Turn on system security properties as part of the build's install section

Move cacerts replacement to install section and retain original of this and tzdb.dat
Run tests on the installed image, rather than the build image
Introduce variables to refer to the static library installation directories
Use relative symlinks so they work within the image
Run debug symbols check during build stage, before the install strips them

Related: rhbz#2100677
This commit is contained in:
Andrew Hughes 2022-07-08 17:39:32 +01:00
parent fb297243dc
commit dca2f55ea3

View File

@ -336,7 +336,7 @@
%global top_level_dir_name %{origin} %global top_level_dir_name %{origin}
%global top_level_dir_name_backup %{top_level_dir_name}-backup %global top_level_dir_name_backup %{top_level_dir_name}-backup
%global buildver 7 %global buildver 7
%global rpmrelease 4 %global rpmrelease 5
# Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit
%if %is_system_jdk %if %is_system_jdk
# Using 10 digits may overflow the int used for priority, so we combine the patch and build versions # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions
@ -400,6 +400,10 @@
# images directories from upstream build # images directories from upstream build
%global jdkimage jdk %global jdkimage jdk
%global static_libs_image static-libs %global static_libs_image static-libs
# installation directory for static libraries
%global static_libs_root lib/static
%global static_libs_arch_dir %{static_libs_root}/linux-%{archinstall}
%global static_libs_install_dir %{static_libs_arch_dir}/glibc
# output dir stub # output dir stub
%define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}}
# we can copy the javadoc to not arched dir, or make it not noarch # we can copy the javadoc to not arched dir, or make it not noarch
@ -806,6 +810,7 @@ exit 0
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so
@ -864,6 +869,7 @@ exit 0
%dir %{etcjavadir -- %{?1}}/lib %dir %{etcjavadir -- %{?1}}/lib
%dir %{etcjavadir -- %{?1}}/lib/security %dir %{etcjavadir -- %{?1}}/lib/security
%{etcjavadir -- %{?1}}/lib/security/cacerts %{etcjavadir -- %{?1}}/lib/security/cacerts
%{etcjavadir -- %{?1}}/lib/security/cacerts.upstream
%dir %{etcjavadir -- %{?1}}/conf %dir %{etcjavadir -- %{?1}}/conf
%dir %{etcjavadir -- %{?1}}/conf/sdp %dir %{etcjavadir -- %{?1}}/conf/sdp
%dir %{etcjavadir -- %{?1}}/conf/management %dir %{etcjavadir -- %{?1}}/conf/management
@ -1034,10 +1040,10 @@ exit 0
} }
%define files_static_libs() %{expand: %define files_static_libs() %{expand:
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir}
%dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}
%{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a
} }
%define files_javadoc() %{expand: %define files_javadoc() %{expand:
@ -1812,6 +1818,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg
sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg
%build %build
# How many CPU's do we have? # How many CPU's do we have?
export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :)
export NUM_PROC=${NUM_PROC:-1} export NUM_PROC=${NUM_PROC:-1}
@ -1952,9 +1959,18 @@ function installjdk() {
# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) # Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies)
install -m 644 nss.fips.cfg ${imagepath}/conf/security/ install -m 644 nss.fips.cfg ${imagepath}/conf/security/
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${imagepath}/conf/security/java.security
# Use system-wide tzdata # Use system-wide tzdata
rm ${imagepath}/lib/tzdb.dat mv ${imagepath}/lib/tzdb.dat{,.upstream}
ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat
# Rename OpenJDK cacerts database
mv ${imagepath}/lib/security/cacerts{,.upstream}
# Install cacerts symlink needed by some apps which hard-code the path
ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security
# Create fake alt-java as a placeholder for future alt-java # Create fake alt-java as a placeholder for future alt-java
pushd ${imagepath} pushd ${imagepath}
@ -1965,6 +1981,82 @@ function installjdk() {
fi fi
} }
# Checks on debuginfo must be performed before the files are stripped
# by the RPM installation stage
function debugcheckjdk() {
local imagepath=${1}
if [ -d ${imagepath} ] ; then
so_suffix="so"
# Check debug symbols are present and can identify code
find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
do
if [ -f "$lib" ] ; then
echo "Testing $lib for debug symbols"
# All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero.
# Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_"
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
# Test FILE symbols. These will most likely be removed by anything that
# manipulates symbol tables because it's generally useless. So a nice test
# that nothing has messed with symbols
old_IFS="$IFS"
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
# We expect to see .cpp files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
done
IFS="$old_IFS"
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
if [ "`basename $lib`" = "libjvm.so" ]; then
eu-readelf -s "$lib" | \
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
fi
# Test that there are no .gnu_debuglink sections pointing to another
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
# no sense either
eu-readelf -S "$lib" | grep 'gnu'
if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then
echo "bad .gnu_debuglink section."
eu-readelf -x .gnu_debuglink "$lib"
false
fi
fi
done
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
# javaCalls.cpp:58 should map to:
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
# Using line number 1 might cause build problems. See:
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
break javaCalls.cpp:58
commands 1
backtrace
quit
end
run -version
EOF
%ifarch %{gdb_arches}
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif
fi
}
%if %{build_hotspot_first} %if %{build_hotspot_first}
# Build a fresh libjvm.so first and use it to bootstrap # Build a fresh libjvm.so first and use it to bootstrap
cp -LR --preserve=mode,timestamps %{bootjdk} newboot cp -LR --preserve=mode,timestamps %{bootjdk} newboot
@ -2031,6 +2123,8 @@ for suffix in %{build_loop} ; do
# Final setup on the main image # Final setup on the main image
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}}
installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# Check debug symbols were built into the dynamic libraries
debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage}
# build cycles # build cycles
done # end of release / debug cycle loop done # end of release / debug cycle loop
@ -2040,22 +2134,11 @@ done # end of release / debug cycle loop
# We test debug first as it will give better diagnostics on a crash # We test debug first as it will give better diagnostics on a crash
for suffix in %{build_loop} ; do for suffix in %{build_loop} ; do
top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix}
%if %{include_staticlibs}
top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}}
%endif
export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage}
# Pre-test setup
# Turn on system security properties
sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \
${JAVA_HOME}/conf/security/java.security
#check Shenandoah is enabled #check Shenandoah is enabled
%if %{use_shenandoah_hotspot} %if %{use_shenandoah_hotspot}
$JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version
%endif %endif
# Check unlimited policy has been used # Check unlimited policy has been used
@ -2087,76 +2170,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els
%if %{include_staticlibs} %if %{include_staticlibs}
# Check debug symbols in static libraries (smoke test) # Check debug symbols in static libraries (smoke test)
export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir}
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c
readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c
%endif
so_suffix="so"
# Check debug symbols are present and can identify code
find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib
do
if [ -f "$lib" ] ; then
echo "Testing $lib for debug symbols"
# All these tests rely on RPM failing the build if the exit code of any set
# of piped commands is non-zero.
# Test for .debug_* sections in the shared object. This is the main test
# Stripped objects will not contain these
eu-readelf -S "$lib" | grep "] .debug_"
test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2
# Test FILE symbols. These will most likely be removed by anything that
# manipulates symbol tables because it's generally useless. So a nice test
# that nothing has messed with symbols
old_IFS="$IFS"
IFS=$'\n'
for line in $(eu-readelf -s "$lib" | grep "00000000 0 FILE LOCAL DEFAULT")
do
# We expect to see .cpp files, except for architectures like aarch64 and
# s390 where we expect .o and .oS files
echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$"
done
IFS="$old_IFS"
# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking
if [ "`basename $lib`" = "libjvm.so" ]; then
eu-readelf -s "$lib" | \
grep -E "00000000 0 FILE LOCAL DEFAULT ABS javaCalls.(cpp|o)$"
fi
# Test that there are no .gnu_debuglink sections pointing to another
# debuginfo file. There shouldn't be any debuginfo files, so the link makes
# no sense either
eu-readelf -S "$lib" | grep 'gnu'
if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then
echo "bad .gnu_debuglink section."
eu-readelf -x .gnu_debuglink "$lib"
false
fi
fi
done
# Make sure gdb can do a backtrace based on line numbers on libjvm.so
# javaCalls.cpp:58 should map to:
# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58
# Using line number 1 might cause build problems. See:
# https://bugzilla.redhat.com/show_bug.cgi?id=1539664
# https://bugzilla.redhat.com/show_bug.cgi?id=1538767
gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out
handle SIGSEGV pass nostop noprint
handle SIGILL pass nostop noprint
set breakpoint pending on
break javaCalls.cpp:58
commands 1
backtrace
quit
end
run -version
EOF
%ifarch %{gdb_arches}
grep 'JavaCallWrapper::JavaCallWrapper' gdb.out
%endif %endif
# Check src.zip has all sources. See RHBZ#1130490 # Check src.zip has all sources. See RHBZ#1130490
@ -2203,17 +2219,10 @@ pushd ${jdk_image}
install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir} install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir}
for name in $tapsetFiles ; do for name in $tapsetFiles ; do
targetName=`echo $name | sed "s/.stp/$suffix.stp/"` targetName=`echo $name | sed "s/.stp/$suffix.stp/"`
ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName
done done
%endif %endif
# Remove empty cacerts database
rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts
# Install cacerts symlink needed by some apps which hard-code the path
pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security
ln -sf /etc/pki/java/cacerts .
popd
# Install version-ed symlinks # Install version-ed symlinks
pushd $RPM_BUILD_ROOT%{_jvmdir} pushd $RPM_BUILD_ROOT%{_jvmdir}
ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix}
@ -2233,11 +2242,12 @@ pushd ${jdk_image}
rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man
popd popd
# Install static libs artefacts # Install static libs artefacts
%if %{include_staticlibs} %if %{include_staticlibs}
mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \
$RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir}
%endif %endif
if ! echo $suffix | grep -q "debug" ; then if ! echo $suffix | grep -q "debug" ; then
@ -2282,10 +2292,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/ $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}
mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix} pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}
ln -s %{etcjavadir -- $suffix}/conf ./conf ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf ./conf
popd popd
pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib
ln -s %{etcjavadir -- $suffix}/lib/security ./security ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security ./security
popd popd
# end moving files to /etc # end moving files to /etc
@ -2541,6 +2551,15 @@ cjc.mainProgram(args)
%endif %endif
%changelog %changelog
* Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5
- Turn on system security properties as part of the build's install section
- Move cacerts replacement to install section and retain original of this and tzdb.dat
- Run tests on the installed image, rather than the build image
- Introduce variables to refer to the static library installation directories
- Use relative symlinks so they work within the image
- Run debug symbols check during build stage, before the install strips them
- Related: rhbz#2100677
* Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-4 * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-4
- RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode
- Resolves: rhbz#2102433 - Resolves: rhbz#2102433