From e0acf4cdfcdf15ac2c33f457f7db2746dde06866 Mon Sep 17 00:00:00 2001
From: Jeff Layton
Date: Mon, 9 Jul 2012 10:22:17 -0400
Subject: [PATCH] Add patch to enable PIE and RELRO

Signed-off-by: Jeff Layton
---
 ...conf-add-enable-pie-and-enable-relro.patch | 83 +++++++++++++++++++
 0001-automake-revert-Werror-by-default.patch | 31 +++++++
 cifs-utils.spec | 10 ++-
 3 files changed, 123 insertions(+), 1 deletion(-)
 create mode 100644 0001-autoconf-add-enable-pie-and-enable-relro.patch
 create mode 100644 0001-automake-revert-Werror-by-default.patch

diff --git a/0001-autoconf-add-enable-pie-and-enable-relro.patch b/0001-autoconf-add-enable-pie-and-enable-relro.patch
new file mode 100644
index 0000000..3421a67
--- /dev/null
+++ b/0001-autoconf-add-enable-pie-and-enable-relro.patch
@@ -0,0 +1,83 @@
+From 60a8e227c1351dbe96e54d066daafcfa1158e432 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Mon, 9 Jul 2012 10:12:33 -0400
+Subject: [PATCH] autoconf: add --enable-pie and --enable-relro
+
+-pie and -fpie enable the building of position-independent executables,
+and -Wl,-z,relro turns on read-only relocation support in gcc. These
+options are important for security purposes to guard against possible
+buffer overflows that lead to exploits.
+
+Follow the example of samba here and enable these by default, but add
+configure options that allow people to turn them off at build-time if
+necessary.
+
+We may also want to eventually add checks to ensure that the compiler
+and linker understand these options, but I'll wait until we have some
+evidence that it's needed before I expend the effort.
+
+Reported-by: Andreas Schneider
+Signed-off-by: Jeff Layton
+---
+ Makefile.am | 2 +-
+ configure.ac | 27 +++++++++++++++++++++++++++
+ 2 files changed, 28 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index b412262..0d0b599 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2 $(PIE_CFLAGS) $(RELRO_CFLAGS)
+ ACLOCAL_AMFLAGS = -I aclocal
+
+ root_sbindir = $(ROOTSBINDIR)
+diff --git a/configure.ac b/configure.ac
+index 0dd1155..a8d0bbc 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -10,6 +10,18 @@ AC_CONFIG_MACRO_DIR(aclocal)
+ AM_INIT_AUTOMAKE
+
+ # "enable" options
++AC_ARG_ENABLE(pie,
++ [AC_HELP_STRING([--enable-pie],
++ [Produce position independent executables @<:@default=yes@:>@])],
++ enable_pie=$enableval,
++ enable_pie="maybe")
++
++AC_ARG_ENABLE(relro,
++ [AC_HELP_STRING([--enable-relro],
++ [Enable relocations read-only support @<:@default=yes@:>@])],
++ enable_relro=$enableval,
++ enable_relro="maybe")
++
+ AC_ARG_ENABLE(cifsupcall,
+ [AC_HELP_STRING([--enable-cifsupcall],
+ [Create cifs.upcall binary @<:@default=yes@:>@])],
+@@ -82,6 +94,21 @@ AC_CHECK_HEADERS([arpa/inet.h ctype.h fcntl.h inttypes.h limits.h mntent.h netdb
+ AC_CHECK_HEADERS([sys/fsuid.h])
+ AC_CHECK_FUNC(setfsuid, , [AC_MSG_ERROR([System does not support setfsuid()])])
+
++# FIXME: add test(s) to autodisable these flags when compiler/linker don't support it
++if test $enable_pie != "no"; then
++ PIE_CFLAGS="-fpie -pie"
++else
++ PIE_CFLAGS=""
++fi
++AC_SUBST([PIE_CFLAGS])
++
++if test $enable_relro != "no"; then
++ RELRO_CFLAGS="-Wl,-z,relro"
++else
++ RELRO_CFLAGS=""
++fi
++AC_SUBST([RELRO_CFLAGS])
++
+ if test $enable_cifsupcall != "no"; then
+ AC_CHECK_HEADERS([krb5.h krb5/krb5.h])
+ if test x$ac_cv_header_krb5_krb5_h != xyes ; then
+--
+1.7.7.6
+
diff --git a/0001-automake-revert-Werror-by-default.patch b/0001-automake-revert-Werror-by-default.patch
new file mode 100644
index 0000000..49cf121
--- /dev/null
+++ b/0001-automake-revert-Werror-by-default.patch
@@ -0,0 +1,31 @@
+From 74edf24d9780900f3ce15d2403c6e331b031d454 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Thu, 14 Jun 2012 10:59:18 -0400
+Subject: [PATCH] automake: revert -Werror by default
+
+I think in hindsight, that adding -Werror by default was a mistake.
+cifs-utils is built in a wide range of environments and tools, and it's
+very difficult to eliminate all of the possible warnings.
+
+Let's go ahead and remove it and reduce the steady trickle of patches
+that are simply to silence obscure warnings.
+
+Cc: Suresh Jayaraman
+Signed-off-by: Jeff Layton
+---
+ Makefile.am | 2 +-
+ 1 files changed, 1 insertions(+), 1 deletions(-)
+
+diff --git a/Makefile.am b/Makefile.am
+index 05729ca..b412262 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -1,4 +1,4 @@
+-AM_CFLAGS = -Wall -Wextra -Werror -D_FORTIFY_SOURCE=2
++AM_CFLAGS = -Wall -Wextra -D_FORTIFY_SOURCE=2
+ ACLOCAL_AMFLAGS = -I aclocal
+
+ root_sbindir = $(ROOTSBINDIR)
+--
+1.7.7.6
+
diff --git a/cifs-utils.spec b/cifs-utils.spec
index 85da2d1..ae5d79d 100644
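Review bot: In 0001-autoconf-add-enable-pie-and-enable-relro.patch, `RELRO_CFLAGS="-Wl,-z,relro"` in the second configure.ac hunk gives only partial RELRO: with lazy binding the PLT's GOT entries stay writable after startup, so a memory-corruption bug can still redirect calls through them. If the goal is the hardening the commit message describes, consider `RELRO_CFLAGS="-Wl,-z,relro -Wl,-z,now"`, accepting the small start-up cost of eager binding. Both variables also carry link-time flags (`-pie`, `-Wl,...`) yet are added only to `AM_CFLAGS`; automake's default link command does pass `AM_CFLAGS`, but a target with its own `_CFLAGS` or a custom link rule would presumably drop them without any error. It is worth confirming the result on the built binaries with `readelf -h` (Type: DYN) and `readelf -l` / `readelf -d` (GNU_RELRO, BIND_NOW) rather than trusting the configure summary. Separately, `test $enable_pie != "no"` is unquoted, so an empty value falls through to the else branch and turns the flag off; `test "x$enable_pie" != "xno"` avoids that.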
--- a/cifs-utils.spec +++ b/cifs-utils.spec @@ -3,7 +3,7 @@ Name: cifs-utils Version: 5.5 -Release: 1%{pre_release}%{?dist} +Release: 2%{pre_release}%{?dist} Summary: Utilities for mounting and managing CIFS mounts Group: System Environment/Daemons @@ -12,6 +12,8 @@ URL: http://linux-cifs.samba.org/cifs-utils/ BuildRoot: %{_tmppath}/%{name}-%{version}%{pre_release}-%{release}-root-%(%{__id_u} -n) Source0: ftp://ftp.samba.org/pub/linux-cifs/cifs-utils/%{name}-%{version}%{pre_release}.tar.bz2 +Patch1: 0001-automake-revert-Werror-by-default.patch +Patch2: 0001-autoconf-add-enable-pie-and-enable-relro.patch BuildRequires: libcap-ng-devel libtalloc-devel krb5-devel keyutils-libs-devel autoconf automake libwbclient-devel Requires: keyutils @@ -26,6 +28,8 @@ file system. %prep %setup -q -n %{name}-%{version}%{pre_release} +%patch1 -p1 +%patch2 -p1 %build %configure --prefix=/usr @@ -60,6 +64,10 @@ rm -rf %{buildroot} %config(noreplace) %{_sysconfdir}/request-key.d/cifs.spnego.conf %changelog +* Mon Jul 09 2012 Jeff Layton 5.5-2 +- remove -Werror flag +- enable PIE and RELRO + * Wed May 30 2012 Jeff Layton 5.5-1 - update to 5.5
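Review bot: In the %prep hunk, `%patch2 -p1` changes configure.ac and Makefile.am, but the visible %build context goes straight to `%configure --prefix=/usr` with no step that regenerates configure and Makefile.in. If the release tarball ships pre-generated autotools output, the new flags only take effect when automake's rebuild rules notice the newer timestamps; if they do not fire, the package builds without PIE and RELRO and nothing fails. Consider running `autoreconf -i` before `%configure` (autoconf and automake are already in BuildRequires) and checking the installed binaries with `readelf` as part of the build or review. The rest of %build lies outside the hunk, so a regeneration step may already exist further down.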