Re-enable normal Fedora hardening macros

We previously disabled the hardened build macros because they broke
static linking. This is now resolved, so we can use them as is, which in
turn ensures ksmctl gets linked correctly.

While doing this it is not neccessary to pass -pie in ldflags, as we are
already giving the --enable-pie configure option. This lets us move
setting  of linker/compiler flags into the common run_configure
function, rather than duplicating them for static & dynamic builds

Finally, even though QEMU sets _FORTIFY_SOURCE itself, there's no reason
to strip it from the RPM provided build flags - it is harmless for it to
appear twice on compiler args. This ensures ksmctl.c gets fortified.

Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
Daniel P. Berrangé 2018-03-19 18:30:49 +00:00
parent 6b1a7d80a5
commit 55054b88c9

View File

@ -89,10 +89,6 @@ Requires: %{name}-block-nfs = %{epoch}:%{version}-%{release} \
Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
%endif %endif
# Temp hack for https://bugzilla.redhat.com/show_bug.cgi?id=1343892
# We'll manually turn on hardened build later in this spec
%undefine _hardened_build
# Release candidate version tracking # Release candidate version tracking
# global rcver rc3 # global rcver rc3
%if 0%{?rcver:1} %if 0%{?rcver:1}
@ -104,7 +100,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release}
Summary: QEMU is a FAST! processor emulator Summary: QEMU is a FAST! processor emulator
Name: qemu Name: qemu
Version: 2.11.1 Version: 2.11.1
Release: 1%{?rcrel}%{?dist} Release: 2%{?rcrel}%{?dist}
Epoch: 2 Epoch: 2
License: GPLv2 and BSD and MIT and CC-BY License: GPLv2 and BSD and MIT and CC-BY
URL: http://www.qemu.org/ URL: http://www.qemu.org/
@ -941,9 +937,6 @@ This package provides the system emulator for NIOS2.
%build %build
# QEMU already knows how to set _FORTIFY_SOURCE
%global optflags %(echo %{optflags} | sed 's/-Wp,-D_FORTIFY_SOURCE=2//')
# drop -g flag to prevent memory exhaustion by linker # drop -g flag to prevent memory exhaustion by linker
%ifarch s390 %ifarch s390
%global optflags %(echo %{optflags} | sed 's/-g//') %global optflags %(echo %{optflags} | sed 's/-g//')
@ -1064,6 +1057,12 @@ run_configure() {
--enable-tcg-interpreter \ --enable-tcg-interpreter \
%endif %endif
--enable-trace-backend=$tracebackends \ --enable-trace-backend=$tracebackends \
%ifnarch aarch64
--extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \
%else
--extra-ldflags="$extraldflags" \
%endif
--extra-cflags="%{optflags}" \
"$@" || cat config.log "$@" || cat config.log
} }
@ -1071,12 +1070,6 @@ mkdir build-dynamic
pushd build-dynamic pushd build-dynamic
run_configure \ run_configure \
%ifnarch aarch64
--extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now" \
%else
--extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld" \
%endif
--extra-cflags="%{optflags} -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" \
--target-list="$dynamic_targets" \ --target-list="$dynamic_targets" \
--enable-pie \ --enable-pie \
--enable-modules \ --enable-modules \
@ -1101,12 +1094,6 @@ mkdir build-static
pushd build-static pushd build-static
run_configure \ run_configure \
%ifnarch aarch64
--extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \
%else
--extra-ldflags="$extraldflags" \
%endif
--extra-cflags="%{optflags}" \
--target-list="$static_targets" \ --target-list="$static_targets" \
--static \ --static \
--disable-pie \ --disable-pie \
@ -1983,6 +1970,11 @@ getent passwd qemu >/dev/null || \
%changelog %changelog
* Mon Mar 19 2018 Daniel P. Berrangé <berrange@redhat.com> - 2:2.11.1-2
- Re-enable normal hardened build macros to fix ksmctl.c hardening
- Don't strip _FORTIFY_SOURCE from compiler flags
- Don't pass -pie as an extra ldflags when we use --enable-pie
* Wed Feb 28 2018 Cole Robinson <crobinso@redhat.com> - 2:2.11.1-1 * Wed Feb 28 2018 Cole Robinson <crobinso@redhat.com> - 2:2.11.1-1
- Rebase to qemu 2.11.1 bugfix release - Rebase to qemu 2.11.1 bugfix release