Strip all extension builder flags except -fexceptions and -fcf-protection

This preserves binary compatibility with the main interpreters
the extensions are built against while removing Fedora's flags
that are not required to be inherited on user-built extensions.

This implements https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
Charalampos Stratakis 2023-05-18 14:36:24 +02:00
parent f447520e2d
commit 7331757cf1
5 changed files with 37 additions and 16 deletions


@ -660,16 +660,11 @@ with such toolchains.
The macros `%{extension_cflags}`, `%{extension_cxxflags}`, The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
`%{extension_fflags}`, `%{extension_ldflags}` contain a subset of `%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
flags that have been adjusted for compatibility with alternative flags that have been adjusted for compatibility with alternative
toolchains, while still preserving some of the compile-time security toolchains.
hardening that the standard Fedora build flags provide.
The current set of differences are: Currently the -fexceptions and -fcf-protection flags are preserved
for binary compatibility with the languages the extensions are
* No GCC plugins (such as annobin) are activated. built against.
* No GCC spec files (`-specs=` arguments) are used.
Additional flags may be removed in the future if they prove to be
incompatible with alternative toolchains.
Extension builders should detect whether they are performing a regular Extension builders should detect whether they are performing a regular
RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this
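Review bot: the rewritten paragraph at the top of this hunk no longer tells extension builders what they lose. The removed text promised that `%{extension_cflags}` and friends still preserve "some of the compile-time security hardening that the standard Fedora build flags provide"; the replacement only names the two flags that survive, so a reader cannot tell that every other flag, the hardening flags among them, is now dropped and has to be supplied by the extension build itself if wanted. Suggest saying so in one sentence after "built against.", e.g. "All other flags from the standard build flags, including the hardening flags, are no longer inherited." Also, "the languages the extensions are built against" does not match the commit message, which says interpreters: `-fexceptions` and `-fcf-protection` are kept for binary compatibility with the interpreter the extension links against, not with a language.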

macros

@ -113,13 +113,19 @@
# Internal-only. Do not use. Expand a variable and strip the flags # Internal-only. Do not use. Expand a variable and strip the flags
# not suitable to extension builders. # not suitable to extension builders.
%__extension_strip_flags() %{lua: %__extension_strip_flags() %{lua:
--the only argument to this macro is the "name" of the flags we strip (e.g. cflags, ldflags, etc.)
local name = rpm.expand("%{1}") local name = rpm.expand("%{1}")
local value = " " .. rpm.expand("%{build_" .. name .. "}") --store all the individual flags in a variable as a continuous string
local specs_pattern = "%s+-specs=[^%s]+" local flags = rpm.expand("%{build_" .. name .. "}")
local lto_flags_pattern = rpm.expand("%{?_lto_cflags}"):gsub("[%-%.]", "%%%1") --create an empty table for the minimal set of flags we wanna preserve
local package_note_flags_pattern = "%-Wl,%S*package_note%S*" local stripped_flags = { }
local result = value:gsub(specs_pattern, " "):gsub(lto_flags_pattern, ""):gsub(package_note_flags_pattern, "") --iterate over the individual flags and store the ones we want in the table as unique keys
print(result) for flag in flags:gmatch("%S+") do
if flag:find("^%-fexceptions") or flag:find("^%-fcf%-protection") then
stripped_flags[flag] = true end
end
--print out the finalized set of flags for use by the extension builders
for k,_ in pairs(stripped_flags) do print(k .. " ") end
} }
# Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within # Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
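Review bot: iterating `stripped_flags` with `pairs()` at the end of this hunk makes the macro's output order nondeterministic (the accompanying test has to accept both orderings for exactly this reason), and `print(k .. " ")` leaves a trailing space on the expansion. Collecting matches in an array in the order they appear in `%{build_<name>}` (with a separate seen-table if deduplication is still wanted) and emitting `print(table.concat(kept, " "))` gives stable, reproducible output and lets the test compare against a single string. Two smaller points: `flag:find("^%-fcf%-protection")` is a prefix match, so any `-fcf-protection=...` variant present in the build flags is passed through as well, which is probably intended but worth a comment; and "the minimal set of flags we wanna preserve" should read "want to preserve".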


@ -4,7 +4,7 @@
# 2) When making changes, increment the version (in baserelease) by 1. # 2) When making changes, increment the version (in baserelease) by 1.
# rpmdev-bumpspec and other tools update the macro below, which is used # rpmdev-bumpspec and other tools update the macro below, which is used
# in Version: to get the desired effect. # in Version: to get the desired effect.
%global baserelease 261 %global baserelease 262
Summary: Red Hat specific rpm configuration files Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config Name: redhat-rpm-config
@ -254,6 +254,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%doc buildflags.md %doc buildflags.md
%changelog %changelog
* Wed Aug 02 2023 Charalampos Stratakis <cstratak@redhat.com> - 262-1
- Strip all extension builder flags except -fexceptions and -fcf-protection
- https://fedoraproject.org/wiki/Changes/Python_Extension_Flags_Reduction
* Fri Jul 7 2023 Florian Weimer <fweimer@redhat.com> - 261-1 * Fri Jul 7 2023 Florian Weimer <fweimer@redhat.com> - 261-1
- Fix warnings that appear during the build of the llvm package - Fix warnings that appear during the build of the llvm package
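Review bot: the changelog entry in this hunk describes the implementation rather than the user-visible effect. Packagers reading the changelog need to know that extension builds done through `%{extension_cflags}`, `%{extension_cxxflags}`, `%{extension_fflags}` and `%{extension_ldflags}` no longer inherit the hardening flags from the standard Fedora build flags, only `-fexceptions` and `-fcf-protection`; suggest a second bullet saying that. Also note that the entry is dated Wed Aug 02 2023 while the commit's author date in the header is 2023-05-18; fine for a rebased change, but the release date should reflect when 262-1 is actually built.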


@ -0,0 +1,5 @@
summary: Test that the extension builder flags contain the proper flags
require:
- redhat-rpm-config
test: ./runtest.sh


@ -0,0 +1,11 @@
#!/bin/bash
set -ex
# Verify that the extension builder flags are stripped of non-required flags.
# The flags may appear in random order due to being accessed through a lua
# associative array.
for f in %{extension_cflags} %{extension_cxxflags} %{extension_fflags}; do
[[ $(rpm --eval "$f") =~ ^[[:space:]]*(-fexceptions -fcf-protection|-fcf-protection -fexceptions)[[:space:]]*$ ]]
done
# The extension ldflag should always be empty
[[ -z $(rpm --eval "%extension_ldflags") ]]
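Review bot: the loop in this hunk hardcodes the expected expansion (`-fexceptions -fcf-protection` in either order) instead of deriving it from the flags the macro actually filters. `%__extension_strip_flags` only passes through flags that are present in `%{build_<name>}`, so on any target or build configuration where the build flags lack one of the two, this test fails even though the macro behaves as intended. Suggest computing the expected set by filtering `rpm --eval '%{build_cflags}'` (and the cxx and f variants) for the same two prefixes and comparing sorted word lists, e.g. via `tr -s ' ' '\n' | sort`; that makes the comparison order-insensitive and removes the need to enumerate permutations in the regex, and it keeps the test in step with the macro if the preserved set changes. The final `extension_ldflags` check is fine as is, since `%{build_ldflags}` is not expected to carry either compile flag.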