From: Frantisek Hrbata <fhrbata@xxxxxxxxxx>

redhat: fix elf got hardening for vm tools

Bugzilla: INTERNAL
Upstream Status: RHEL only

Following commit

commit 5d1c6696a0dfd1309c9e239956a1bae45823f9dc
Author: Herton R. Krzesinski <herton@xxxxxxxxxx>
Date: Wed Jun 8 09:01:27 2022 -0300

redhat: change tools_make macro to avoid full override of variables in Makefile

changed behavior of tools_make macro

%global tools_make \
- %{make} CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" %{?make_opts}
+ CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" %{make} %{?make_opts}

Since tools/vm/Makefile assigns CFLAGS and LDFLAGS, it overrides the env variables from tools_make command and we lose some hardening options. For example GOT RO about which rpminspect is complaining.

Result: BAD
1) /usr/bin/page_owner_sort lost full GNU_RELRO security protection on aarch64
Waiver Authorization: Security
Suggested Remedy: Ensure executables are linked with with '-z relro -z now'

Result: BAD
2) /usr/bin/slabinfo lost full GNU_RELRO security protection on aarch64
Waiver Authorization: Security
Suggested Remedy: Ensure executables are linked with with '-z relro -z now'

Fix this by explicitly overwriting CFLAGS and LDFLAGS for tools/vm/Makefile with command arguments. This basically brings back the previous behavior of tools_make for vm tools. This is ugly, because page-types actually needs the LDFLAGS defined in the makefile, because it links against libapi.a. But we are not building this and the problem was there before this change too. Probably the best way would be to fix the tools/vm/Makefile.

Signed-off-by: Frantisek Hrbata <fhrbata@xxxxxxxxxx>

diff --git a/redhat/kernel.spec.template b/redhat/kernel.spec.template index blahblah..blahblah 100755 --- a/redhat/kernel.spec.template +++ b/redhat/kernel.spec.template 
@@ -2327,7 +2327,7 @@ pushd tools/gpio/ popd # build VM tools pushd tools/vm/ -%{tools_make} slabinfo page_owner_sort +%{tools_make} CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" slabinfo page_owner_sort popd pushd tools/tracing/rtla %{tools_make}
-- https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2055
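
Review bot: the changed `%{tools_make}` line under `# build VM tools` has no spec comment saying why this one invocation passes CFLAGS and LDFLAGS as make arguments, and that doing so replaces whatever tools/vm/Makefile assigns. The commit message notes that page-types needs the Makefile's LDFLAGS to link against libapi.a, so anyone who later adds page-types to the target list on this line would break its link without warning; a short comment above the line recording that constraint, plus a pointer to the intended Makefile fix, would prevent that. The context also shows tools/tracing/rtla built with a bare `%{tools_make}`, so it is worth confirming that its Makefile does not assign CFLAGS or LDFLAGS in the same way, otherwise it loses the same hardening flags.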