From 681b54fd40b7a5e5c960bbd3e8aedca0fd4db575 Mon Sep 17 00:00:00 2001 From: Alexander Aring Date: Tue, 8 Feb 2022 14:42:53 -0500 Subject: [PATCH 3/5] treewide: do always -Wl,-z,now in LDFLAGS This patch reverts commit 7bb5570a ("treewide: try to resolve symbols at linking time") because the recommended way to avoid security related issues is always to use -Wl,-z,now. This is solving the following annocheck failure: https://sourceware.org/annobin/annobin.html/Test-bind-now.html --- dlm_controld/Makefile | 6 +++--- dlm_tool/Makefile | 4 ++-- fence/Makefile | 4 ++-- libdlm/Makefile | 7 +++---- 4 files changed, 10 insertions(+), 11 deletions(-) diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile index 8cfc97e6909a..a92fdebe2cba 100644 --- a/dlm_controld/Makefile +++ b/dlm_controld/Makefile @@ -43,15 +43,15 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ - -fstack-clash-protection -Wl,-z,now + -fstack-clash-protection BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE BIN_CFLAGS += -I../include -I../libdlm LIB_CFLAGS += $(CFLAGS) -fPIC -BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,defs -pie +BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie BIN_LDFLAGS += -lpthread -lrt -lcpg -lcmap -lcfg -lquorum -luuid -LIB_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,defs -pie +LIB_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie PKG_CONFIG ?= pkg-config ifeq ($(USE_SD_NOTIFY),yes) diff --git a/dlm_tool/Makefile b/dlm_tool/Makefile index 7b42638c0e4a..1c3d61d5c860 100644 --- a/dlm_tool/Makefile +++ b/dlm_tool/Makefile @@ -15,12 +15,12 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ - -fstack-clash-protection -Wl,-z,now + -fstack-clash-protection CFLAGS += -fPIE -DPIE CFLAGS += -I../include -I../libdlm -I../dlm_controld -LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie +LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie LDFLAGS += -L../libdlm -L../dlm_controld LDFLAGS += -lpthread -ldlm -ldlmcontrol diff --git a/fence/Makefile b/fence/Makefile index 547f7ba946ff..ee4dfb886d4c 100644 --- a/fence/Makefile +++ b/fence/Makefile @@ -15,13 +15,13 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ -Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \ -fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \ -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \ - -fstack-clash-protection -Wl,-z,now + -fstack-clash-protection CFLAGS += -fPIE -DPIE CFLAGS += -I../include CFLAGS += $(shell pkg-config --cflags pacemaker-fencing) -LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie +LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie LDFLAGS += -ldl all: $(BIN_TARGET) diff --git a/libdlm/Makefile b/libdlm/Makefile index 313c2a08f17e..5069ccf1f7f9 100644 --- a/libdlm/Makefile +++ b/libdlm/Makefile @@ -78,14 +78,13 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \ -fexceptions \ -fasynchronous-unwind-tables \ -fdiagnostics-show-option \ - -fPIC \ - -Wl,-z,now + -fPIC LIB_CFLAGS += $(CFLAGS) -D_REENTRANT LLT_CFLAGS += $(CFLAGS) -LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,defs -LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,defs +LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,now +LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,now all: $(LIB_TARGET) $(LLT_TARGET) $(LIB_PC) $(LLT_PC) -- 2.7.5