1.1.15-2 - Stop building with -fstack-protector-all

...using the upstream patches overhauling toolchain hardening (Fedora
   natively uses -fstack-protector-strong, so the effectively relaxed
  stack protection is the only effect, since hardened flags are already
  used by default; see
  https://fedoraproject.org/wiki/Changes/Harden_All_Packages)

Signed-off-by: Jan Pokorný <jpokorny@redhat.com>
Jan Pokorný 2016-07-07 16:04:47 +02:00
parent e4bc0b66d0
commit 537f655159
No known key found for this signature in database
GPG Key ID: 61BBB23A9E8F8DE2
4 changed files with 1849 additions and 2 deletions

535
001-makefile-cleanup.patch Normal file

@ -0,0 +1,535 @@
From d720014c2cf7ff00004b64ca9cf817ffc00e6ffb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Fri, 10 Jun 2016 15:00:03 +0200
Subject: [PATCH 1/5] Build: Makefile.common to define MAINTAINERCLEANFILES +
AM_CPPFLAGS
Fallout after 89fba95.
---
attrd/Makefile.am | 5 +----
lib/cib/Makefile.am | 5 +----
lib/cluster/Makefile.am | 5 +----
lib/common/Makefile.am | 8 +++-----
lib/fencing/Makefile.am | 6 +-----
lib/lrmd/Makefile.am | 8 +-------
lib/pengine/Makefile.am | 5 +----
lib/transition/Makefile.am | 5 +----
lrmd/Makefile.am | 1 -
9 files changed, 10 insertions(+), 38 deletions(-)
diff --git a/attrd/Makefile.am b/attrd/Makefile.am
index 9d5e223..0c5d456 100644
--- a/attrd/Makefile.am
+++ b/attrd/Makefile.am
@@ -15,10 +15,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl
+include $(top_srcdir)/Makefile.common
halibdir = $(CRM_DAEMON_DIR)
halib_PROGRAMS = attrd
diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am
index 1ebd7b0..687b9f3 100644
--- a/lib/cib/Makefile.am
+++ b/lib/cib/Makefile.am
@@ -15,10 +15,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl
+include $(top_srcdir)/Makefile.common
## libraries
lib_LTLIBRARIES = libcib.la
diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am
index 5b6f3f7..f5f40bc 100644
--- a/lib/cluster/Makefile.am
+++ b/lib/cluster/Makefile.am
@@ -15,10 +15,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl
+include $(top_srcdir)/Makefile.common
headerdir=$(pkgincludedir)/crm/cluster
diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am
index 8ef08db..7ae1dc8 100644
--- a/lib/common/Makefile.am
+++ b/lib/common/Makefile.am
@@ -15,12 +15,10 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
+include $(top_srcdir)/Makefile.common
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \
- -I$(top_builddir)/lib/gnu -I$(top_srcdir)/lib/gnu \
- -DSBINDIR=\"$(sbindir)\"
+AM_CPPFLAGS += -I$(top_builddir)/lib/gnu -I$(top_srcdir)/lib/gnu \
+ -DSBINDIR=\"$(sbindir)\"
## libraries
lib_LTLIBRARIES = libcrmcommon.la
diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am
index 3320466..aa57ba5 100644
--- a/lib/fencing/Makefile.am
+++ b/lib/fencing/Makefile.am
@@ -16,11 +16,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \
- -I$(top_builddir) -I$(top_srcdir)
+include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = libstonithd.la
diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am
index d5ae2f4..8c76a78 100644
--- a/lib/lrmd/Makefile.am
+++ b/lib/lrmd/Makefile.am
@@ -14,13 +14,7 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
-#
-
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl \
- -I$(top_builddir) -I$(top_srcdir)
+include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = liblrmd.la
diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am
index b9191d5..4544377 100644
--- a/lib/pengine/Makefile.am
+++ b/lib/pengine/Makefile.am
@@ -15,10 +15,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl
+include $(top_srcdir)/Makefile.common
## libraries
lib_LTLIBRARIES = libpe_rules.la libpe_status.la
diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am
index 4447f1b..6cc9bca 100644
--- a/lib/transition/Makefile.am
+++ b/lib/transition/Makefile.am
@@ -15,10 +15,7 @@
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
#
-MAINTAINERCLEANFILES = Makefile.in
-
-AM_CPPFLAGS = -I$(top_builddir)/include -I$(top_srcdir)/include \
- -I$(top_builddir)/libltdl -I$(top_srcdir)/libltdl
+include $(top_srcdir)/Makefile.common
## libraries
lib_LTLIBRARIES = libtransitioner.la
diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am
index a8fb07a..556d48a 100644
--- a/lrmd/Makefile.am
+++ b/lrmd/Makefile.am
@@ -14,7 +14,6 @@
# License along with this library; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
#
-
include $(top_srcdir)/Makefile.common
testdir = $(datadir)/$(PACKAGE)/tests/lrmd
--
1.8.3.1
From bfad92c9e23f3bf7a73e86017eed46ba7fd63c12 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Fri, 10 Jun 2016 17:38:46 +0200
Subject: [PATCH 2/5] Build: Makefile.am files: drop extraneous variables +
targets
- empty variables
- non-fitting .PHONY definitions
- unemployed install-exec-local + uninstall-local target pairs (per file)
- AM_CFLAGS unnecessarily initialized with current AM_CPPFLAGS value
- empty header_HEADERS variable + superfluous headerdir definition
---
Makefile.am | 2 --
attrd/Makefile.am | 8 --------
fencing/Makefile.am | 2 --
include/crm/Makefile.am | 1 -
include/crm/fencing/Makefile.am | 3 ---
lib/cib/Makefile.am | 5 -----
lib/cluster/Makefile.am | 8 --------
lib/common/Makefile.am | 4 ----
lib/fencing/Makefile.am | 2 --
lib/lrmd/Makefile.am | 3 ---
lib/pengine/Makefile.am | 4 ----
lib/services/Makefile.am | 2 --
lib/transition/Makefile.am | 5 -----
tools/Makefile.am | 11 -----------
14 files changed, 60 deletions(-)
diff --git a/Makefile.am b/Makefile.am
index 0edf0c9..5d1a689 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -73,5 +73,3 @@ dist-clean-local:
maintainer-clean-local:
rm -f libltdl.tar
-
-.PHONY: rpm pkg handy handy-copy
diff --git a/attrd/Makefile.am b/attrd/Makefile.am
index 0c5d456..9a841e5 100644
--- a/attrd/Makefile.am
+++ b/attrd/Makefile.am
@@ -21,8 +21,6 @@ halibdir = $(CRM_DAEMON_DIR)
halib_PROGRAMS = attrd
## SOURCES
-noinst_HEADERS =
-
attrd_SOURCES =
attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
$(top_builddir)/lib/common/libcrmcommon.la \
@@ -37,9 +35,3 @@ endif
clean-generic:
rm -f *.log *.debug *.xml *~
-
-install-exec-local:
-
-uninstall-local:
-
-.PHONY: install-exec-hook
diff --git a/fencing/Makefile.am b/fencing/Makefile.am
index 383c217..bef6e6e 100644
--- a/fencing/Makefile.am
+++ b/fencing/Makefile.am
@@ -17,8 +17,6 @@
#
include $(top_srcdir)/Makefile.common
-SUBDIRS =
-
## binary progs
testdir = $(datadir)/$(PACKAGE)/tests/fencing
test_SCRIPTS = regression.py
diff --git a/include/crm/Makefile.am b/include/crm/Makefile.am
index ef96011..bdb627c 100644
--- a/include/crm/Makefile.am
+++ b/include/crm/Makefile.am
@@ -19,7 +19,6 @@ MAINTAINERCLEANFILES = Makefile.in
headerdir=$(pkgincludedir)/crm
-noinst_HEADERS =
header_HEADERS = crm.h cib.h attrd.h msg_xml.h transition.h stonith-ng.h cluster.h lrmd.h services.h error.h compatibility.h
SUBDIRS = common pengine cib fencing cluster
diff --git a/include/crm/fencing/Makefile.am b/include/crm/fencing/Makefile.am
index f85c842..57a787b 100644
--- a/include/crm/fencing/Makefile.am
+++ b/include/crm/fencing/Makefile.am
@@ -17,7 +17,4 @@
#
MAINTAINERCLEANFILES = Makefile.in
-headerdir=$(pkgincludedir)/crm/fencing
-
noinst_HEADERS = internal.h
-header_HEADERS =
diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am
index 687b9f3..07bf261 100644
--- a/lib/cib/Makefile.am
+++ b/lib/cib/Makefile.am
@@ -21,7 +21,6 @@ include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = libcib.la
## SOURCES
-noinst_HEADERS =
libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c
libcib_la_SOURCES += cib_file.c cib_remote.c
@@ -31,7 +30,3 @@ libcib_la_CFLAGS = -I$(top_srcdir)
clean-generic:
rm -f *.log *.debug *.xml *~
-
-install-exec-local:
-
-uninstall-local:
diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am
index f5f40bc..dcc1fbd 100644
--- a/lib/cluster/Makefile.am
+++ b/lib/cluster/Makefile.am
@@ -17,10 +17,6 @@
#
include $(top_srcdir)/Makefile.common
-headerdir=$(pkgincludedir)/crm/cluster
-
-header_HEADERS =
-
## libraries
lib_LTLIBRARIES = libcrmcluster.la
@@ -45,7 +41,3 @@ endif
clean-generic:
rm -f *.log *.debug *.xml *~
-
-install-exec-local:
-
-uninstall-local:
diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am
index 7ae1dc8..111628f 100644
--- a/lib/common/Makefile.am
+++ b/lib/common/Makefile.am
@@ -44,7 +44,3 @@ libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c
clean-generic:
rm -f *.log *.debug *.xml *~
-
-install-exec-local:
-
-uninstall-local:
diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am
index aa57ba5..a9f9874 100644
--- a/lib/fencing/Makefile.am
+++ b/lib/fencing/Makefile.am
@@ -23,5 +23,3 @@ lib_LTLIBRARIES = libstonithd.la
libstonithd_la_SOURCES = st_client.c
libstonithd_la_LDFLAGS = -version-info 4:1:2
libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
-
-AM_CFLAGS = $(AM_CPPFLAGS)
diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am
index 8c76a78..c23fef5 100644
--- a/lib/lrmd/Makefile.am
+++ b/lib/lrmd/Makefile.am
@@ -23,6 +23,3 @@ liblrmd_la_LDFLAGS = -version-info 4:0:3
liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/services/libcrmservice.la \
$(top_builddir)/lib/fencing/libstonithd.la
-
-
-AM_CFLAGS = $(AM_CPPFLAGS)
diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am
index 4544377..a0d19e5 100644
--- a/lib/pengine/Makefile.am
+++ b/lib/pengine/Makefile.am
@@ -34,7 +34,3 @@ libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.l
clean-generic:
rm -f *.log *.debug *~
-
-install-exec-local:
-
-uninstall-local:
diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am
index a9fe26d..2797b53 100644
--- a/lib/services/Makefile.am
+++ b/lib/services/Makefile.am
@@ -39,5 +39,3 @@ endif
if BUILD_SYSTEMD
libcrmservice_la_SOURCES += systemd.c
endif
-
-AM_CFLAGS = $(AM_CPPFLAGS)
diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am
index 6cc9bca..7bcfc1a 100644
--- a/lib/transition/Makefile.am
+++ b/lib/transition/Makefile.am
@@ -21,7 +21,6 @@ include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = libtransitioner.la
## SOURCES
-noinst_HEADERS =
libtransitioner_la_SOURCES = unpack.c graph.c utils.c
libtransitioner_la_LDFLAGS = -version-info 2:5:0
@@ -30,7 +29,3 @@ libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
clean-generic:
rm -f *~
-
-install-exec-local:
-
-uninstall-local:
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 555b1db..59ce743 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -26,9 +26,6 @@ COMMONLIBS = \
$(top_builddir)/lib/cib/libcib.la \
$(CURSESLIBS) $(CLUSTERLIBS)
-headerdir = $(pkgincludedir)/crm
-header_HEADERS =
-
pcmkdir = $(datadir)/$(PACKAGE)
pcmk_DATA = report.common report.collector
@@ -57,8 +54,6 @@ endif
## SOURCES
-noinst_HEADERS =
-
MAN8DEPS = crm_attribute crm_node
crmadmin_SOURCES = crmadmin.c
@@ -143,10 +138,4 @@ ipmiservicelogd_CFLAGS = $(OPENIPMI_SERVICELOG_CFLAGS) $(SERVICELOG_CFLAGS)
ipmiservicelogd_LDFLAGS = $(top_builddir)/lib/common/libcrmcommon.la $(OPENIPMI_SERVICELOG_LIBS) $(SERVICELOG_LIBS)
endif
-install-exec-local:
-
-uninstall-local:
-
-.PHONY: install-exec-hook
-
CLEANFILES = $(man8_MANS)
--
1.8.3.1
From 048efbf21a84568816b35522ed5f7b84f9ffdc41 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Mon, 20 Jun 2016 15:10:34 +0200
Subject: [PATCH 3/5] Build: drop superfluous libcrmcluster_la_DEPENDENCIES var
---
lib/cluster/Makefile.am | 1 -
1 file changed, 1 deletion(-)
diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am
index dcc1fbd..ffa2a73 100644
--- a/lib/cluster/Makefile.am
+++ b/lib/cluster/Makefile.am
@@ -23,7 +23,6 @@ lib_LTLIBRARIES = libcrmcluster.la
libcrmcluster_la_SOURCES = election.c cluster.c membership.c
libcrmcluster_la_LDFLAGS = -version-info 6:0:2
libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS)
-libcrmcluster_la_DEPENDENCIES = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la
if BUILD_CS_SUPPORT
libcrmcluster_la_SOURCES += cpg.c
--
1.8.3.1
From f5042bf76d048cb1fb77f9a60253cbf5a0ee9fc1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Mon, 20 Jun 2016 21:09:00 +0200
Subject: [PATCH 4/5] Build: cib/Makefile.am: avoid second-guessing Libtool
Explicitly referring to location that is an implementation detail of
Libtool is not very reasonable and appears to be working regardless.
---
lib/cib/Makefile.am | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am
index 07bf261..0c57eee 100644
--- a/lib/cib/Makefile.am
+++ b/lib/cib/Makefile.am
@@ -24,7 +24,7 @@ lib_LTLIBRARIES = libcib.la
libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c
libcib_la_SOURCES += cib_file.c cib_remote.c
-libcib_la_LDFLAGS = -version-info 5:1:1 -L$(top_builddir)/lib/pengine/.libs
+libcib_la_LDFLAGS = -version-info 5:1:1
libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la
libcib_la_CFLAGS = -I$(top_srcdir)
--
1.8.3.1
From 8a86b03d1dbb8bab4a38f39544c519a2e7e85136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Fri, 10 Jun 2016 17:55:57 +0200
Subject: [PATCH 5/5] Build: Makefile.am f.: move/drop comments to reflect
previous commits
* "# lex/yacc issues":
- introduced with 800b0c3 ("CFLAGS = $(CFLAGS_COPY:-Werror=)")
- comment + the statement got separated as of ae6fb13
* "# utils.h pengine.h"
- introduced with a4d9634
- became superfluous as of ef1f2e2
---
fencing/Makefile.am | 4 +---
pengine/Makefile.am | 2 +-
2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/fencing/Makefile.am b/fencing/Makefile.am
index bef6e6e..79fe2ed 100644
--- a/fencing/Makefile.am
+++ b/fencing/Makefile.am
@@ -56,9 +56,6 @@ BUILT_SOURCES = standalone_config.h
stonithd_SOURCES += standalone_config.c config.y config.l
stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c
-
-# lex/yacc issues:
-
endif
stonithd_YFLAGS = -d
@@ -69,6 +66,7 @@ stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/pengine/libpengine.la \
$(CRYPTOLIB) $(CLUSTERLIBS)
+# lex/yacc issues:
CFLAGS = $(CFLAGS_COPY:-Werror=)
CLEANFILES = $(man7_MANS) $(man8_MANS)
diff --git a/pengine/Makefile.am b/pengine/Makefile.am
index 172a86b..170b728 100644
--- a/pengine/Makefile.am
+++ b/pengine/Makefile.am
@@ -58,8 +58,8 @@ man7_MANS = pengine.7
endif
## SOURCES
+
noinst_HEADERS = allocate.h utils.h pengine.h
-#utils.h pengine.h
libpengine_la_LDFLAGS = -version-info 11:0:1
# -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version
--
1.8.3.1
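Review bot: In patch 1/5, lib/fencing/Makefile.am and lib/lrmd/Makefile.am lose `-I$(top_builddir) -I$(top_srcdir)` when their AM_CPPFLAGS definition is replaced by `include $(top_srcdir)/Makefile.common`, whereas lib/common keeps its extra switches through `AM_CPPFLAGS +=`. Makefile.common is not part of this patch, so it cannot be confirmed from here that it supplies those two directories. If it does not, adding `AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir)` after the include in both files would keep the header search path unchanged. Patch 2/5 also drops the per-directory `AM_CFLAGS = $(AM_CPPFLAGS)` lines in lib/fencing, lib/lrmd and lib/services. Since this series prepares for flags set centrally, it is worth confirming with an out-of-tree (VPATH) build that those three libraries still compile with the intended include paths and hardening flags.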

678
002-build-cleanup.patch Normal file

@ -0,0 +1,678 @@
From f4305372f80faafb5a1856f68b06c4dd87f8f521 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Fri, 17 Jun 2016 21:47:34 +0200
Subject: [PATCH 1/3] Build: drop acinclude.m4 never ever used by pacemaker
proper
It was rather used by the management tool being part of heartbeat
project -- pacemaker's precursor -- hence the shared codebase that
just wasn't split carefully.
[note that hearbeat also mistakenly carries that file along while
the reason disappeared as of:
http://hg.linux-ha.org/heartbeat-STABLE_3_0/rev/cf17a3d4167b#l1.39]
---
acinclude.m4 | 39 ---------------------------------------
1 file changed, 39 deletions(-)
delete mode 100644 acinclude.m4
diff --git a/acinclude.m4 b/acinclude.m4
deleted file mode 100644
index fa8fef2..0000000
--- a/acinclude.m4
+++ /dev/null
@@ -1,39 +0,0 @@
-dnl
-dnl local autoconf/automake macros needed for heartbeat
-dnl Started by David Lee <t.d.lee@durham.ac.uk> February 2006
-dnl
-dnl License: GNU General Public License (GPL)
-
-
-dnl AM_CHECK_PYTHON_HEADERS: Find location of python include files.
-dnl Taken from:
-dnl http://source.macgimp.org/
-dnl which is GPL and is attributed to James Henstridge.
-dnl
-dnl AM_CHECK_PYTHON_HEADERS([ACTION-IF-POSSIBLE], [ACTION-IF-NOT-POSSIBLE])
-dnl Imports:
-dnl $PYTHON
-dnl Exports:
-dnl PYTHON_INCLUDES
-
-AC_DEFUN([AM_CHECK_PYTHON_HEADERS],
-[AC_REQUIRE([AM_PATH_PYTHON])
-AC_MSG_CHECKING(for headers required to compile python extensions)
-dnl deduce PYTHON_INCLUDES
-py_prefix=`$PYTHON -c "import sys; print sys.prefix"`
-py_exec_prefix=`$PYTHON -c "import sys; print sys.exec_prefix"`
-PYTHON_INCLUDES="-I${py_prefix}/include/python${PYTHON_VERSION}"
-if test "$py_prefix" != "$py_exec_prefix"; then
- PYTHON_INCLUDES="$PYTHON_INCLUDES -I${py_exec_prefix}/include/python${PYTHON_VERSION}"
-fi
-AC_SUBST(PYTHON_INCLUDES)
-dnl check if the headers exist:
-save_CPPFLAGS="$CPPFLAGS"
-CPPFLAGS="$CPPFLAGS $PYTHON_INCLUDES"
-AC_TRY_CPP([#include <Python.h>],dnl
-[AC_MSG_RESULT(found)
-$1],dnl
-[AC_MSG_RESULT(not found)
-$2])
-CPPFLAGS="$save_CPPFLAGS"
-])
--
1.8.3.1
From 4e0d5c81dae95be2bd3598d2f0dd639b64e5486a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Fri, 17 Jun 2016 22:59:42 +0200
Subject: [PATCH 2/3] Build: configure.ac: drop unused CC_ERRORS, move
CC_EXTRAS
... so as not to delimit the comment and respective code with unrelated
stuff.
---
configure.ac | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/configure.ac b/configure.ac
index 1a393fc..c5b30dc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1703,10 +1703,6 @@ dnl not have CFLAGS in their environment then this should have
dnl no effect. However if CFLAGS was exported from the user's
dnl environment, then the new CFLAGS will also be exported
dnl to sub processes.
-
-CC_ERRORS=""
-CC_EXTRAS=""
-
if export | fgrep " CFLAGS=" > /dev/null; then
SAVED_CFLAGS="$CFLAGS"
unset CFLAGS
@@ -1714,6 +1710,8 @@ if export | fgrep " CFLAGS=" > /dev/null; then
unset SAVED_CFLAGS
fi
+CC_EXTRAS=""
+
if test "$GCC" != yes; then
CFLAGS="$CFLAGS -g"
enable_fatal_warnings=no
--
1.8.3.1
From 9632cd73b758dd4d41c2dbf2b9f10679cc3ee1a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Tue, 21 Jun 2016 19:05:52 +0200
Subject: [PATCH 3/3] Refactor: sanitizing touch on makefiles about to receive
hardening
* whitespace cleanup
* internally provided -D... and -I... switches belong to CPPFLAGS rather
than CFLAGS
* use a following order of the per-target flags:
- CPPFLAGS
- YFLAGS
- CFLAGS
- LDFLAGS
- LDADD/LIBADD
- SOURCES
This is in part to reflect common conditional inclusion of additional
sources (which should preferably immediately follow the main SOURCES
definition) sometimes connected with extending other flags as well.
---
attrd/Makefile.am | 12 ++++++------
cib/Makefile.am | 18 +++++++++---------
crmd/Makefile.am | 31 +++++++++++++++----------------
fencing/Makefile.am | 30 ++++++++++++++++--------------
lib/cib/Makefile.am | 9 +++++----
lib/cluster/Makefile.am | 3 +--
lib/common/Makefile.am | 8 ++++----
lib/fencing/Makefile.am | 8 ++++----
lib/lrmd/Makefile.am | 10 +++++-----
lib/pengine/Makefile.am | 12 ++++++------
lib/services/Makefile.am | 24 ++++++++++++------------
lib/transition/Makefile.am | 9 +++++----
lrmd/Makefile.am | 46 ++++++++++++++++++++++------------------------
mcp/Makefile.am | 4 ++--
pengine/Makefile.am | 16 +++++++---------
15 files changed, 119 insertions(+), 121 deletions(-)
diff --git a/attrd/Makefile.am b/attrd/Makefile.am
index 9a841e5..a116e0e 100644
--- a/attrd/Makefile.am
+++ b/attrd/Makefile.am
@@ -17,16 +17,16 @@
#
include $(top_srcdir)/Makefile.common
-halibdir = $(CRM_DAEMON_DIR)
-halib_PROGRAMS = attrd
+halibdir = $(CRM_DAEMON_DIR)
+halib_PROGRAMS = attrd
## SOURCES
-attrd_SOURCES =
-attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
- $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/cib/libcib.la \
+attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
+ $(top_builddir)/lib/common/libcrmcommon.la \
+ $(top_builddir)/lib/cib/libcib.la \
$(CLUSTERLIBS)
+attrd_SOURCES =
if BUILD_ATOMIC_ATTRD
attrd_SOURCES += main.c commands.c
else
diff --git a/cib/Makefile.am b/cib/Makefile.am
index 8508223..fcb8ce9 100644
--- a/cib/Makefile.am
+++ b/cib/Makefile.am
@@ -23,23 +23,23 @@ hadir = $(sysconfdir)/ha.d
halibdir = $(CRM_DAEMON_DIR)
commmoddir = $(halibdir)/modules/comm
-COMMONLIBS = $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/cib/libcib.la
+COMMONLIBS = $(top_builddir)/lib/common/libcrmcommon.la \
+ $(top_builddir)/lib/cib/libcib.la
## binary progs
halib_PROGRAMS = cib cibmon
## SOURCES
-noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h
+noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h
-cib_SOURCES = io.c messages.c notify.c \
- callbacks.c main.c remote.c common.c
+cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
+ $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS)
-cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
- $(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS)
+cib_SOURCES = io.c messages.c notify.c \
+ callbacks.c main.c remote.c common.c
-cibmon_SOURCES = cibmon.c
-cibmon_LDADD = $(COMMONLIBS)
+cibmon_LDADD = $(COMMONLIBS)
+cibmon_SOURCES = cibmon.c
clean-generic:
rm -f *.log *.debug *.xml *~
diff --git a/crmd/Makefile.am b/crmd/Makefile.am
index c28da0b..979e266 100644
--- a/crmd/Makefile.am
+++ b/crmd/Makefile.am
@@ -24,20 +24,10 @@ halib_PROGRAMS = crmd
## SOURCES
-noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \
- fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \
+noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \
+ fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \
crmd_lrm.h te_callbacks.h tengine.h
-crmd_SOURCES = main.c crmd.c corosync.c notify.c \
- fsa.c control.c messages.c membership.c callbacks.c \
- election.c join_client.c join_dc.c subsystems.c throttle.c \
- cib.c pengine.c tengine.c lrm.c lrm_state.c remote_lrmd_ra.c \
- utils.c misc.c te_events.c te_actions.c te_utils.c te_callbacks.c
-
-if BUILD_HEARTBEAT_SUPPORT
-crmd_SOURCES += heartbeat.c
-endif
-
crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \
$(top_builddir)/lib/transition/libtransitioner.la \
$(top_builddir)/lib/pengine/libpe_rules.la \
@@ -45,19 +35,28 @@ crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \
$(top_builddir)/lib/cluster/libcrmcluster.la \
$(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/services/libcrmservice.la \
- $(top_builddir)/lib/lrmd/liblrmd.la \
+ $(top_builddir)/lib/lrmd/liblrmd.la \
$(CLUSTERLIBS)
+crmd_SOURCES = main.c crmd.c corosync.c notify.c \
+ fsa.c control.c messages.c membership.c callbacks.c \
+ election.c join_client.c join_dc.c subsystems.c throttle.c \
+ cib.c pengine.c tengine.c lrm.c lrm_state.c remote_lrmd_ra.c \
+ utils.c misc.c te_events.c te_actions.c te_utils.c te_callbacks.c
+if BUILD_HEARTBEAT_SUPPORT
+crmd_SOURCES += heartbeat.c
+endif
+
if BUILD_XML_HELP
-man7_MANS = crmd.7
+man7_MANS = crmd.7
endif
-graphs: fsa_inputs.png fsa_inputs_by_action.png fsa_actions_by_state.png
+graphs: fsa_inputs.png fsa_inputs_by_action.png fsa_actions_by_state.png
%.png: %.dot
dot -Tpng $< > $@
-%.dot : fsa_matrix.h make_dot.pl
+%.dot: fsa_matrix.h make_dot.pl
perl $(top_srcdir)/crmd/make_dot.pl $(top_srcdir)/crmd/fsa_matrix.h $(top_builddir)/crmd
CLEANFILES = $(man7_MANS)
diff --git a/fencing/Makefile.am b/fencing/Makefile.am
index 79fe2ed..1d591fc 100644
--- a/fencing/Makefile.am
+++ b/fencing/Makefile.am
@@ -24,13 +24,13 @@ test_SCRIPTS = regression.py
halibdir = $(CRM_DAEMON_DIR)
halib_PROGRAMS = stonithd stonith-test
-sbin_PROGRAMS = stonith_admin
-sbin_SCRIPTS = fence_legacy fence_pcmk
+sbin_PROGRAMS = stonith_admin
+sbin_SCRIPTS = fence_legacy fence_pcmk
-noinst_HEADERS = internal.h
+noinst_HEADERS = internal.h
if BUILD_XML_HELP
-man7_MANS = stonithd.7
+man7_MANS = stonithd.7
endif
stonith_test_SOURCES = test.c
@@ -49,23 +49,25 @@ stonith_admin_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/fencing/libstonithd.la \
$(CRYPTOLIB) $(CLUSTERLIBS)
-stonithd_CFLAGS = -I$(top_srcdir)/pengine
-stonithd_SOURCES = main.c commands.c remote.c
-if BUILD_STONITH_CONFIG
-BUILT_SOURCES = standalone_config.h
-
-stonithd_SOURCES += standalone_config.c config.y config.l
-stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c
-endif
-stonithd_YFLAGS = -d
+stonithd_CPPFLAGS = -I$(top_srcdir)/pengine $(AM_CPPFLAGS)
+stonithd_YFLAGS = -d
stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/cluster/libcrmcluster.la \
$(top_builddir)/lib/fencing/libstonithd.la \
$(top_builddir)/lib/pengine/libpe_status.la \
- $(top_builddir)/pengine/libpengine.la \
+ $(top_builddir)/pengine/libpengine.la \
$(CRYPTOLIB) $(CLUSTERLIBS)
+stonithd_SOURCES = main.c commands.c remote.c
+
+if BUILD_STONITH_CONFIG
+BUILT_SOURCES = standalone_config.h
+
+stonithd_SOURCES += standalone_config.c config.y config.l
+stonithd_AM_LFLAGS = -o$(LEX_OUTPUT_ROOT).c
+endif
+
# lex/yacc issues:
CFLAGS = $(CFLAGS_COPY:-Werror=)
diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am
index 0c57eee..e414a7f 100644
--- a/lib/cib/Makefile.am
+++ b/lib/cib/Makefile.am
@@ -18,15 +18,16 @@
include $(top_srcdir)/Makefile.common
## libraries
-lib_LTLIBRARIES = libcib.la
+lib_LTLIBRARIES = libcib.la
## SOURCES
libcib_la_SOURCES = cib_ops.c cib_utils.c cib_client.c cib_native.c cib_attrs.c
-libcib_la_SOURCES += cib_file.c cib_remote.c
+libcib_la_SOURCES += cib_file.c cib_remote.c
libcib_la_LDFLAGS = -version-info 5:1:1
-libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la
-libcib_la_CFLAGS = -I$(top_srcdir)
+libcib_la_CPPFLAGS = -I$(top_srcdir) $(AM_CPPFLAGS)
+
+libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la
clean-generic:
rm -f *.log *.debug *.xml *~
diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am
index ffa2a73..06d7066 100644
--- a/lib/cluster/Makefile.am
+++ b/lib/cluster/Makefile.am
@@ -20,10 +20,10 @@ include $(top_srcdir)/Makefile.common
## libraries
lib_LTLIBRARIES = libcrmcluster.la
-libcrmcluster_la_SOURCES = election.c cluster.c membership.c
libcrmcluster_la_LDFLAGS = -version-info 6:0:2
libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS)
+libcrmcluster_la_SOURCES = election.c cluster.c membership.c
if BUILD_CS_SUPPORT
libcrmcluster_la_SOURCES += cpg.c
if BUILD_CS_PLUGIN
@@ -32,7 +32,6 @@ else
libcrmcluster_la_SOURCES += corosync.c
endif
endif
-
if BUILD_HEARTBEAT_SUPPORT
libcrmcluster_la_SOURCES += heartbeat.c
#libcrmcluster_la_LIBADD += -ldl
diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am
index 111628f..7550ec1 100644
--- a/lib/common/Makefile.am
+++ b/lib/common/Makefile.am
@@ -31,16 +31,16 @@ lib_LTLIBRARIES = libcrmcommon.la
CFLAGS = $(CFLAGS_COPY:-Wcast-qual=) -fPIC
+libcrmcommon_la_LDFLAGS = -version-info 9:0:6
+libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm
+
libcrmcommon_la_SOURCES = compat.c digest.c ipc.c io.c procfs.c utils.c xml.c \
iso8601.c remote.c mainloop.c logging.c watchdog.c \
xpath.c
if BUILD_CIBSECRETS
libcrmcommon_la_SOURCES += cib_secrets.c
endif
-
-libcrmcommon_la_LDFLAGS = -version-info 9:0:6
-libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm
-libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c
+libcrmcommon_la_SOURCES += $(top_builddir)/lib/gnu/md5.c
clean-generic:
rm -f *.log *.debug *.xml *~
diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am
index a9f9874..85ae40a 100644
--- a/lib/fencing/Makefile.am
+++ b/lib/fencing/Makefile.am
@@ -18,8 +18,8 @@
#
include $(top_srcdir)/Makefile.common
-lib_LTLIBRARIES = libstonithd.la
+lib_LTLIBRARIES = libstonithd.la
-libstonithd_la_SOURCES = st_client.c
-libstonithd_la_LDFLAGS = -version-info 4:1:2
-libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
+libstonithd_la_LDFLAGS = -version-info 4:1:2
+libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
+libstonithd_la_SOURCES = st_client.c
diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am
index c23fef5..25f3d55 100644
--- a/lib/lrmd/Makefile.am
+++ b/lib/lrmd/Makefile.am
@@ -16,10 +16,10 @@
#
include $(top_srcdir)/Makefile.common
-lib_LTLIBRARIES = liblrmd.la
+lib_LTLIBRARIES = liblrmd.la
-liblrmd_la_SOURCES = lrmd_client.c proxy_common.c
-liblrmd_la_LDFLAGS = -version-info 4:0:3
-liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/services/libcrmservice.la \
+liblrmd_la_LDFLAGS = -version-info 4:0:3
+liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \
+ $(top_builddir)/lib/services/libcrmservice.la \
$(top_builddir)/lib/fencing/libstonithd.la
+liblrmd_la_SOURCES = lrmd_client.c proxy_common.c
diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am
index a0d19e5..de760c3 100644
--- a/lib/pengine/Makefile.am
+++ b/lib/pengine/Makefile.am
@@ -18,19 +18,19 @@
include $(top_srcdir)/Makefile.common
## libraries
-lib_LTLIBRARIES = libpe_rules.la libpe_status.la
+lib_LTLIBRARIES = libpe_rules.la libpe_status.la
## SOURCES
-noinst_HEADERS = unpack.h variant.h
+noinst_HEADERS = unpack.h variant.h
libpe_rules_la_LDFLAGS = -version-info 2:6:0
-libpe_rules_la_SOURCES = rules.c common.c
libpe_rules_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
+libpe_rules_la_SOURCES = rules.c common.c
libpe_status_la_LDFLAGS = -version-info 11:0:1
-libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \
- group.c clone.c rules.c common.c remote.c
-libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la
+libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la
+libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \
+ group.c clone.c rules.c common.c remote.c
clean-generic:
rm -f *.log *.debug *~
diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am
index 2797b53..c789fbd 100644
--- a/lib/services/Makefile.am
+++ b/lib/services/Makefile.am
@@ -18,24 +18,24 @@
MAINTAINERCLEANFILES = Makefile.in
-AM_CPPFLAGS = -I$(top_builddir)/include
+AM_CPPFLAGS = -I$(top_builddir)/include
-lib_LTLIBRARIES = libcrmservice.la
-noinst_HEADERS = upstart.h systemd.h services_private.h
+lib_LTLIBRARIES = libcrmservice.la
+noinst_HEADERS = upstart.h systemd.h services_private.h
-libcrmservice_la_SOURCES = services.c services_linux.c
-libcrmservice_la_LDFLAGS = -version-info 4:1:1
-libcrmservice_la_CFLAGS = $(GIO_CFLAGS) -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\"
-libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS)
+libcrmservice_la_LDFLAGS = -version-info 4:1:1
+libcrmservice_la_CPPFLAGS = -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" $(AM_CPPFLAGS)
+libcrmservice_la_CFLAGS = $(GIO_CFLAGS)
+libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS)
+
+libcrmservice_la_SOURCES = services.c services_linux.c
if BUILD_DBUS
-libcrmservice_la_SOURCES += dbus.c
+libcrmservice_la_SOURCES += dbus.c
endif
-
if BUILD_UPSTART
-libcrmservice_la_SOURCES += upstart.c
+libcrmservice_la_SOURCES += upstart.c
endif
-
if BUILD_SYSTEMD
-libcrmservice_la_SOURCES += systemd.c
+libcrmservice_la_SOURCES += systemd.c
endif
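Review bot: lib/services/Makefile.am still defines `MAINTAINERCLEANFILES` and `AM_CPPFLAGS` by hand, while the other Makefile.am files in this patch use `include $(top_srcdir)/Makefile.common`. Its `AM_CPPFLAGS` also names only `-I$(top_builddir)/include`, and the new `libcrmservice_la_CPPFLAGS` inherits that shorter list through `$(AM_CPPFLAGS)`. If lib/services has no reason to differ, replacing the two assignments with `include $(top_srcdir)/Makefile.common` keeps the include path in one place. If it does, a comment above `AM_CPPFLAGS` should state the reason.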
diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am
index 7bcfc1a..9bc039e 100644
--- a/lib/transition/Makefile.am
+++ b/lib/transition/Makefile.am
@@ -18,14 +18,15 @@
include $(top_srcdir)/Makefile.common
## libraries
-lib_LTLIBRARIES = libtransitioner.la
+lib_LTLIBRARIES = libtransitioner.la
## SOURCES
-libtransitioner_la_SOURCES = unpack.c graph.c utils.c
libtransitioner_la_LDFLAGS = -version-info 2:5:0
-libtransitioner_la_CFLAGS = -I$(top_builddir)
-libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
+libtransitioner_la_CPPFLAGS = -I$(top_builddir) $(AM_CPPFLAGS)
+
+libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
+libtransitioner_la_SOURCES = unpack.c graph.c utils.c
clean-generic:
rm -f *~
diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am
index 556d48a..64df105 100644
--- a/lrmd/Makefile.am
+++ b/lrmd/Makefile.am
@@ -19,45 +19,43 @@ include $(top_srcdir)/Makefile.common
testdir = $(datadir)/$(PACKAGE)/tests/lrmd
test_SCRIPTS = regression.py
-lrmdlibdir = $(CRM_DAEMON_DIR)
-lrmdlib_PROGRAMS = lrmd lrmd_test lrmd_internal_ctl
+lrmdlibdir = $(CRM_DAEMON_DIR)
+lrmdlib_PROGRAMS = lrmd lrmd_test lrmd_internal_ctl
-initdir = $(INITDIR)
-init_SCRIPTS = pacemaker_remote
-sbin_PROGRAMS = pacemaker_remoted
+initdir = $(INITDIR)
+init_SCRIPTS = pacemaker_remote
+sbin_PROGRAMS = pacemaker_remoted
if BUILD_SYSTEMD
-systemdunit_DATA = pacemaker_remote.service
+systemdunit_DATA = pacemaker_remote.service
endif
-lrmd_SOURCES = main.c lrmd.c
lrmd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/services/libcrmservice.la \
- $(top_builddir)/lib/lrmd/liblrmd.la \
+ $(top_builddir)/lib/services/libcrmservice.la \
+ $(top_builddir)/lib/lrmd/liblrmd.la \
$(top_builddir)/lib/fencing/libstonithd.la ${COMPAT_LIBS}
+lrmd_SOURCES = main.c lrmd.c
+pacemaker_remoted_CPPFLAGS = -DSUPPORT_REMOTE $(AM_CPPFLAGS)
-pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c
-pacemaker_remoted_CFLAGS = -DSUPPORT_REMOTE
pacemaker_remoted_LDADD = $(lrmd_LDADD)
+pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c
-
+lrmd_internal_ctl_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
+ $(top_builddir)/lib/lrmd/liblrmd.la \
+ $(top_builddir)/lib/cib/libcib.la \
+ $(top_builddir)/lib/services/libcrmservice.la \
+ $(top_builddir)/lib/pengine/libpe_status.la \
+ $(top_builddir)/pengine/libpengine.la
lrmd_internal_ctl_SOURCES = remote_ctl.c
-lrmd_internal_ctl_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/lrmd/liblrmd.la \
- $(top_builddir)/lib/cib/libcib.la \
- $(top_builddir)/lib/services/libcrmservice.la \
- $(top_builddir)/lib/pengine/libpe_status.la \
- $(top_builddir)/pengine/libpengine.la
-
-lrmd_test_SOURCES = test.c
lrmd_test_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/lrmd/liblrmd.la \
- $(top_builddir)/lib/cib/libcib.la \
- $(top_builddir)/lib/services/libcrmservice.la \
- $(top_builddir)/lib/pengine/libpe_status.la \
+ $(top_builddir)/lib/lrmd/liblrmd.la \
+ $(top_builddir)/lib/cib/libcib.la \
+ $(top_builddir)/lib/services/libcrmservice.la \
+ $(top_builddir)/lib/pengine/libpe_status.la \
$(top_builddir)/pengine/libpengine.la
+lrmd_test_SOURCES = test.c
noinst_HEADERS = lrmd_private.h
diff --git a/mcp/Makefile.am b/mcp/Makefile.am
index 1b3720a..195530a 100644
--- a/mcp/Makefile.am
+++ b/mcp/Makefile.am
@@ -24,16 +24,16 @@ init_SCRIPTS = pacemaker
sbin_PROGRAMS = pacemakerd
if BUILD_SYSTEMD
-systemdunit_DATA = pacemaker.service
+systemdunit_DATA = pacemaker.service
endif
## SOURCES
noinst_HEADERS = pacemaker.h
-pacemakerd_SOURCES = pacemaker.c corosync.c
pacemakerd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la $(top_builddir)/lib/common/libcrmcommon.la
pacemakerd_LDADD += $(CLUSTERLIBS)
+pacemakerd_SOURCES = pacemaker.c corosync.c
endif
diff --git a/pengine/Makefile.am b/pengine/Makefile.am
index 170b728..96c914f 100644
--- a/pengine/Makefile.am
+++ b/pengine/Makefile.am
@@ -17,7 +17,7 @@
#
include $(top_srcdir)/Makefile.common
-AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir)
+AM_CPPFLAGS += -I$(top_builddir) -I$(top_srcdir)
halibdir = $(CRM_DAEMON_DIR)
@@ -30,9 +30,8 @@ test_DATA = regression.core.sh
test10dir = $(datadir)/$(PACKAGE)/tests/pengine/test10
test10_DATA = $(PE_TESTS) $(PE_TESTS:%.scores=%.xml) $(PE_TESTS:%.scores=%.exp) $(PE_TESTS:%.scores=%.dot) $(PE_TESTS:%.scores=%.summary) $(wildcard test10/*.stderr)
-COMMONLIBS = \
- $(top_builddir)/lib/common/libcrmcommon.la \
- $(top_builddir)/lib/pengine/libpe_status.la \
+COMMONLIBS = $(top_builddir)/lib/common/libcrmcommon.la \
+ $(top_builddir)/lib/pengine/libpe_status.la \
libpengine.la $(CURSESLIBS) $(CLUSTERLIBS)
beekhof:
@@ -62,17 +61,16 @@ endif
noinst_HEADERS = allocate.h utils.h pengine.h
libpengine_la_LDFLAGS = -version-info 11:0:1
+libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \
+ $(top_builddir)/lib/cib/libcib.la
# -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version
libpengine_la_SOURCES = pengine.c allocate.c utils.c constraints.c
-libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c
+libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c
-libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \
- $(top_builddir)/lib/cib/libcib.la
-
-pengine_SOURCES = main.c
pengine_LDADD = $(top_builddir)/lib/cib/libcib.la $(COMMONLIBS)
# libcib for get_object_root()
# $(top_builddir)/lib/hbclient/libhbclient.la
+pengine_SOURCES = main.c
install-exec-local:
$(mkinstalldirs) $(DESTDIR)/$(PE_STATE_DIR)
--
1.8.3.1

603
003-harden-toolchain.patch Normal file

@ -0,0 +1,603 @@
From 658fff9445711b8402029bc2916fccbc5d6fd8fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Tue, 21 Jun 2016 19:16:43 +0200
Subject: [PATCH 1/2] Feature: conditional hardening, especially for daemons +
libraries
So far the build system has not been concerned with run-time hardening
measures the typical toolchains provide (beside unconditional enforcing
of -fstack-protector-all). Hence make a step in that direction,
enabling following if available and anticipating more to come:
[$LD -z relro]
- daemons incl. libs
- make some parts of Global Offset Table (GOT) read-only
[$CC -fPIE + ld -pie]
- daemons
- benefit from Address Space Layout Randomization (ASLR) for code
areas
[$LD -z now]
- daemons incl. libs, only when the former two features are supported
- all symbols are resolved initially to that complete GOT is read-only
[$CC -fstack-protector-strong/-fstack-protector-all/-fstack-protector]
- universal
- extra run-time checks for buffer overflows
- NOTE:
in case -fstack-protector-strong is supported, this is effectively
a weakening of previously enforced -fstack-protector-all, but note
that this variant comes with not entirely negligible performance
penalty [1], making "strong" variant a reasonable tradeoff for
something that is not in the prime line of possible attacks
For details on how to instruct configure script to do the right
thing (for when the default won't cut it), see detailed comment
in configure.ac under "Hardening flags" section.
[1] http://nvlpubs.nist.gov/nistpubs/TechnicalNotes/NIST.TN.1860.pdf
---
acinclude.m4 | 25 +++++++++
attrd/Makefile.am | 3 +
cib/Makefile.am | 3 +
configure.ac | 135 +++++++++++++++++++++++++++++++++++++++++++--
crmd/Makefile.am | 3 +
fencing/Makefile.am | 3 +
lib/cib/Makefile.am | 3 +
lib/cluster/Makefile.am | 4 ++
lib/common/Makefile.am | 4 ++
lib/fencing/Makefile.am | 4 ++
lib/lrmd/Makefile.am | 4 ++
lib/pengine/Makefile.am | 8 +++
lib/services/Makefile.am | 3 +
lib/transition/Makefile.am | 3 +
lrmd/Makefile.am | 6 ++
mcp/Makefile.am | 3 +
pacemaker.spec.in | 17 ++++++
pengine/Makefile.am | 6 ++
18 files changed, 231 insertions(+), 6 deletions(-)
create mode 100644 acinclude.m4
diff --git a/acinclude.m4 b/acinclude.m4
new file mode 100644
index 0000000..ecaa1dd
--- /dev/null
+++ b/acinclude.m4
@@ -0,0 +1,25 @@
+dnl
+dnl local autoconf/automake macros for pacemaker
+dnl
+
+dnl Check if the flag is supported by linker (cacheable)
+dnl CC_CHECK_LDFLAGS([FLAG], [ACTION-IF-FOUND],[ACTION-IF-NOT-FOUND])
+dnl
+dnl Origin (declared license: GPLv2+ with less restrictive exception):
+dnl https://git.gnome.org/browse/glib/tree/m4macros/attributes.m4?h=2.49.1
+dnl (AC_LANG_PROGRAM substituted by Jan Pokorny <jpokorny@redhat.com>)
+
+AC_DEFUN([CC_CHECK_LDFLAGS], [
+ AC_CACHE_CHECK([if $CC supports $1 flag],
+ AS_TR_SH([cc_cv_ldflags_$1]),
+ [ac_save_LDFLAGS="$LDFLAGS"
+ LDFLAGS="$LDFLAGS $1"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[]], [[]])],
+ [eval "AS_TR_SH([cc_cv_ldflags_$1])='yes'"],
+ [eval "AS_TR_SH([cc_cv_ldflags_$1])="])
+ LDFLAGS="$ac_save_LDFLAGS"
+ ])
+
+ AS_IF([eval test x$]AS_TR_SH([cc_cv_ldflags_$1])[ = xyes],
+ [$2], [$3])
+])
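Review bot: `CC_CHECK_LDFLAGS` treats a flag as supported whenever the empty program links, so a linker that only warns about an option it ignores is cached as `yes`. GNU ld is known to warn rather than fail on unrecognised `-z` keywords, so the later `Hardening: relro=… bindnow=…` notice can claim protections the binaries do not have. Where the linker accepts it, making warnings fatal for the probe would close this gap, e.g. `LDFLAGS="$LDFLAGS -Wl,--fatal-warnings $1"`. Otherwise a post-build check for `GNU_RELRO` and `BIND_NOW` with `readelf -lW` / `readelf -dW` would catch the mismatch.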
diff --git a/attrd/Makefile.am b/attrd/Makefile.am
index a116e0e..6eaaae2 100644
--- a/attrd/Makefile.am
+++ b/attrd/Makefile.am
@@ -21,6 +21,9 @@ halibdir = $(CRM_DAEMON_DIR)
halib_PROGRAMS = attrd
## SOURCES
+attrd_CFLAGS = $(CFLAGS_HARDENED_EXE)
+attrd_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
attrd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
$(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/cib/libcib.la \
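Review bot: `attrd_CFLAGS` and `attrd_LDFLAGS` are assigned without `$(AM_CFLAGS)` / `$(AM_LDFLAGS)`, and automake stops applying the `AM_` variable to any target that has its own per-target one. The cleanup patch earlier on this page appends `$(AM_CPPFLAGS)` to every per-target `_CPPFLAGS`, presumably for the same reason. No `AM_CFLAGS` definition is visible here, so this is latent, but `attrd_CFLAGS = $(CFLAGS_HARDENED_EXE) $(AM_CFLAGS)` would keep a future project-wide flag from silently skipping the hardened daemons and libraries. The same applies to the matching assignments in the cib, crmd, fencing, lrmd, mcp, pengine and lib/* hunks that follow.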
diff --git a/cib/Makefile.am b/cib/Makefile.am
index fcb8ce9..4273191 100644
--- a/cib/Makefile.am
+++ b/cib/Makefile.am
@@ -32,6 +32,9 @@ halib_PROGRAMS = cib cibmon
## SOURCES
noinst_HEADERS = callbacks.h cibio.h cibmessages.h common.h notify.h
+cib_CFLAGS = $(CFLAGS_HARDENED_EXE)
+cib_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
cib_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la \
$(COMMONLIBS) $(CRYPTOLIB) $(CLUSTERLIBS)
diff --git a/configure.ac b/configure.ac
index c5b30dc..edf6a91 100644
--- a/configure.ac
+++ b/configure.ac
@@ -196,6 +196,13 @@ AC_ARG_ENABLE([systemd],
[ --enable-systemd
Do not build support for the Systemd init system [default=yes]])
+AC_ARG_ENABLE(hardening,
+ [ --with-hardening
+ Harden the resulting executables/libraries (best effort by default)],
+ [ HARDENING="${enableval}" ],
+ [ HARDENING=try ],
+)
+
AC_ARG_WITH(ais,
[ --with-ais
Support the Corosync messaging and membership layer ],
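Review bot: The help string advertises `--with-hardening`, but the option is registered through `AC_ARG_ENABLE`, so only `--enable-hardening[=try]` and `--disable-hardening` are handled. The "Hardening flags" comment later in this file and the spec's `--disable-hardening` both use the enable form. A builder who follows `./configure --help` and passes `--without-hardening` would still get the default `try` behaviour. The help line should read `[  --enable-hardening`.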
@@ -1710,6 +1717,12 @@ if export | fgrep " CFLAGS=" > /dev/null; then
unset SAVED_CFLAGS
fi
+AC_ARG_VAR([CFLAGS_HARDENED_LIB], [extra C compiler flags for hardened libraries])
+AC_ARG_VAR([LDFLAGS_HARDENED_LIB], [extra linker flags for hardened libraries])
+
+AC_ARG_VAR([CFLAGS_HARDENED_EXE], [extra C compiler flags for hardened executables])
+AC_ARG_VAR([LDFLAGS_HARDENED_EXE], [extra linker flags for hardened executables])
+
CC_EXTRAS=""
if test "$GCC" != yes; then
@@ -1785,12 +1798,6 @@ dnl otherwise none of both
# Additional warnings it might be nice to enable one day
# -Wshadow
# -Wunreachable-code
- case "$host_os" in
- *solaris*) ;;
- *) EXTRA_FLAGS="$EXTRA_FLAGS
- -fstack-protector-all"
- ;;
- esac
for j in $EXTRA_FLAGS
do
if
@@ -1829,6 +1836,118 @@ dnl System specific options
AC_MSG_NOTICE(Activated additional gcc flags: ${CC_EXTRAS})
fi
+dnl
+dnl Hardening flags
+dnl
+dnl The prime control of whether to apply (targeted) hardening build flags and
+dnl which ones is --{enable,disable}-hardening option passed to ./configure:
+dnl
+dnl --enable-hardening=try (default):
+dnl depending on whether any of CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE,
+dnl CFLAGS_HARDENED_LIB or LDFLAGS_HARDENED_LIB environment variables
+dnl (see below) is set and non-null, all these custom flags (even if not
+dnl set) are used as are, otherwise the best effort is made to offer
+dnl reasonably strong hardening in several categories (RELRO, PIE,
+dnl "bind now", stack protector) according to what the selected toolchain
+dnl can offer
+dnl
+dnl --enable-hardening:
+dnl same effect as --enable-hardening=try when the environment variables
+dnl in question are suppressed
+dnl
+dnl --disable-hardening:
+dnl do not apply any targeted hardening measures at all
+dnl
+dnl The user-injected environment variables that regulate the hardening in
+dnl default case are as follows:
+dnl
+dnl * CFLAGS_HARDENED_EXE, LDFLAGS_HARDENED_EXE
+dnl compiler and linker flags (respectively) for daemon programs
+dnl (attrd, cib, crmd, lrmd, stonithd, pacemakerd, pacemaker_remoted,
+dnl pengine)
+dnl
+dnl * CFLAGS_HARDENED_LIB, LDFLAGS_HARDENED_LIB
+dnl compiler and linker flags (respectively) for libraries linked
+dnl with the daemon programs
+dnl
+dnl Note that these are purposedly targeted variables (addressing particular
+dnl targets all over the scattered Makefiles) and have no effect outside of
+dnl the predestined scope (e.g., CLI utilities). For a global reach,
+dnl use CFLAGS, LDFLAGS, etc. as usual.
+dnl
+dnl For guidance on the suitable flags consult, for instance:
+dnl https://fedoraproject.org/wiki/Changes/Harden_All_Packages#Detailed_Harden_Flags_Description
+dnl https://owasp.org/index.php/C-Based_Toolchain_Hardening#GCC.2FBinutils
+dnl
+
+if test "x${HARDENING}" != "xtry"; then
+ unset CFLAGS_HARDENED_EXE
+ unset CFLAGS_HARDENED_LIB
+ unset LDFLAGS_HARDENED_EXE
+ unset LDFLAGS_HARDENED_LIB
+fi
+if test "x${HARDENING}" = "xno"; then
+ AC_MSG_NOTICE([Hardening: explicitly disabled])
+elif test "x${HARDENING}" = "xyes" \
+ || test "$(env | grep -Ec '^(C|LD)FLAGS_HARDENED_(EXE|LIB)=.')" = 0; then
+ dnl We'll figure out on our own...
+ CFLAGS_HARDENED_EXE=
+ CFLAGS_HARDENED_LIB=
+ LDFLAGS_HARDENED_EXE=
+ LDFLAGS_HARDENED_LIB=
+ relro=0
+ pie=0
+ bindnow=0
+ # daemons incl. libs: partial RELRO
+ flag="-Wl,-z,relro"
+ CC_CHECK_LDFLAGS(["${flag}"],
+ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}";
+ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}";
+ relro=1]
+ )
+ # daemons: PIE for both CFLAGS and LDFLAGS
+ if cc_supports_flag -fPIE; then
+ flag="-pie"
+ CC_CHECK_LDFLAGS(["${flag}"],
+ [CFLAGS_HARDENED_EXE="${CFLAGS_HARDENED_EXE} -fPIE";
+ LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}";
+ pie=1]
+ )
+ fi
+ # daemons incl. libs: full RELRO if sensible
+ if test "${relro}" = 1 && test "${pie}" = 1; then
+ flag="-Wl,-z,now"
+ CC_CHECK_LDFLAGS(["${flag}"],
+ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}";
+ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}";
+ bindnow=1]
+ )
+ fi
+ # universal: prefer strong > all > default stack protector if possible
+ flag=
+ if cc_supports_flag -fstack-protector-strong; then
+ flag="-fstack-protector-strong"
+ elif cc_supports_flag -fstack-protector-all; then
+ flag="-fstack-protector-all"
+ elif cc_supports_flag -fstack-protector; then
+ flag="-fstack-protector"
+ fi
+ if test -n "${flag}"; then
+ CC_EXTRAS="${CC_EXTRAS} ${flag}"
+ stackprot=1
+ fi
+ if test "${relro}" = 1 \
+ || test "${pie}" = 1 \
+ || test "${stackprot}" = 1; then
+ AC_MSG_NOTICE(
+ [Hardening: relro=${relro} pie=${pie} bindnow=${bindnow} stackprot=${flag}])
+ else
+ AC_MSG_WARN([Hardening: no suitable features in the toolchain detected])
+ fi
+else
+ AC_MSG_NOTICE([Hardening: using custom flags])
+fi
+
CFLAGS="$CFLAGS $CC_EXTRAS"
NON_FATAL_CFLAGS="$CFLAGS"
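Review bot: The final `else` branch ("using custom flags") appends nothing to `CC_EXTRAS`, so the stack-protector probe is skipped once any one of the four `*_HARDENED_*` variables is non-empty. Because this patch also removes the unconditional `-fstack-protector-all`, code outside the targeted daemons and libraries is then built without a stack protector unless the builder's own `CFLAGS` supplies one. If that is intended, the "Hardening flags" comment should say so, e.g. `dnl NOTE: with custom flags no stack protector is added; supply it via CFLAGS`. Separately, `stackprot` is not reset next to `relro=0`, `pie=0` and `bindnow=0`, so a value inherited from the environment would feed `test "${stackprot}" = 1`; add `stackprot=0` there.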
@@ -1978,5 +2097,9 @@ AC_MSG_RESULT([ HA group name = ${CRM_DAEMON_GROUP}])
AC_MSG_RESULT([ HA user name = ${CRM_DAEMON_USER}])
AC_MSG_RESULT([])
AC_MSG_RESULT([ CFLAGS = ${CFLAGS}])
+AC_MSG_RESULT([ CFLAGS_HARDENED_EXE = ${CFLAGS_HARDENED_EXE}])
+AC_MSG_RESULT([ CFLAGS_HARDENED_LIB = ${CFLAGS_HARDENED_LIB}])
+AC_MSG_RESULT([ LDFLAGS_HARDENED_EXE = ${LDFLAGS_HARDENED_EXE}])
+AC_MSG_RESULT([ LDFLAGS_HARDENED_LIB = ${LDFLAGS_HARDENED_LIB}])
AC_MSG_RESULT([ Libraries = ${LIBS}])
AC_MSG_RESULT([ Stack Libraries = ${CLUSTERLIBS}])
diff --git a/crmd/Makefile.am b/crmd/Makefile.am
index 979e266..6d5ee9a 100644
--- a/crmd/Makefile.am
+++ b/crmd/Makefile.am
@@ -28,6 +28,9 @@ noinst_HEADERS = crmd.h crmd_fsa.h crmd_messages.h fsa_defines.h \
fsa_matrix.h fsa_proto.h crmd_utils.h crmd_callbacks.h \
crmd_lrm.h te_callbacks.h tengine.h
+crmd_CFLAGS = $(CFLAGS_HARDENED_EXE)
+crmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
crmd_LDADD = $(top_builddir)/lib/fencing/libstonithd.la \
$(top_builddir)/lib/transition/libtransitioner.la \
$(top_builddir)/lib/pengine/libpe_rules.la \
diff --git a/fencing/Makefile.am b/fencing/Makefile.am
index 1d591fc..c53ead6 100644
--- a/fencing/Makefile.am
+++ b/fencing/Makefile.am
@@ -52,6 +52,9 @@ stonith_admin_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
stonithd_CPPFLAGS = -I$(top_srcdir)/pengine $(AM_CPPFLAGS)
stonithd_YFLAGS = -d
+stonithd_CFLAGS = $(CFLAGS_HARDENED_EXE)
+stonithd_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
stonithd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/cluster/libcrmcluster.la \
$(top_builddir)/lib/fencing/libstonithd.la \
diff --git a/lib/cib/Makefile.am b/lib/cib/Makefile.am
index e414a7f..637ea8c 100644
--- a/lib/cib/Makefile.am
+++ b/lib/cib/Makefile.am
@@ -27,6 +27,9 @@ libcib_la_SOURCES += cib_file.c cib_remote.c
libcib_la_LDFLAGS = -version-info 5:1:1
libcib_la_CPPFLAGS = -I$(top_srcdir) $(AM_CPPFLAGS)
+libcib_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libcib_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libcib_la_LIBADD = $(CRYPTOLIB) $(top_builddir)/lib/pengine/libpe_rules.la $(top_builddir)/lib/common/libcrmcommon.la
clean-generic:
diff --git a/lib/cluster/Makefile.am b/lib/cluster/Makefile.am
index 06d7066..9a57bbb 100644
--- a/lib/cluster/Makefile.am
+++ b/lib/cluster/Makefile.am
@@ -21,6 +21,10 @@ include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = libcrmcluster.la
libcrmcluster_la_LDFLAGS = -version-info 6:0:2
+
+libcrmcluster_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libcrmcluster_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libcrmcluster_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la $(top_builddir)/lib/fencing/libstonithd.la $(CLUSTERLIBS)
libcrmcluster_la_SOURCES = election.c cluster.c membership.c
diff --git a/lib/common/Makefile.am b/lib/common/Makefile.am
index 7550ec1..0e1ad29 100644
--- a/lib/common/Makefile.am
+++ b/lib/common/Makefile.am
@@ -32,6 +32,10 @@ lib_LTLIBRARIES = libcrmcommon.la
CFLAGS = $(CFLAGS_COPY:-Wcast-qual=) -fPIC
libcrmcommon_la_LDFLAGS = -version-info 9:0:6
+
+libcrmcommon_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libcrmcommon_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libcrmcommon_la_LIBADD = @LIBADD_DL@ $(GNUTLSLIBS) -lm
libcrmcommon_la_SOURCES = compat.c digest.c ipc.c io.c procfs.c utils.c xml.c \
diff --git a/lib/fencing/Makefile.am b/lib/fencing/Makefile.am
index 85ae40a..dc15799 100644
--- a/lib/fencing/Makefile.am
+++ b/lib/fencing/Makefile.am
@@ -21,5 +21,9 @@ include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = libstonithd.la
libstonithd_la_LDFLAGS = -version-info 4:1:2
+
+libstonithd_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libstonithd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libstonithd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
libstonithd_la_SOURCES = st_client.c
diff --git a/lib/lrmd/Makefile.am b/lib/lrmd/Makefile.am
index 25f3d55..611675e 100644
--- a/lib/lrmd/Makefile.am
+++ b/lib/lrmd/Makefile.am
@@ -19,6 +19,10 @@ include $(top_srcdir)/Makefile.common
lib_LTLIBRARIES = liblrmd.la
liblrmd_la_LDFLAGS = -version-info 4:0:3
+
+liblrmd_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+liblrmd_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
liblrmd_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/services/libcrmservice.la \
$(top_builddir)/lib/fencing/libstonithd.la
diff --git a/lib/pengine/Makefile.am b/lib/pengine/Makefile.am
index de760c3..ad5c5c3 100644
--- a/lib/pengine/Makefile.am
+++ b/lib/pengine/Makefile.am
@@ -24,10 +24,18 @@ lib_LTLIBRARIES = libpe_rules.la libpe_status.la
noinst_HEADERS = unpack.h variant.h
libpe_rules_la_LDFLAGS = -version-info 2:6:0
+
+libpe_rules_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libpe_rules_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libpe_rules_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
libpe_rules_la_SOURCES = rules.c common.c
libpe_status_la_LDFLAGS = -version-info 11:0:1
+
+libpe_status_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libpe_status_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libpe_status_la_LIBADD = @CURSESLIBS@ $(top_builddir)/lib/common/libcrmcommon.la
libpe_status_la_SOURCES = status.c unpack.c utils.c complex.c native.c \
group.c clone.c rules.c common.c remote.c
diff --git a/lib/services/Makefile.am b/lib/services/Makefile.am
index c789fbd..b3208c2 100644
--- a/lib/services/Makefile.am
+++ b/lib/services/Makefile.am
@@ -27,6 +27,9 @@ libcrmservice_la_LDFLAGS = -version-info 4:1:1
libcrmservice_la_CPPFLAGS = -DOCF_ROOT_DIR=\"@OCF_ROOT_DIR@\" $(AM_CPPFLAGS)
libcrmservice_la_CFLAGS = $(GIO_CFLAGS)
+libcrmservice_la_CFLAGS += $(CFLAGS_HARDENED_LIB)
+libcrmservice_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libcrmservice_la_LIBADD = $(GIO_LIBS) $(top_builddir)/lib/common/libcrmcommon.la $(DBUS_LIBS)
libcrmservice_la_SOURCES = services.c services_linux.c
diff --git a/lib/transition/Makefile.am b/lib/transition/Makefile.am
index 9bc039e..4d6cd23 100644
--- a/lib/transition/Makefile.am
+++ b/lib/transition/Makefile.am
@@ -25,6 +25,9 @@ lib_LTLIBRARIES = libtransitioner.la
libtransitioner_la_LDFLAGS = -version-info 2:5:0
libtransitioner_la_CPPFLAGS = -I$(top_builddir) $(AM_CPPFLAGS)
+libtransitioner_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libtransitioner_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libtransitioner_la_LIBADD = $(top_builddir)/lib/common/libcrmcommon.la
libtransitioner_la_SOURCES = unpack.c graph.c utils.c
diff --git a/lrmd/Makefile.am b/lrmd/Makefile.am
index 64df105..5846503 100644
--- a/lrmd/Makefile.am
+++ b/lrmd/Makefile.am
@@ -30,6 +30,9 @@ if BUILD_SYSTEMD
systemdunit_DATA = pacemaker_remote.service
endif
+lrmd_CFLAGS = $(CFLAGS_HARDENED_EXE)
+lrmd_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
lrmd_LDADD = $(top_builddir)/lib/common/libcrmcommon.la \
$(top_builddir)/lib/services/libcrmservice.la \
$(top_builddir)/lib/lrmd/liblrmd.la \
@@ -38,6 +41,9 @@ lrmd_SOURCES = main.c lrmd.c
pacemaker_remoted_CPPFLAGS = -DSUPPORT_REMOTE $(AM_CPPFLAGS)
+pacemaker_remoted_CFLAGS = $(CFLAGS_HARDENED_EXE)
+pacemaker_remoted_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
pacemaker_remoted_LDADD = $(lrmd_LDADD)
pacemaker_remoted_SOURCES = main.c lrmd.c tls_backend.c ipc_proxy.c
diff --git a/mcp/Makefile.am b/mcp/Makefile.am
index 195530a..074d251 100644
--- a/mcp/Makefile.am
+++ b/mcp/Makefile.am
@@ -31,6 +31,9 @@ endif
noinst_HEADERS = pacemaker.h
+pacemakerd_CFLAGS = $(CFLAGS_HARDENED_EXE)
+pacemakerd_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
+
pacemakerd_LDADD = $(top_builddir)/lib/cluster/libcrmcluster.la $(top_builddir)/lib/common/libcrmcommon.la
pacemakerd_LDADD += $(CLUSTERLIBS)
pacemakerd_SOURCES = pacemaker.c corosync.c
diff --git a/pacemaker.spec.in b/pacemaker.spec.in
index 6024514..a607588 100644
--- a/pacemaker.spec.in
+++ b/pacemaker.spec.in
@@ -63,6 +63,9 @@
# Turn off cman support on platforms that normally ship with it
%bcond_without cman
+# Turn off hardening of libraries and daemon executables
+%bcond_without hardening
+
%if %{with profiling}
# This disables -debuginfo package creation and also the stripping binaries/libraries
# Useful if you want sane profiling data
@@ -168,6 +171,7 @@ resource health.
Available rpmbuild rebuild options:
--with(out) : cman stonithd doc coverage profiling pre_release upstart_job
+ hardening
%package cli
License: GPLv2+ and LGPLv2+
@@ -301,6 +305,18 @@ find . -exec touch \{\} \;
# Early versions of autotools (e.g. RHEL <= 5) do not support --docdir
export docdir=%{pcmk_docdir}
+%if %{with hardening}
+# prefer distro-provided hardening flags in case they are defined
+# through _hardening_{c,ld}flags macros, configure script will
+# use its own defaults otherwise; if such hardenings are completely
+# undesired, rpmbuild using "--without hardening"
+# (or "--define '_without_hardening 1'")
+export CFLAGS_HARDENED_EXE="%{?_hardening_cflags}"
+export CFLAGS_HARDENED_LIB="%{?_hardening_cflags}"
+export LDFLAGS_HARDENED_EXE="%{?_hardening_ldflags}"
+export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}"
+%endif
+
./autogen.sh
%{configure} \
@@ -309,6 +325,7 @@ export docdir=%{pcmk_docdir}
%{!?with_cman: --without-cman} \
--without-heartbeat \
%{!?with_doc: --with-brand=} \
+ %{!?with_hardening: --disable-hardening} \
--with-initdir=%{_initrddir} \
--localstatedir=%{_var} \
--with-version=%{version}-%{release}
diff --git a/pengine/Makefile.am b/pengine/Makefile.am
index 96c914f..d4dbfb9 100644
--- a/pengine/Makefile.am
+++ b/pengine/Makefile.am
@@ -61,12 +61,18 @@ endif
noinst_HEADERS = allocate.h utils.h pengine.h
libpengine_la_LDFLAGS = -version-info 11:0:1
+
+libpengine_la_CFLAGS = $(CFLAGS_HARDENED_LIB)
+libpengine_la_LDFLAGS += $(LDFLAGS_HARDENED_LIB)
+
libpengine_la_LIBADD = $(top_builddir)/lib/pengine/libpe_status.la \
$(top_builddir)/lib/cib/libcib.la
# -L$(top_builddir)/lib/pils -lpils -export-dynamic -module -avoid-version
libpengine_la_SOURCES = pengine.c allocate.c utils.c constraints.c
libpengine_la_SOURCES += native.c group.c clone.c master.c graph.c utilization.c
+pengine_CFLAGS = $(CFLAGS_HARDENED_EXE)
+pengine_LDFLAGS = $(LDFLAGS_HARDENED_EXE)
pengine_LDADD = $(top_builddir)/lib/cib/libcib.la $(COMMONLIBS)
# libcib for get_object_root()
# $(top_builddir)/lib/hbclient/libhbclient.la
--
1.8.3.1
From 35ec27112452f2bd06ae8b395d8543db935e2b05 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= <jpokorny@redhat.com>
Date: Wed, 22 Jun 2016 15:18:00 +0200
Subject: [PATCH 2/2] Build: configure.ac: prefer as-needed linking in case of
"-z now"
Slight optimization of a default toolchain-flags-based hardening.
---
configure.ac | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/configure.ac b/configure.ac
index edf6a91..4beb877 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1914,7 +1914,10 @@ elif test "x${HARDENING}" = "xyes" \
pie=1]
)
fi
- # daemons incl. libs: full RELRO if sensible
+ # daemons incl. libs: full RELRO if sensible + as-needed linking
+ # so as to possibly mitigate startup performance
+ # hit caused by excessive linking with unneeded
+ # libraries
if test "${relro}" = 1 && test "${pie}" = 1; then
flag="-Wl,-z,now"
CC_CHECK_LDFLAGS(["${flag}"],
@@ -1923,6 +1926,13 @@ elif test "x${HARDENING}" = "xyes" \
bindnow=1]
)
fi
+ if test "${bindnow}" = 1; then
+ flag="-Wl,--as-needed"
+ CC_CHECK_LDFLAGS(["${flag}"],
+ [LDFLAGS_HARDENED_EXE="${LDFLAGS_HARDENED_EXE} ${flag}";
+ LDFLAGS_HARDENED_LIB="${LDFLAGS_HARDENED_LIB} ${flag}"]
+ )
+ fi
# universal: prefer strong > all > default stack protector if possible
flag=
if cc_supports_flag -fstack-protector-strong; then
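Review bot: The new `if test "${bindnow}" = 1` block has no comment of its own. Its rationale was added in the previous hunk on top of the `-z now` test, where it reads as part of the full-RELRO description. Moving it directly above the block, e.g. `# as-needed linking: offset the start-up cost of eager binding`, keeps each probe self-explanatory. `--as-needed` only affects libraries named after it on the link line, so it is worth confirming on one libtool-built library that the flag still precedes the dependency list. The `Hardening:` summary notice does not report whether this flag was applied. The stack-protector `if` chain that closes the hunk continues outside it.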
--
1.8.3.1


@ -2,7 +2,7 @@
%global uname hacluster
%global pcmk_docdir %{_docdir}/%{name}
%global specversion 1
%global specversion 2
%global pcmkversion 1.1.15
# set following to the actual commit or, for final release, concatenate
# "pcmkversion" macro to "Pacemaker-" (will yield a tag per the convention)
@ -52,6 +52,9 @@
# Ship an Upstart job file
%bcond_with upstart_job
# Turn off hardening of libraries and daemon executables
%bcond_without hardening
%if %{with profiling}
# This disables -debuginfo package creation and also the stripping binaries/libraries
# Useful if you want sane profiling data
@ -82,6 +85,9 @@ Group: System Environment/Daemons
Source0: https://github.com/%{github_owner}/%{name}/archive/%{commit}/%{name}-%{shortcommit}.tar.gz
Source1: https://github.com/%{github_owner}/%{nagios_name}/archive/%{nagios_hash}/%{nagios_name}-%{nagios_hash}.tar.gz
Patch1: 001-makefile-cleanup.patch
Patch2: 002-build-cleanup.patch
Patch3: 003-harden-toolchain.patch
# ---
# keep following commented out for now
#Patch100: bz1179335-system-wide-crypto-policies.patch
@ -133,6 +139,9 @@ BuildRequires: publican inkscape asciidoc
%endif
# git-style patch application
BuildRequires: git
%description
Pacemaker is an advanced, scalable High-Availability cluster resource
manager for Corosync, CMAN and/or Linux-HA.
@ -145,7 +154,7 @@ when related resources fail and can be configured to periodically check
resource health.
Available rpmbuild rebuild options:
--with(out) : doc coverage profiling upstart_job
--with(out) : doc coverage profiling upstart_job pre_release hardening
%package cli
License: GPLv2+ and LGPLv2+
@ -267,6 +276,8 @@ monitor resources.
%prep
%setup -q -a 1 -n %{name}-%{commit}
%global __scm git
%__scm_setup_git
%autopatch -p1
# Force the local time
@ -282,12 +293,25 @@ find . -exec touch \{\} \;
# Early versions of autotools (e.g. RHEL <= 5) do not support --docdir
export docdir=%{pcmk_docdir}
%if %{with hardening}
# prefer distro-provided hardening flags in case they are defined
# through _hardening_{c,ld}flags macros, configure script will
# use its own defaults otherwise; if such hardenings are completely
# undesired, rpmbuild using "--without hardening"
# (or "--define '_without_hardening 1'")
export CFLAGS_HARDENED_EXE="%{?_hardening_cflags}"
export CFLAGS_HARDENED_LIB="%{?_hardening_cflags}"
export LDFLAGS_HARDENED_EXE="%{?_hardening_ldflags}"
export LDFLAGS_HARDENED_LIB="%{?_hardening_ldflags}"
%endif
./autogen.sh
%{configure} \
%{?with_profiling: --with-profiling} \
%{?with_coverage: --with-coverage} \
%{!?with_doc: --with-brand=} \
%{!?with_hardening: --disable-hardening} \
--with-initdir=%{_initrddir} \
--localstatedir=%{_var} \
--with-version=%{version}-%{release} \
@ -608,6 +632,13 @@ exit 0
%attr(0644,root,root) %{_datadir}/pacemaker/nagios/plugins-metadata/*
%changelog
* Thu Jul 07 2016 Jan Pokorný <jpokorny+rpm-pacemaker@redhat.com> - 1.1.15-2
- Stop building with -fstack-protector-all using the upstream patches
overhauling toolchain hardening (Fedora natively uses
-fstack-protector-strong so this effectively relaxed stack protection
is the only effect as hardened flags are already used by default:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages)
* Wed Jun 22 2016 Jan Pokorný <jpokorny+rpm-pacemaker@redhat.com> - 1.1.15-1
- Update for new upstream tarball: Pacemaker-1.1.15,
for full details, see included ChangeLog file or