline(const char* parmline, const char* root_dev,
+ if (!result)
+ return NULL;
+ snprintf(result, DUMP_PARAM_MAX_LEN, "%s%sroot=%s dump_part=%d "
+- "dump_mem=%lld maxcpus=%d cgroup_disable=memory",
++ "dump_mem=%lld maxcpus=%d possible_cpus=%d "
++ "cgroup_disable=memory",
+ parmline ? parmline : "",
+ parmline ? " " : "", root_dev, part_num,
+- (unsigned long long) mem, max_cpus);
++ (unsigned long long) mem, max_cpus, max_cpus);
+ result[DUMP_PARAM_MAX_LEN - 1] = 0;
+ return result;
+ }
+--
+1.8.1.4
+
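Review bot: The longer format string in create_dump_fs_parmline is still written with an unchecked snprintf into the DUMP_PARAM_MAX_LEN buffer, so a long caller-supplied parmline is truncated silently, and the parameters appended last (`possible_cpus=%d cgroup_disable=memory`) are the first to be cut off. Because the fix depends on the dump kernel actually seeing `possible_cpus`, I would keep the return value, `rc = snprintf(result, DUMP_PARAM_MAX_LEN, ...);`, and treat `rc < 0 || rc >= DUMP_PARAM_MAX_LEN` as an error instead of returning a clipped line. The function starts outside the hunk, so an earlier length check on parmline may already exist; if it does, a one-line comment above the snprintf stating that bound would be enough.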
diff --git a/s390-tools-1.23.0-hardening.patch b/s390-tools-1.23.0-hardening.patch
new file mode 100644
index 0000000..09feedf
--- /dev/null
+++ b/s390-tools-1.23.0-hardening.patch
@@ -0,0 +1,75 @@
+From a1d489d42248acd0b5f2e3348df5f2ece22dc9e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan at danny.cz>
+Date: Tue, 5 Nov 2013 15:34:11 +0100
+Subject: [PATCH] build daemons hardened
+
+---
+ common.mak | 3 +++
+ cpuplugd/Makefile | 4 ++--
+ mon_tools/Makefile | 2 ++
+ osasnmpd/Makefile.rules | 3 +++
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/common.mak b/common.mak
+index 4373da5..7b992b4 100644
+--- a/common.mak
++++ b/common.mak
+@@ -76,6 +76,9 @@ CXXFLAGS = $(WARNFLAGS) -O3 -DS390_TOOLS_RELEASE=$(S390_TOOLS_RELEASE) \
+ -DS390_TOOLS_SYSCONFDIR=$(SYSCONFDIR) \
+ -g $(OPT_FLAGS)
+
++DAEMON_CFLAGS = -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
++DAEMON_LDFLAGS = -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
++
+ # make G=1
+ # Compile tools so that gcov can be used to collect code coverage data.
+ # See the gcov man page for details.
+diff --git a/cpuplugd/Makefile b/cpuplugd/Makefile
+index 4a72075..28480f5 100644
+--- a/cpuplugd/Makefile
++++ b/cpuplugd/Makefile
+@@ -1,6 +1,6 @@
+ include ../common.mak
+
+-CFLAGS += -I../include
++CFLAGS += $(DAEMON_CFLAGS) -I../include
+
+ all: cpuplugd
+
+@@ -10,7 +10,7 @@ OBJECTS = daemon.o cpu.o info.o terms.o config.o main.o getopt.o mem.o
+ $(OBJECTS): cpuplugd.h
+
+ cpuplugd: $(OBJECTS)
+- $(LINK) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
++ $(LINK) $(DAEMON_LDFLAGS) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
+
+ clean:
+ rm -f cpuplugd $(OBJECTS)
+diff --git a/mon_tools/Makefile b/mon_tools/Makefile
+index c8c58fc..b025f65 100644
+--- a/mon_tools/Makefile
++++ b/mon_tools/Makefile
+@@ -1,6 +1,8 @@
+ include ../common.mak
+
+ CPPFLAGS += -I../include
++CFLAGS += $(DAEMON_CFLAGS)
++LDFLAGS += $(DAEMON_LDFLAGS)
+
+ all: mon_fsstatd mon_procd
+
+diff --git a/osasnmpd/Makefile.rules b/osasnmpd/Makefile.rules
+index 6668ed6..11ee8eb 100644
+--- a/osasnmpd/Makefile.rules
++++ b/osasnmpd/Makefile.rules
+@@ -10,4 +10,7 @@ CPPFLAGS += -DNETSNMP5
+ endif
+ CPPFLAGS += -I../include
+
++CFLAGS += $(DAEMON_CFLAGS)
++LDFLAGS += $(DAEMON_LDFLAGS)
++
+ OBJS = ibmOSAMib.o ibmOSAMibUtil.o osasnmpd.o
+--
+1.8.1.4
+
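Review bot: The `CFLAGS += $(DAEMON_CFLAGS)` and `LDFLAGS += $(DAEMON_LDFLAGS)` lines in mon_tools/Makefile and osasnmpd/Makefile.rules only take effect if those variables are not set on the make command line and if the link rules there expand `$(LDFLAGS)`; neither is visible in these hunks, and a command-line `CFLAGS=` or `LDFLAGS=` would drop the hardening without any build error. cpuplugd is more robust on the link side because `$(DAEMON_LDFLAGS)` is placed directly in the recipe. Since a silent regression here would ship daemons without what the redhat-hardened specs are presumably meant to provide (PIE and immediate binding), I would add a post-build check to the spec, for example a `%check` step that runs `readelf -h` and `readelf -d` on the daemon binaries and fails unless it sees `DYN` and `BIND_NOW`. The absolute `/usr/lib/rpm/redhat/` paths in common.mak also deserve a comment such as `# Fedora/RHEL only: specs files are shipped by redhat-rpm-config`, or `?=` so other builders can override them.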
diff --git a/s390utils.spec b/s390utils.spec
index f4e635f..ad829cf 100644
--- a/s390utils.spec
+++ b/s390utils.spec
@@ -1,13 +1,11 @@
%define cmsfsver 1.1.8c
%define vipaver 2.0.4
-%{!?_initddir: %define _initddir %{_initrddir}}
-
Name: s390utils
Summary: Utilities and daemons for IBM System/z
Group: System Environment/Base
Version: 1.23.0
-Release: 3%{?dist}
+Release: 4%{?dist}
Epoch: 2
License: GPLv2 and GPLv2+ and CPL
ExclusiveArch: s390 s390x
@@ -36,6 +34,7 @@ Source19: mon_statd.initd
Source21: normalize_dasd_arg
Patch1: s390-tools-1.23.0-fedora.patch
+Patch2: s390-tools-1.23.0-hardening.patch
Patch1000: cmsfs-1.1.8-warnings.patch
Patch1001: cmsfs-1.1.8-kernel26.patch
@@ -65,6 +64,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
# Fedora/RHEL changes
%patch1 -p1 -b .fedora
+%patch2 -p1 -b .hardening
#
# cmsfs
@@ -734,6 +734,10 @@ User-space development files for the s390/s390x architecture.
%changelog
+* Wed Nov 06 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-4
+- build daemons hardened (#881250)
+- zipl: Use "possible_cpus" kernel parameter (#1016180)
+
* Wed Aug 21 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-3
- dbginfo.sh: Avoiding exclusion list for pipes in sysfs (#996732)
- zipl: Fix zipl "--force" option for DASD multi-volume dump (#997361)