Turn on system security properties as part of the build's install section
Move cacerts replacement to install section and retain the originals of it and tzdb.dat
Run tests on the installed image, rather than the build image
Introduce variables to refer to the static library installation directories
Use relative symlinks so they work within the image
Run debug symbols check during build stage, before the install strips them
Related: rhbz#2100677
							parent
							
								
									fb297243dc
								
							
						
					
					
						commit
						dca2f55ea3
					
				| @ -336,7 +336,7 @@ | ||||
| %global top_level_dir_name   %{origin} | ||||
| %global top_level_dir_name_backup %{top_level_dir_name}-backup | ||||
| %global buildver        7 | ||||
| %global rpmrelease      4 | ||||
| %global rpmrelease      5 | ||||
| # Priority must be 8 digits in total; up to openjdk 1.8, we were using 18..... so when we moved to 11, we had to add another digit | ||||
| %if %is_system_jdk | ||||
| # Using 10 digits may overflow the int used for priority, so we combine the patch and build versions | ||||
| @ -400,6 +400,10 @@ | ||||
| # images directories from upstream build | ||||
| %global jdkimage                jdk | ||||
| %global static_libs_image       static-libs | ||||
| # installation directory for static libraries | ||||
| %global static_libs_root        lib/static | ||||
| %global static_libs_arch_dir    %{static_libs_root}/linux-%{archinstall} | ||||
| %global static_libs_install_dir %{static_libs_arch_dir}/glibc | ||||
| # output dir stub | ||||
| %define buildoutputdir() %{expand:build/jdk%{featurever}.build%{?1}} | ||||
| # we can copy the javadoc to not arched dir, or make it not noarch | ||||
| @ -806,6 +810,7 @@ exit 0 | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfont.properties.ja | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/psfontj2d.properties | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/tzdb.dat.upstream | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libjli.so | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/jvm.cfg | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/libattach.so | ||||
| @ -864,6 +869,7 @@ exit 0 | ||||
| %dir %{etcjavadir -- %{?1}}/lib | ||||
| %dir %{etcjavadir -- %{?1}}/lib/security | ||||
| %{etcjavadir -- %{?1}}/lib/security/cacerts | ||||
| %{etcjavadir -- %{?1}}/lib/security/cacerts.upstream | ||||
| %dir %{etcjavadir -- %{?1}}/conf | ||||
| %dir %{etcjavadir -- %{?1}}/conf/sdp | ||||
| %dir %{etcjavadir -- %{?1}}/conf/management | ||||
| @ -1034,10 +1040,10 @@ exit 0 | ||||
| } | ||||
| 
 | ||||
| %define files_static_libs() %{expand: | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall} | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/lib/static/linux-%{archinstall}/glibc/lib*.a | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_root} | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_arch_dir} | ||||
| %dir %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir} | ||||
| %{_jvmdir}/%{sdkdir -- %{?1}}/%{static_libs_install_dir}/lib*.a | ||||
| } | ||||
| 
 | ||||
| %define files_javadoc() %{expand: | ||||
| @ -1812,6 +1818,7 @@ sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE11} > nss.cfg | ||||
| sed -e "s:@NSS_LIBDIR@:%{NSS_LIBDIR}:g" %{SOURCE17} > nss.fips.cfg | ||||
| 
 | ||||
| %build | ||||
| 
 | ||||
| # How many CPU's do we have? | ||||
| export NUM_PROC=%(/usr/bin/getconf _NPROCESSORS_ONLN 2> /dev/null || :) | ||||
| export NUM_PROC=${NUM_PROC:-1} | ||||
| @ -1952,9 +1959,18 @@ function installjdk() { | ||||
| 	# Install nss.fips.cfg: NSS configuration for global FIPS mode (crypto-policies) | ||||
| 	install -m 644 nss.fips.cfg ${imagepath}/conf/security/ | ||||
| 
 | ||||
| 	# Turn on system security properties | ||||
| 	sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ | ||||
| 	    ${imagepath}/conf/security/java.security | ||||
| 
 | ||||
| 	# Use system-wide tzdata | ||||
| 	rm ${imagepath}/lib/tzdb.dat | ||||
| 	ln -s %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat | ||||
| 	mv ${imagepath}/lib/tzdb.dat{,.upstream} | ||||
| 	ln -sv %{_datadir}/javazi-1.8/tzdb.dat ${imagepath}/lib/tzdb.dat | ||||
| 
 | ||||
| 	# Rename OpenJDK cacerts database | ||||
| 	mv ${imagepath}/lib/security/cacerts{,.upstream} | ||||
| 	# Install cacerts symlink needed by some apps which hard-code the path | ||||
| 	ln -sv /etc/pki/java/cacerts ${imagepath}/lib/security | ||||
| 
 | ||||
| 	# Create fake alt-java as a placeholder for future alt-java | ||||
| 	pushd ${imagepath} | ||||
| @ -1965,6 +1981,82 @@ function installjdk() { | ||||
|     fi | ||||
| } | ||||
| 
 | ||||
| # Checks on debuginfo must be performed before the files are stripped | ||||
| # by the RPM installation stage | ||||
| function debugcheckjdk() { | ||||
|     local imagepath=${1} | ||||
| 
 | ||||
|     if [ -d ${imagepath} ] ; then | ||||
| 
 | ||||
| 	so_suffix="so" | ||||
| 	# Check debug symbols are present and can identify code | ||||
| 	find "${imagepath}" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib | ||||
| 	do | ||||
| 	    if [ -f "$lib" ] ; then | ||||
| 		echo "Testing $lib for debug symbols" | ||||
| 		# All these tests rely on RPM failing the build if the exit code of any set | ||||
| 		# of piped commands is non-zero. | ||||
| 
 | ||||
| 		# Test for .debug_* sections in the shared object. This is the main test | ||||
| 		# Stripped objects will not contain these | ||||
| 		eu-readelf -S "$lib" | grep "] .debug_" | ||||
| 		test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 | ||||
| 
 | ||||
| 		# Test FILE symbols. These will most likely be removed by anything that | ||||
| 		# manipulates symbol tables because it's generally useless. So a nice test | ||||
| 		# that nothing has messed with symbols | ||||
| 		old_IFS="$IFS" | ||||
| 		IFS=$'\n' | ||||
| 		for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT") | ||||
| 		do | ||||
| 		    # We expect to see .cpp files, except for architectures like aarch64 and | ||||
| 		    # s390 where we expect .o and .oS files | ||||
| 		    echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" | ||||
| 		done | ||||
| 		IFS="$old_IFS" | ||||
| 
 | ||||
| 		# If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking | ||||
| 		if [ "`basename $lib`" = "libjvm.so" ]; then | ||||
| 		    eu-readelf -s "$lib" | \ | ||||
| 			grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$" | ||||
| 		fi | ||||
| 
 | ||||
| 		# Test that there are no .gnu_debuglink sections pointing to another | ||||
| 		# debuginfo file. There shouldn't be any debuginfo files, so the link makes | ||||
| 		# no sense either | ||||
| 		eu-readelf -S "$lib" | grep 'gnu' | ||||
| 		if eu-readelf -S "$lib" | grep "\] .gnu_debuglink" | grep PROGBITS; then | ||||
| 		   echo "bad .gnu_debuglink section." | ||||
| 		   eu-readelf -x .gnu_debuglink "$lib" | ||||
| 		   false | ||||
| 		fi | ||||
| 	    fi | ||||
| 	done | ||||
| 
 | ||||
| 	# Make sure gdb can do a backtrace based on line numbers on libjvm.so | ||||
| 	# javaCalls.cpp:58 should map to: | ||||
| 	# http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 | ||||
| 	# Using line number 1 might cause build problems. See: | ||||
| 	# https://bugzilla.redhat.com/show_bug.cgi?id=1539664 | ||||
| 	# https://bugzilla.redhat.com/show_bug.cgi?id=1538767 | ||||
| 	gdb -q "${imagepath}/bin/java" <<EOF | tee gdb.out | ||||
| handle SIGSEGV pass nostop noprint | ||||
| handle SIGILL pass nostop noprint | ||||
| set breakpoint pending on | ||||
| break javaCalls.cpp:58 | ||||
| commands 1 | ||||
| backtrace | ||||
| quit | ||||
| end | ||||
| run -version | ||||
| EOF | ||||
| %ifarch %{gdb_arches} | ||||
| 	grep 'JavaCallWrapper::JavaCallWrapper' gdb.out | ||||
| %endif | ||||
| 
 | ||||
|     fi | ||||
| } | ||||
| 
 | ||||
| %if %{build_hotspot_first} | ||||
|   # Build a fresh libjvm.so first and use it to bootstrap | ||||
|   cp -LR --preserve=mode,timestamps %{bootjdk} newboot | ||||
| @ -2031,6 +2123,8 @@ for suffix in %{build_loop} ; do | ||||
|   # Final setup on the main image | ||||
|   top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} | ||||
|   installjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} | ||||
|   # Check debug symbols were built into the dynamic libraries | ||||
|   debugcheckjdk ${top_dir_abs_main_build_path}/images/%{jdkimage} | ||||
| 
 | ||||
| # build cycles | ||||
| done # end of release / debug cycle loop | ||||
| @ -2040,22 +2134,11 @@ done # end of release / debug cycle loop | ||||
| # We test debug first as it will give better diagnostics on a crash | ||||
| for suffix in %{build_loop} ; do | ||||
| 
 | ||||
| top_dir_abs_main_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{main_suffix}} | ||||
| %if %{include_staticlibs} | ||||
| top_dir_abs_staticlibs_build_path=$(pwd)/%{buildoutputdir -- ${suffix}%{staticlibs_loop}} | ||||
| %endif | ||||
| 
 | ||||
| export JAVA_HOME=${top_dir_abs_main_build_path}/images/%{jdkimage} | ||||
| 
 | ||||
| # Pre-test setup | ||||
| 
 | ||||
| # Turn on system security properties | ||||
| sed -i -e "s:^security.useSystemPropertiesFile=.*:security.useSystemPropertiesFile=true:" \ | ||||
|     ${JAVA_HOME}/conf/security/java.security | ||||
| export JAVA_HOME=${RPM_BUILD_ROOT}%{_jvmdir}/%{sdkdir -- $suffix} | ||||
| 
 | ||||
| #check Shenandoah is enabled | ||||
| %if %{use_shenandoah_hotspot} | ||||
| $JAVA_HOME//bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version | ||||
| $JAVA_HOME/bin/java -XX:+UnlockExperimentalVMOptions -XX:+UseShenandoahGC -version | ||||
| %endif | ||||
| 
 | ||||
| # Check unlimited policy has been used | ||||
| @ -2087,76 +2170,9 @@ if ! nm $JAVA_HOME/bin/%{alt_java_name} | grep set_speculation ; then true ; els | ||||
| 
 | ||||
| %if %{include_staticlibs} | ||||
| # Check debug symbols in static libraries (smoke test) | ||||
| export STATIC_LIBS_HOME=${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image} | ||||
| readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep w_remainder.c | ||||
| readelf --debug-dump $STATIC_LIBS_HOME/lib/libfdlibm.a | grep e_remainder.c | ||||
| %endif | ||||
| 
 | ||||
| so_suffix="so" | ||||
| # Check debug symbols are present and can identify code | ||||
| find "$JAVA_HOME" -iname "*.$so_suffix" -print0 | while read -d $'\0' lib | ||||
| do | ||||
|   if [ -f "$lib" ] ; then | ||||
|     echo "Testing $lib for debug symbols" | ||||
|     # All these tests rely on RPM failing the build if the exit code of any set | ||||
|     # of piped commands is non-zero. | ||||
| 
 | ||||
|     # Test for .debug_* sections in the shared object. This is the main test | ||||
|     # Stripped objects will not contain these | ||||
|     eu-readelf -S "$lib" | grep "] .debug_" | ||||
|     test $(eu-readelf -S "$lib" | grep -E "\]\ .debug_(info|abbrev)" | wc --lines) == 2 | ||||
| 
 | ||||
|     # Test FILE symbols. These will most likely be removed by anything that | ||||
|     # manipulates symbol tables because it's generally useless. So a nice test | ||||
|     # that nothing has messed with symbols | ||||
|     old_IFS="$IFS" | ||||
|     IFS=$'\n' | ||||
|     for line in $(eu-readelf -s "$lib" | grep "00000000      0 FILE    LOCAL  DEFAULT") | ||||
|     do | ||||
|      # We expect to see .cpp files, except for architectures like aarch64 and | ||||
|      # s390 where we expect .o and .oS files | ||||
|       echo "$line" | grep -E "ABS ((.*/)?[-_a-zA-Z0-9]+\.(c|cc|cpp|cxx|o|oS))?$" | ||||
|     done | ||||
|     IFS="$old_IFS" | ||||
| 
 | ||||
|     # If this is the JVM, look for javaCalls.(cpp|o) in FILEs, for extra sanity checking | ||||
|     if [ "`basename $lib`" = "libjvm.so" ]; then | ||||
|       eu-readelf -s "$lib" | \ | ||||
|         grep -E "00000000      0 FILE    LOCAL  DEFAULT      ABS javaCalls.(cpp|o)$" | ||||
|     fi | ||||
| 
 | ||||
|     # Test that there are no .gnu_debuglink sections pointing to another | ||||
|     # debuginfo file. There shouldn't be any debuginfo files, so the link makes | ||||
|     # no sense either | ||||
|     eu-readelf -S "$lib" | grep 'gnu' | ||||
|     if eu-readelf -S "$lib" | grep '] .gnu_debuglink' | grep PROGBITS; then | ||||
|       echo "bad .gnu_debuglink section." | ||||
|       eu-readelf -x .gnu_debuglink "$lib" | ||||
|       false | ||||
|     fi | ||||
|   fi | ||||
| done | ||||
| 
 | ||||
| # Make sure gdb can do a backtrace based on line numbers on libjvm.so | ||||
| # javaCalls.cpp:58 should map to: | ||||
| # http://hg.openjdk.java.net/jdk8u/jdk8u/hotspot/file/ff3b27e6bcc2/src/share/vm/runtime/javaCalls.cpp#l58 | ||||
| # Using line number 1 might cause build problems. See: | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1539664 | ||||
| # https://bugzilla.redhat.com/show_bug.cgi?id=1538767 | ||||
| gdb -q "$JAVA_HOME/bin/java" <<EOF | tee gdb.out | ||||
| handle SIGSEGV pass nostop noprint | ||||
| handle SIGILL pass nostop noprint | ||||
| set breakpoint pending on | ||||
| break javaCalls.cpp:58 | ||||
| commands 1 | ||||
| backtrace | ||||
| quit | ||||
| end | ||||
| run -version | ||||
| EOF | ||||
| 
 | ||||
| %ifarch %{gdb_arches} | ||||
| grep 'JavaCallWrapper::JavaCallWrapper' gdb.out | ||||
| export STATIC_LIBS_HOME=${JAVA_HOME}/%{static_libs_install_dir} | ||||
| readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep w_remainder.c | ||||
| readelf --debug-dump $STATIC_LIBS_HOME/libfdlibm.a | grep e_remainder.c | ||||
| %endif | ||||
| 
 | ||||
| # Check src.zip has all sources. See RHBZ#1130490 | ||||
| @ -2203,17 +2219,10 @@ pushd ${jdk_image} | ||||
|   install -d -m 755 $RPM_BUILD_ROOT%{tapsetdir} | ||||
|   for name in $tapsetFiles ; do | ||||
|     targetName=`echo $name | sed "s/.stp/$suffix.stp/"` | ||||
|     ln -sf %{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName | ||||
|     ln -srvf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/tapset/$name $RPM_BUILD_ROOT%{tapsetdir}/$targetName | ||||
|   done | ||||
| %endif | ||||
| 
 | ||||
|   # Remove empty cacerts database | ||||
|   rm -f $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security/cacerts | ||||
|   # Install cacerts symlink needed by some apps which hard-code the path | ||||
|   pushd $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/security | ||||
|       ln -sf /etc/pki/java/cacerts . | ||||
|   popd | ||||
| 
 | ||||
|   # Install version-ed symlinks | ||||
|   pushd $RPM_BUILD_ROOT%{_jvmdir} | ||||
|     ln -sf %{sdkdir -- $suffix} %{jrelnk -- $suffix} | ||||
| @ -2233,11 +2242,12 @@ pushd ${jdk_image} | ||||
|   rm -rf $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/man | ||||
| 
 | ||||
| popd | ||||
| 
 | ||||
| # Install static libs artefacts | ||||
| %if %{include_staticlibs} | ||||
| mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc | ||||
| mkdir -p $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} | ||||
| cp -a ${top_dir_abs_staticlibs_build_path}/images/%{static_libs_image}/lib/*.a \ | ||||
|   $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/lib/static/linux-%{archinstall}/glibc | ||||
|   $RPM_BUILD_ROOT%{_jvmdir}/%{sdkdir -- $suffix}/%{static_libs_install_dir} | ||||
| %endif | ||||
| 
 | ||||
| if ! echo $suffix | grep -q "debug" ; then | ||||
| @ -2282,10 +2292,10 @@ mkdir -p $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib | ||||
| mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/conf/  $RPM_BUILD_ROOT/%{etcjavadir -- $suffix} | ||||
| mv $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib/security  $RPM_BUILD_ROOT/%{etcjavadir -- $suffix}/lib | ||||
| pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix} | ||||
|   ln -s %{etcjavadir -- $suffix}/conf  ./conf | ||||
|   ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/conf  ./conf | ||||
| popd | ||||
| pushd $RPM_BUILD_ROOT/%{_jvmdir}/%{sdkdir -- $suffix}/lib | ||||
|   ln -s %{etcjavadir -- $suffix}/lib/security  ./security | ||||
|   ln -srv $RPM_BUILD_ROOT%{etcjavadir -- $suffix}/lib/security  ./security | ||||
| popd | ||||
| # end moving files to /etc | ||||
| 
 | ||||
| @ -2541,6 +2551,15 @@ cjc.mainProgram(args) | ||||
| %endif | ||||
| 
 | ||||
| %changelog | ||||
| * Fri Jul 08 2022 Andrew Hughes <gnu.andrew@redhat.com> - 1:17.0.3.0.7-5 | ||||
| - Turn on system security properties as part of the build's install section | ||||
| - Move cacerts replacement to install section and retain original of this and tzdb.dat | ||||
| - Run tests on the installed image, rather than the build image | ||||
| - Introduce variables to refer to the static library installation directories | ||||
| - Use relative symlinks so they work within the image | ||||
| - Run debug symbols check during build stage, before the install strips them | ||||
| - Related: rhbz#2100677 | ||||
| 
 | ||||
| * Thu Jun 30 2022 Francisco Ferrari Bihurriet <fferrari@redhat.com> - 1:17.0.3.0.7-4 | ||||
| - RH2007331: SecretKey generate/import operations don't add the CKA_SIGN attribute in FIPS mode | ||||
| - Resolves: rhbz#2102433 | ||||
|  | ||||