rpms
/
redhat-rpm-config
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Enable _FORTIFY_SOURCE=3 by default 

Make the _FORTIFY_SOURCE flags configurable so that the command line is
not cluttered with _FORTIFY_SOURCE definitions and undefines.  Introduce
a %_fortify_level variable that a package may override by either
undefining or defining to a specific value.

Also bump the default value to 3, to implement the systemwide proposal
for Fedora 38:

https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
This commit is contained in:
Siddhesh Poyarekar 2022-12-14 11:28:14 -05:00
parent 04a4350d3e
commit 4c05f3cfa2
3 changed files with 38 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
buildflags.md
View File

@ -172,6 +172,30 @@ This turns off certain hardening features, as described in detail
below. The main difference is that executables will be below. The main difference is that executables will be
position-dependent (no full ASLR) and use lazy binding. position-dependent (no full ASLR) and use lazy binding.
### Source Fortification
By default, the build flags include `-Wp,-D_FORTIFY_SOURCE=3`: Source
fortification activates various hardening features in glibc:
* String functions such as `memcpy` attempt to detect buffer lengths
and terminate the process if a buffer overflow is detected.
* `printf` format strings may only contain the `%n` format specifier
if the format string resides in read-only memory.
* `open` and `openat` flags are checked for consistency with the
presence of a *mode* argument.
* Plus other minor hardening changes.
These changes can, on rare occasions, break valid programs. The source
fortification level can be overridden by adding this in the RPM spec file:
%define _fortify_level 2
to reduce source fortification level to 2 or:
%undefine _fortify_level
to disable fortification altogether.
### Annotated builds/watermarking ### Annotated builds/watermarking
By default, the build flags cause a special output section to be By default, the build flags cause a special output section to be
@ -377,16 +401,9 @@ The general (architecture-independent) build flags are:
This can occasionally result in compilation errors. In that case, This can occasionally result in compilation errors. In that case,
the best option is to rewrite the source code so that only constant the best option is to rewrite the source code so that only constant
format strings (string literals) are used. format strings (string literals) are used.
* `-Wp,-D_FORTIFY_SOURCE=2`: Source fortification activates various * `-U_FORTIFY_SOURCE, -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=3`:
hardening features in glibc: See the Source Fortification section above and the `%_fortify_level`
* String functions such as `memcpy` attempt to detect buffer lengths override.
and terminate the process if a buffer overflow is detected.
* `printf` format strings may only contain the `%n` format specifier
if the format string resides in read-only memory.
* `open` and `openat` flags are checked for consistency with the
presence of a *mode* argument.
* Plus other minor hardening changes.
(These changes can occasionally break valid programs.)
* `-fexceptions`: Provide exception unwinding support for C programs. * `-fexceptions`: Provide exception unwinding support for C programs.
See the [`-fexceptions` option in the GCC See the [`-fexceptions` option in the GCC
manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions) manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions)

8
macros
View File

@ -362,13 +362,19 @@ print(result)
%_clang_lto_cflags -flto %_clang_lto_cflags -flto
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}} %_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
# Default fortification level.
# "%define _fortify_level 2" to downgrade and
# "%define _fortify_level 0" or "%undefine _fortify_level" to disable
%_fortify_level 3
%_fortify_level_flags %[ 0%{?_fortify_level} > 0 ? "-U_FORTIFY_SOURCE -Wp,-U_FORTIFY_SOURCE -Wp,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
# Some linkers default to a build-id algoritim that is not supported by rpmbuild, # Some linkers default to a build-id algoritim that is not supported by rpmbuild,
# so we need to specify the right algorithm to use. # so we need to specify the right algorithm to use.
%_build_id_flags -Wl,--build-id=sha1 %_build_id_flags -Wl,--build-id=sha1
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe %_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
%_warning_options -Wall -Werror=format-security %_warning_options -Wall -Werror=format-security
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS %_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS
# Common variables are no longer generated by default by gcc and clang # Common variables are no longer generated by default by gcc and clang
# If they are needed then add "%define _legacy_common_support 1" to the spec file. # If they are needed then add "%define _legacy_common_support 1" to the spec file.

5
redhat-rpm-config.spec
View File

@ -4,7 +4,7 @@
# 2) When making changes, increment the version (in baserelease) by 1. # 2) When making changes, increment the version (in baserelease) by 1.
# rpmdev-bumpspec and other tools update the macro below, which is used # rpmdev-bumpspec and other tools update the macro below, which is used
# in Version: to get the desired effect. # in Version: to get the desired effect.
%global baserelease 236 %global baserelease 237
Summary: Red Hat specific rpm configuration files Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config Name: redhat-rpm-config
@ -221,6 +221,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%doc buildflags.md %doc buildflags.md
%changelog %changelog
* Tue Jan 3 2023 Siddhesh Poyarekar <siddhesh@redhat.com> - 237-1
- Make _FORTIFY_SOURCE configurable and bump default to 3.
* Wed Dec 28 2022 Davide Cavalca <dcavalca@fedoraproject.org> - 236-1 * Wed Dec 28 2022 Davide Cavalca <dcavalca@fedoraproject.org> - 236-1
- Add conditional support for always including frame pointers - Add conditional support for always including frame pointers