From a15ac4695e8a913a7b87aa92fc9e32b4ac1f9f42 Mon Sep 17 00:00:00 2001 From: Jan Grulich Date: Fri, 3 Nov 2023 14:12:40 +0100 Subject: [PATCH 1/6] Don't pull in qt5-srpm-macros on RHEL 10 --- redhat-rpm-config.spec | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index c15643e..2bc4c86 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 275 +%global baserelease 276 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config @@ -103,7 +103,9 @@ Requires: openblas-srpm-macros Requires: perl-srpm-macros # ↓ Has Python BRPs originaly present in redhat-rpm-config Requires: python-srpm-macros >= 3.11-7 +%if ! 0%{?rhel} Requires: qt5-srpm-macros +%endif Requires: qt6-srpm-macros # rust-srpm-macros v24 contains %%build_rustflags defintion Requires: rust-srpm-macros >= 24 @@ -256,6 +258,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Thu Jan 11 2024 Jan Grulich - 276-1 +- Drop qt5-srpm-macros from RHEL 10 + * Fri Jan 05 2024 Yaakov Selkowitz - 275-1 - Define RUSTFLAGS only when rust macros are installed From b13edec098b3f12eab614330e6920e46b12f0102 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 15 Jan 2024 12:17:56 +0100 Subject: [PATCH 2/6] Switch C type safety level to 3 (GCC 14 default), and adjust for GCC 14 No conflict because except for %global build_type_safety 0, the package is still compatibility with GCC 13 (but does not enforce the type safety levels anymore). --- buildflags.md | 14 ++++++++++---- macros | 4 ++-- redhat-rpm-config.spec | 5 ++++- 3 files changed, 16 insertions(+), 7 deletions(-) diff --git a/buildflags.md b/buildflags.md index 4e53c85..9d32a5a 100644 --- a/buildflags.md 
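Review bot: The `%if ! 0%{?rhel}` guard added around `Requires: qt5-srpm-macros` (redhat-rpm-config.spec, hunk at -103,7) is false on every RHEL release, not only on RHEL 10 as the subject line says. If this spec is ever built for an older RHEL, the dependency disappears there as well. If only RHEL 10 and later are meant, `%if 0%{?rhel} < 10` states that directly. Otherwise a comment above the conditional, such as `# qt5-srpm-macros is intentionally not pulled in on any RHEL build`, would record the intent.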
+++ b/buildflags.md @@ -117,7 +117,7 @@ or: ### Controlling Type Safety The macro `%build_type_safety_c` can be set to change the C type -safety level. The default level is 1, see below. It can be set to 0 +safety level. The default level is 3, see below. It can be set to 0 to get historic levels of type safety. Changing the type safety level may depend on correct `CFLAGS` propagation during the build. The `%build_type_safety_c` macro needs to be set before `CFLAGS`-related @@ -130,14 +130,14 @@ the `%build_type_safety_c` level to increase it, spec file should use a construct like this to avoid *lowering* a future default: ``` -%if %build_type_safety_c < 2 -%global build_type_safety_c 2 +%if %build_type_safety_c < 4 +%global build_type_safety_c 4 %endif ``` At level 0, all C constructs that GCC accepts for backwards compatibility with obsolete language standards are accepted during -package builds. +package builds. This is achieved by passing `-fpermissive` to GCC. At level 1, the following additional error categories are enabled: @@ -151,6 +151,12 @@ At level 1, the following additional error categories are enabled: Previously, such expressions where we compiled as if a declaration `extern int function_not_defined_anywhere ();` (a prototype-less function declaration) were in scope. +* `-Werror=return-mismatch`: Reject `return` statements with missing + or extra expressions, based on the declared return type of the + function. +* `-Wdeclaration-missing-parameter-type`: Reject function declarations + that contain unknown type names (which used to be treated as ignored + identifier names). At level 2, the following error category is enabled in addition: diff --git a/macros b/macros index cc0f895..61a83e3 100644 --- a/macros +++ b/macros 
@@ -400,14 +400,14 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end # This can be set to a positive integer to obtain increasing type # safety levels for C. See buildflags.md. -%build_type_safety_c 1 +%build_type_safety_c 3 # Some linkers default to a build-id algorithm that is not supported by rpmbuild, # so we need to specify the right algorithm to use. %_build_id_flags -Wl,--build-id=sha1 %_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe -%_warning_options -Wall%[%__build_for_lang_any && "%toolchain" == "gcc" ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 1) ? " -Werror=implicit-function-declaration -Werror=implicit-int" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 2) ? " -Werror=int-conversion" : ""]%[%__build_for_lang_c && (%build_type_safety_c >= 3) ? " -Werror=incompatible-pointer-types" : ""] +%_warning_options -Wall%[%__build_for_lang_any && "%toolchain" == "gcc" ? " -Wno-complain-wrong-lang" : ""]%[%__build_for_lang_c + %__build_for_lang_cxx ? " -Werror=format-security" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 0) ? " -fpermissive" : ""]%[%__build_for_lang_c && (%build_type_safety_c == 1) ? " -Wno-error=int-conversion" : ""]%[%__build_for_lang_c && (%build_type_safety_c > 0 && %build_type_safety_c < 3) ? " -Wno-error=incompatible-pointer-types" : ""] %_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS # Common variables are no longer generated by default by gcc and clang diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index 2bc4c86..c2f6716 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec 
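Review bot: The rewritten `%_warning_options` (macros, hunk at -400,14) no longer passes any `-Werror=` option for levels 1 to 3; it only relaxes errors that the compiler is assumed to enable by default. With a compiler whose defaults are older (the commit message names GCC 13), a package that sets `%build_type_safety_c 3` gets no type-safety errors, and nothing in the build output says so. That dependency deserves a comment next to the macro, for example `# Levels 1-3 rely on GCC 14 default errors; older compilers enforce nothing here.` Keeping the explicit `-Werror=` options for levels >= 1 alongside the new `-Wno-error=` ones would make enforcement independent of the compiler default, assuming GCC 14 still accepts them unchanged.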
@@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 276 +%global baserelease 277 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config @@ -258,6 +258,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Mon Jan 15 2024 Florian Weimer - 277-1 +- Switch C type safety level to 3 (GCC 14 default), and adjust for GCC 14 + * Thu Jan 11 2024 Jan Grulich - 276-1 - Drop qt5-srpm-macros from RHEL 10 From f3416f1436a39c7ff4f69c31d037ac277de5a637 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 15 Jan 2024 12:35:44 +0000 Subject: [PATCH 3/6] Add hardening feature to convert linker warning messages into errors. https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues --- buildflags.md | 40 +++++++++++++++++++++++++++++++++++----- macros | 9 ++++++++- redhat-rpm-config.spec | 7 ++++++- 3 files changed, 49 insertions(+), 7 deletions(-) diff --git a/buildflags.md b/buildflags.md index 9d32a5a..8db4dc8 100644 --- a/buildflags.md +++ b/buildflags.md @@ -654,11 +654,9 @@ to the compiler driver `gcc`, and not directly to the link editor * `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols (optional, see above). -For hardened builds, the -`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the -compiler driver command line. (This can be disabled by undefining the -`%_hardened_build` macro; see above) This activates the following -linker flags: +For hardened builds, some more linker options are added to the +compiler driver command line. These can be disabled by undefining the +`%_hardened_build` macro - see above. * `-pie`: Produce a PIE binary. This is only activated for the main executable, and only if it is dynamically linked. This requires 
@@ -667,6 +665,10 @@ linker flags: By itself, `-pie` has only a slight performance impact because it disables some link editor optimization, however the `-fPIE` compiler flag has some overhead. + Note: this option is added via adding a spec file to the compiler + driver command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld`) + rather than using the `-Wl` mechanism mentioned above. As a result + this option is only enabled if the compiler driver is gcc. * `-z now`: Disable lazy binding and turn on the `BIND_NOW` dynamic linker feature. Lazy binding involves an array of function pointers which is writable at run time (which could be overwritten as part of 
@@ -674,6 +676,34 @@ linker flags: preferable to turn of lazy binding, although it increases startup time. +In addition hardened builds default to converting a couple of linker +warning messages into errors, because they represent potential +missed hardening opportunities, and warnings in the linker's output are +often ignored. This behaviour can be turned off by undefining the +`%_hardened_build` macro as mentioned above, or by undefining the +`%_hardened_linker_errors` macro. The linker options enabled by this +feature are: + +* `--error-rwx-segments`: Generates an error if an output binary would + contain a loadable memory segment with read, write and execute + permissions. It will also generate an error if a thread local + storage (TLS) segment is created with execute permission. The + error can be disabled on an individual basis by adding the + `--no-warn-rwx-segments` option to the linker command line. +* `--error-execstack`: Generates an error if an output binary would + contain a stack that is held in memory with execute permission. + If a binary is being intentionally created with an executable stack + then the linker command line option `-z execstack` can be used to + indicate this. + +Note: these options are added via a spec file on the compiler driver +command line (`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors`) +rather than using the `-Wl` mechanism mentioned above. As a result +these options are only enabled if the compiler driver is gcc. In +addition the spec file only adds the options if the `-fuse-ld=...` +option has not been enabled. This prevents the options from being +used when the gold or lld linkers are enabled. + # Support for extension builders Some packages include extension builders that allow users to build diff --git a/macros b/macros index 61a83e3..dfacd55 100644 --- a/macros +++ b/macros 
@@ -325,8 +325,15 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end %_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 %_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg %_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong + +# Have the linker generate errors instead of warnings for binaries that +# contain memory regions with both write and execute permissions. +# https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues +%_hardening_linker_errors %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld-errors" : "" ] +%_hardened_linker_errors 1 + # we don't escape symbols '~', '"', etc. so be careful when changing this -%_hardening_ldflags -Wl,-z,now %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ] +%_hardening_ldflags -Wl,-z,now %{?_hardened_linker_errors:%{_hardening_linker_errors}} %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ] # Harden packages by default for Fedora 23+: # https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11) diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index c2f6716..2480a6c 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 277 +%global baserelease 278 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config @@ -22,6 +22,7 @@ Source1: rpmrc Source50: redhat-hardened-cc1 Source51: redhat-hardened-ld Source52: redhat-hardened-clang.cfg +Source53: redhat-hardened-ld-errors # gcc specs files for annobin builds Source60: redhat-annobin-cc1 
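Review bot: `%{?_hardened_linker_errors:...}` in the new `%_hardening_ldflags` line (macros, hunk at -325,8) tests only whether the macro is defined, so `%global _hardened_linker_errors 0` in a package leaves the linker errors switched on. The default value `1` invites exactly that spelling. buildflags.md documents undefining the macro, and the behaviour fails safe, but the comment block above the definition should say so: `# To disable, undefine _hardened_linker_errors; its value is not tested, so 0 does not turn it off.`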
@@ -258,6 +259,10 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Mon Jan 15 2024 Nick Clifton - 278-1 +- Add hardening feature to convert linker warning messages into errors. +- https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues + * Mon Jan 15 2024 Florian Weimer - 277-1 - Switch C type safety level to 3 (GCC 14 default), and adjust for GCC 14 From a455b31b14bd26a5cfb76e80e8c04101da951d08 Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Mon, 15 Jan 2024 13:01:37 +0000 Subject: [PATCH 4/6] Add redhat-hardened-ld-errors file --- redhat-hardened-ld-errors | 2 ++ 1 file changed, 2 insertions(+) create mode 100644 redhat-hardened-ld-errors diff --git a/redhat-hardened-ld-errors b/redhat-hardened-ld-errors new file mode 100644 index 0000000..1a8ca26 --- /dev/null +++ b/redhat-hardened-ld-errors @@ -0,0 +1,2 @@ +*self_spec: ++ %{!fuse-ld*:%{!r:-Wl,--error-rwx-segments -Wl,--error-execstack}} From c0295c50b307743d819c27a6acb9db585188ea3e Mon Sep 17 00:00:00 2001 From: Nils Philippsen Date: Tue, 16 Jan 2024 10:39:51 +0100 Subject: [PATCH 5/6] Obsolete rpmautospec-rpm-macros without version This is so redhat-rpm-config will obsolete any version of rpmautospec-rpm-macros in Fedora <= 39. Signed-off-by: Nils Philippsen --- redhat-rpm-config.spec | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index 2480a6c..fa48a4b 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 278 +%global baserelease 279 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config 
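Review bot: The new redhat-hardened-ld-errors file passes `--error-rwx-segments` and `--error-execstack` to the linker for hardened gcc links, but no hunk in this series adds a dependency on a linker that understands them. A linker that predates these options would presumably reject the command line, so hardened builds would fail outright rather than just lose the check. The spec already guards compiler flags this way (`Conflicts: gcc < 8.0.1-0.22`), and a matching `Conflicts: binutils < <first-version-with-error-execstack>` (placeholder, version to be filled in) would make the requirement explicit. Separately, the `%{!fuse-ld*:` guard also matches `-fuse-ld=bfd`, so a package that names the default linker explicitly drops both checks; it is worth confirming that this is intended.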
@@ -140,7 +140,10 @@ Requires: (gawk if clang) # -fstack-clash-protection and -fcf-protection require GCC 8. Conflicts: gcc < 8.0.1-0.22 -Obsoletes: rpmautospec-rpm-macros < 0.3.6 +# Obsoletes intentionally without version: rpmautospec in Fedora <= 39 ships +# the macro package, and its version has long passed the one previously +# recorded here. +Obsoletes: rpmautospec-rpm-macros Provides: system-rpm-config = %{version}-%{release} @@ -259,6 +262,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Tue Jan 16 2024 Nils Philippsen - 279-1 +- Obsolete rpmautospec-rpm-macros without version + * Mon Jan 15 2024 Nick Clifton - 278-1 - Add hardening feature to convert linker warning messages into errors. - https://fedoraproject.org/wiki/Changes/Linker_Error_On_Security_Issues From 13bd1aaf1a3c2af46824ff0390cf933a4f8a3b44 Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 16 Jan 2024 11:34:37 +0100 Subject: [PATCH 6/6] Drop -fcf-protection for i686 because there won't be kernel support --- buildflags.md | 4 ++-- redhat-rpm-config.spec | 5 ++++- rpmrc | 2 +- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/buildflags.md b/buildflags.md index 8db4dc8..0fee80c 100644 --- a/buildflags.md +++ b/buildflags.md @@ -581,9 +581,9 @@ These compiler flags are enabled for all builds (hardened/annotated or not), but their selection depends on the architecture: * `-fcf-protection`: Instrument binaries to guard against - ROP/JOP attacks. Used on i686 and x86_64. + ROP/JOP exploitation techniques. Used on x86_64. * `-mbranch-protection=standard`: Instrument binaries to guard against - ROP/JOP attacks. Used on aarch64. + ROP/JOP exploitation techniques. Used on aarch64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in the same compilation. For such architectures, the RPM build process explicitly selects the architecture variant by passing this compiler 
diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index fa48a4b..5ba7783 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -4,7 +4,7 @@ # 2) When making changes, increment the version (in baserelease) by 1. # rpmdev-bumpspec and other tools update the macro below, which is used # in Version: to get the desired effect. -%global baserelease 279 +%global baserelease 280 Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config @@ -262,6 +262,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua %doc buildflags.md %changelog +* Tue Jan 16 2024 Florian Weimer - 280-1 +- Drop -fcf-protection for i686 because there won't be kernel support + * Tue Jan 16 2024 Nils Philippsen - 279-1 - Obsolete rpmautospec-rpm-macros without version diff --git a/rpmrc b/rpmrc index a407129..cd37043 100644 --- a/rpmrc +++ b/rpmrc @@ -3,7 +3,7 @@ include: /usr/lib/rpm/rpmrc optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection +optflags: i686 %{__global_compiler_flags} -m32 -march=i686 -mtune=generic -msse2 -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection optflags: x86_64 %{__global_compiler_flags} -m64 %{__cflags_arch_x86_64} %__cflags_arch_x86_64_common optflags: x86_64_v2 %{__global_compiler_flags} -m64 -march=x86-64-v2 %__cflags_arch_x86_64_common
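Review bot: The i686 `optflags` line in rpmrc loses `-fcf-protection` with no explanation in the file itself; the reason lives only in the commit subject and the changelog. Because this removes a hardening flag, a comment above the line would stop a later cleanup from re-adding it or treating it as an accidental omission, e.g. `# i686: no -fcf-protection, there will be no kernel support for it.` (assuming `#` comment lines are accepted at this point in rpmrc). The other 32-bit entries in the visible context (i386, i486, i586, athlon) do not carry the flag either, so one comment can cover the whole group.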