Add patch to enable PIE and RELRO

Signed-off-by: Jeff Layton <jlayton@redhat.com>
2012-07-09 10:22:17 -04:00 · 2012-07-09 10:22:17 -04:00 · e0acf4cdfc
commit e0acf4cdfc
parent bfd8da6470
3 changed files with 123 additions and 1 deletions
--- a/0001-autoconf-add-enable-pie-and-enable-relro.patch
+++ b/0001-autoconf-add-enable-pie-and-enable-relro.patch
@ -0,0 +1,83 @@
+From 60a8e227c1351dbe96e54d066daafcfa1158e432 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@samba.org>
+Date: Mon, 9 Jul 2012 10:12:33 -0400
+Subject: [PATCH] autoconf: add --enable-pie and --enable-relro
+
+-pie and -fpie enable the building of position-independent executables,
+and -Wl,-z,relro turns on read-only relocation support in gcc. These
+options are important for security purposes to guard against possible
+buffer overflows that lead to exploits.
+
+Follow the example of samba here and enable these by default, but add
+configure options that allow people to turn them off at build-time if
+necessary.
+
+We may also want to eventually add checks to ensure that the compiler
+and linker understand these options, but I'll wait until we have some
+evidence that it's needed before I expend the effort.
+
+Reported-by: Andreas Schneider <asn@samba.org>
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+---
+ Makefile.am  |    2 +-
+ configure.ac |   27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b412262..0d0b599 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2 $(PIE_CFLAGS) $(RELRO_CFLAGS)
+ ACLOCAL_AMFLAGS = -I aclocal
+ 
+ root_sbindir = $(ROOTSBINDIR)
+diff --git a/configure.ac b/configure.ac
+index 0dd1155..a8d0bbc 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -10,6 +10,18 @@ AC_CONFIG_MACRO_DIR(aclocal)
+ AM_INIT_AUTOMAKE
+ 
+ # "enable" options
+AC_ARG_ENABLE(pie,
+	[AC_HELP_STRING([--enable-pie],
+			[Produce position independent executables @<:@default=yes@:>@])],
+	enable_pie=$enableval,
+	enable_pie="maybe")
+
+AC_ARG_ENABLE(relro,
+	[AC_HELP_STRING([--enable-relro],
+			[Enable relocations read-only support @<:@default=yes@:>@])],
+	enable_relro=$enableval,
+	enable_relro="maybe")
+
+ AC_ARG_ENABLE(cifsupcall,
+ 	[AC_HELP_STRING([--enable-cifsupcall],
+ 			[Create cifs.upcall binary @<:@default=yes@:>@])],
+@@ -82,6 +94,21 @@ AC_CHECK_HEADERS([arpa/inet.h ctype.h fcntl.h inttypes.h limits.h mntent.h netdb
+ AC_CHECK_HEADERS([sys/fsuid.h])
+ AC_CHECK_FUNC(setfsuid, , [AC_MSG_ERROR([System does not support setfsuid()])])
+ 
+# FIXME: add test(s) to autodisable these flags when compiler/linker don't support it
+if test $enable_pie != "no"; then
+	PIE_CFLAGS="-fpie -pie"
+else
+	PIE_CFLAGS=""
+fi
+AC_SUBST([PIE_CFLAGS])
+
+if test $enable_relro != "no"; then
+	RELRO_CFLAGS="-Wl,-z,relro"
+else
+	RELRO_CFLAGS=""
+fi
+AC_SUBST([RELRO_CFLAGS])
+
+ if test $enable_cifsupcall != "no"; then
+ 	AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+ 	if test x$ac_cv_header_krb5_krb5_h != xyes ; then
+-- 
+1.7.7.6
+
--- a/0001-automake-revert-Werror-by-default.patch
+++ b/0001-automake-revert-Werror-by-default.patch
@ -0,0 +1,31 @@
+From 74edf24d9780900f3ce15d2403c6e331b031d454 Mon Sep 17 00:00:00 2001
+From: Jeff Layton <jlayton@samba.org>
+Date: Thu, 14 Jun 2012 10:59:18 -0400
+Subject: [PATCH] automake: revert -Werror by default
+
+I think in hindsight, that adding -Werror by default was a mistake.
+cifs-utils is built in a wide range of environments and tools, and it's
+very difficult to eliminate all of the possible warnings.
+
+Let's go ahead and remove it and reduce the steady trickle of patches
+that are simply to silence obscure warnings.
+
+Cc: Suresh Jayaraman <sjayaraman@suse.com>
+Signed-off-by: Jeff Layton <jlayton@samba.org>
+---
+ Makefile.am |    2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 05729ca..b412262 100644
+--- a/Makefile.am
+++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2
+AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+ ACLOCAL_AMFLAGS = -I aclocal
+ 
+ root_sbindir = $(ROOTSBINDIR)
+-- 
+1.7.7.6
+
--- a/cifs-utils.spec
+++ b/cifs-utils.spec
@ -3,7 +3,7 @@

 Name:           cifs-utils
 Version:        5.5
-Release:        1%{pre_release}%{?dist}
+Release:        2%{pre_release}%{?dist}
 Summary:        Utilities for mounting and managing CIFS mounts

 Group:          System Environment/Daemons
@ -12,6 +12,8 @@ URL:            http://linux-cifs.samba.org/cifs-utils/
 BuildRoot:      %{_tmppath}/%{name}-%{version}%{pre_release}-%{release}-root-%(%{__id_u} -n)

 Source0:        ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2
+Patch1:         0001-automake-revert-Werror-by-default.patch
+Patch2:         0001-autoconf-add-enable-pie-and-enable-relro.patch

 BuildRequires:  libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel
 Requires:       keyutils
@ -26,6 +28,8 @@ file system.

 %prep
 %setup -q -n %{name}-%{version}%{pre_release}
+%patch1 -p1
+%patch2 -p1

 %build
 %configure --prefix=/usr
@ -60,6 +64,10 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/request-key.d/cifs.spnego.conf

 %changelog
+* Mon Jul 09 2012 Jeff Layton <jlayton@redhat.com> 5.5-2
+- remove -Werror flag
+- enable PIE and RELRO
+
 * Wed May 30 2012 Jeff Layton <jlayton@redhat.com> 5.5-1
 - update to 5.5