From f108a12fde71529153c83ae165182d687bb50e4e Mon Sep 17 00:00:00 2001
From: Christopher Lusk
Date: Thu, 26 Mar 2026 15:49:20 -0400
Subject: [PATCH] criu: Fix full RELRO by preserving -Wl flags for gcc-linked targets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

nmk's build.mk globally strips -Wl,% from LDFLAGS, which drops -Wl,-z,now needed for BIND_NOW. Add a patch from Cestmir Kalina that moves the filter to ldflags-y only, so direct ld calls still avoid gcc driver flags while the final gcc link retains full hardening.

Resolves: RHEL-152222
Co-Authored-By: Claude Opus 4.6
Co-Authored-By: Čestmír Kalina
Signed-off-by: Christopher Lusk
---
 ...-intact-filter-Wl-only-for-direct-ld.patch | 44 +++++++++++++++++++
 criu.spec | 17 +++++--
 2 files changed, 58 insertions(+), 3 deletions(-)
 create mode 100644 0001-build-keep-LDFLAGS-intact-filter-Wl-only-for-direct-ld.patch

diff --git a/0001-build-keep-LDFLAGS-intact-filter-Wl-only-for-direct-ld.patch b/0001-build-keep-LDFLAGS-intact-filter-Wl-only-for-direct-ld.patch
new file mode 100644
index 0000000..326a73d
--- /dev/null
+++ b/0001-build-keep-LDFLAGS-intact-filter-Wl-only-for-direct-ld.patch
@@ -0,0 +1,44 @@
+From 6adacd47fccb803087681c94692ac57eb87c23ae Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?=C4=8Cestm=C3=ADr=20Kalina?=
+Date: Wed, 25 Mar 2026 00:50:39 +0100
+Subject: [PATCH] build: keep LDFLAGS intact and filter -Wl only for direct ld links
+
+Do not rewrite LDFLAGS globally in build.mk.
+
+The global filter drops distro-provided linker hardening flags from
+normal gcc-linked targets, including the main criu binary. In
+particular, -Wl,-z,now is lost, so the final ELF misses BIND_NOW and
+only gets partial RELRO.
+
+Filter out -Wl,... only when populating ldflags-y for direct $(LD)
+invocations, so built-in/blob links still avoid gcc driver flags while
+gcc-linked binaries retain the full LDFLAGS set.
+
+Signed-off-by: Čestmír Kalina
+---
+ scripts/nmk/scripts/build.mk | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/scripts/nmk/scripts/build.mk b/scripts/nmk/scripts/build.mk
+index d01d2b72c..3f714cb56 100644
+--- a/scripts/nmk/scripts/build.mk
++++ b/scripts/nmk/scripts/build.mk
+@@ -46,7 +46,6 @@ export __nmk-makefile-deps
+ # using $(LD) directly instead so filter out -Wl
+ # flags to make maintainer's life easier.
+ LDFLAGS-MASK := -Wl,%
+-LDFLAGS := $(filter-out $(LDFLAGS-MASK),$(LDFLAGS))
+
+ #
+ # Accumulate common flags.
+@@ -111,7 +110,7 @@ builtin-name := $(strip $(builtin-name))
+
+ #
+ # Link flags.
+-ldflags-y := $(strip $(LDFLAGS) $(ldflags-y))
++ldflags-y := $(strip $(filter-out $(LDFLAGS-MASK),$(LDFLAGS)) $(ldflags-y))
+
+ #
+ # $(obj) related rules.
+--
+2.52.0
diff --git a/criu.spec b/criu.spec
index 3fd3bbb..6fbe654 100644
--- a/criu.spec
+++ b/criu.spec
@@ -13,7 +13,7 @@
 
 Name: criu
 Version: 4.2
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Tool for Checkpoint/Restore in User-space
 License: GPL-2.0-only AND LGPL-2.1-only AND MIT
 URL: http://criu.org/
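Review bot: The comment kept as context above `LDFLAGS-MASK := -Wl,%` in the embedded patch's first build.mk hunk still reads as if the `-Wl` filter were applied at that spot, but after this change the mask is consumed only where `ldflags-y` is assembled. The comment block starts above the hunk's first context line, so only its tail is visible; I would append something like `# Mask is applied only when building ldflags-y (direct $(LD) links); LDFLAGS itself stays intact for gcc-driven links.` Separately, with the global rewrite gone, any recipe that hands `$(LDFLAGS)` straight to `$(LD)` without going through `ldflags-y` would now receive `-Wl,` options. None is visible in these hunks, so this is a point to confirm with a search of the tree rather than a known defect.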
@@ -23,6 +23,12 @@ Source0: https://github.com/checkpoint-restore/criu/archive/v%{version}/criu-%{v # setting the network locking to iptables via RPC. Patch0: disable.network.locking.via.rpc.patch +# nmk build.mk globally strips -Wl,% from LDFLAGS, which drops -Wl,-z,now +# needed for BIND_NOW (full RELRO). Move the filter to ldflags-y only so +# direct ld calls still avoid gcc driver flags while gcc-linked binaries +# retain the full LDFLAGS set. +Patch1: 0001-build-keep-LDFLAGS-intact-filter-Wl-only-for-direct-ld.patch + # Add protobuf-c as a dependency. # We use this patch because the protobuf-c package name # in RPM and DEB is different. @@ -104,6 +110,7 @@ This script can help to workaround the so called "PID mismatch" problem. %prep %setup -q %patch -P 0 -p1 +%patch -P 1 -p1 %patch -P 99 -p1 %build @@ -114,8 +121,8 @@ This script can help to workaround the so called "PID mismatch" problem. # CRIU's nmk build system calls ld directly for intermediate partial linking # (ld -r). RHEL LDFLAGS contain -specs= options that only gcc understands; # raw ld rejects them. Create a wrapper that strips -specs= for direct ld -# calls. The final criu binary link uses gcc (CC), not ld, so it still gets -# full hardening (-pie, -z relro, -z now) from the spec files. +# calls. Patch1 fixes nmk's global stripping of -Wl,% from LDFLAGS so that +# the final gcc link retains -Wl,-z,now (BIND_NOW) for full RELRO. mkdir -p %{_builddir}/bin cat > %{_builddir}/bin/ld << 'LDWRAPPER' #!/bin/sh @@ -179,6 +186,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/libcriu.a %doc %{_mandir}/man1/criu-ns.1* %changelog +* Fri Mar 27 2026 Christopher Lusk - 4.2-4 +- Fix full RELRO: patch nmk build.mk to preserve -Wl flags for gcc-linked targets +- Resolves: RHEL-152222 + * Thu Mar 05 2026 Andrea Bolognani - 4.2-3 - Enable riscv64 build Resolves: RHEL-153692
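Review bot: Nothing in the spec verifies that the built binary actually carries BIND_NOW, although the rewritten comment in the `%build` hunk (`@@ -114,8 +121,8 @@`) now states that Patch1 restores it. The comment it replaces also asserted full hardening for the final link, and per the commit message that did not hold, so a comment alone is weak protection against a repeat. A one-line assertion after the install step, e.g. `readelf -d <installed criu binary> | grep -q BIND_NOW` (the path is a placeholder, the binary's install location is not shown in this diff), would make a regression fail the build instead of shipping partial RELRO. The `%build` section continues outside the hunk, so whether a `%check` section already exists cannot be seen from here.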