Re: RFC mass bug reporting: checksec failures

On 16/09/15 18:19, Jason L Tibbitts III wrote:

> Of course, several packages I comaintain are on the list (mainly due to
> Partial RELRO) and I have zero idea how to fix them.  I read about what
> RELRO means from the blog post but that doesn't tell me what I actually
> need to do to make the errors go away, or even how to see what's causing
> them.

The key thing to get full RELRO rather than partial seems to be linking with "-z now" but the way that happens with rpmbuild appears to be extremely fragile...

Basically if you use %configure and the package uses libtool then ltmain.sh will get edited with sed to add this to the compiler flags:

  -specs=/usr/lib/rpm/redhat/redhat-hardened-ld

In turn that specs file adds "-z now" to the linker flags.

So if you're building a package that doesn't use autoconf, or does but doesn't use libtool, then it likely won't happen and you will only get partial RELRO.

What I'm not sure about is why it's done like that rather than editing LDFLAGS as is done for the -zrelro that gets you partial RELRO.

Tom

--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
--
packaging mailing list
packaging@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/packaging
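
The following is an added example, not part of the original message and not checksec's own code. It shows how a built binary can be classified: "-z relro" leaves a PT_GNU_RELRO program header, and "-z now" leaves a BIND_NOW marker in the dynamic section; both together are what gets reported as full RELRO. It assumes ELF64 little-endian input, and `relro_status` and `make_sample` are names made up for this sketch.

```python
import struct, sys

# Constants from the ELF gABI / glibc <elf.h>
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def relro_status(data):
    """Return 'none', 'partial' or 'full' for an ELF64 little-endian image."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not an ELF64 little-endian file")
    phoff, = struct.unpack_from("<Q", data, 0x20)
    phentsize, phnum = struct.unpack_from("<HH", data, 0x36)
    relro = bind_now = False
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:        # produced by -z relro
            relro = True
        elif p_type == PT_DYNAMIC:        # look for what -z now produces
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True
    if not relro:
        return "none"
    return "full" if bind_now else "partial"

def make_sample(relro, dyn_entries):
    """Constructed test image: ELF header, two program headers, dynamic entries."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries + [(DT_NULL, 0)])
    phdrs = [(PT_DYNAMIC, 64 + 2 * 56, len(dyn))]
    phdrs.append((PT_GNU_RELRO if relro else 4, 0, 0))   # 4 = PT_NOTE filler
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, 4, o, 0, 0, s, s, 8)
                    for t, o, s in phdrs)
    return ehdr + body + dyn

if __name__ == "__main__":
    # Usage: python3 relro.py /path/to/binary [...]
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, relro_status(f.read()))
```

A result of "partial" on a package's binaries means the link step never saw "-z now", which is the case described above for builds that bypass %configure or libtool.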