Link with -z defs by default (#1535422)

2018-01-22 16:01:54 +01:00 · 2018-01-22 16:01:54 +01:00 · 078af19261
commit 078af19261
parent 75a53b7ea3
3 changed files with 30 additions and 2 deletions
--- a/buildflags.md
+++ b/buildflags.md
@ -59,6 +59,20 @@ position-dependent (no full ASLR) and use lazy binding.
 This turns off watermarking, making it impossible to do full hardening
 coverage analysis for any binaries produced.
 ### Disable strict symbol checks in the link editor (ld)
 By default, the link editor will refuse to link shared objects which
 contain undefined symbols.  In some cases (such as when a DSO is
 loaded as a plugin and is expected to bind to symbols in the main
 executable), undefined symbols are expected.  In this case, you can
 add
    %undefine _strict_symbol_defs_build
 to the RPM spec file to disable these strict checks.  Alternatively,
 you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
 command line).  The latter needs binutils 2.29.1-12.fc28 or later.
 # Individual compiler flags
 Compiler flags end up in the environment variables `CFLAGS`,
@ -213,6 +227,11 @@ to the compiler driver `gcc`, and not directly to the link editor
  dynamic linker is instructed to revoke write permissions after
  dynamic linking.  Full protection of relocation data requires the
  `-z now` flag (see below).
 * `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols.
  Such symbols lack symbol versioning information and can be bound to
  the wrong (compatibility) symbol version at run time, and not the
  actual (default) symbol version which would have been used if the
  symbol definition had been available and static link time.
 For hardened builds, the
 `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the
--- a/8
+++ b/8
@ -166,13 +166,19 @@
 %_annotated_build	1
 %_annotated_cflags	%{?_annotated_build:%{_annobin_cflags}}
 # Fail linking if there are undefined symbols.  Required for proper
 # ELF symbol versioning support.
 # Use %undefine _strict_symbol_defs_build" to disable.
 %_strict_symbol_defs_build	1
 %_ld_symbols_flags		%{?_strict_symbol_defs_build:-Wl,-z,defs}
 %__global_compiler_flags	-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}
 %__global_cflags	%{optflags}
 %__global_cxxflags	%{optflags}
 %__global_fflags	%{optflags} -I%_fmoddir
 %__global_fcflags	%{optflags} -I%_fmoddir
-%__global_ldflags	-Wl,-z,relro %{_hardened_ldflags}
+%__global_ldflags	-Wl,-z,relro %{_ld_symbols_flags} %{_hardened_ldflags}
 #==============================================================================
 # ---- Generic auto req/prov filtering macros
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@ -6,7 +6,7 @@
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 83
+Version: 84
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@ -157,6 +157,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 %{_rpmconfigdir}/macros.d/macros.kmp
 %changelog
 * Mon Jan 22 2018 Florian Weimer <fweimer@redhat.com> - 84-1
 - Link with -z defs by default (#1535422)
 * Mon Jan 22 2018 Florian Weimer <fweimer@redhat.com> - 83-1
 - Make armhfp flags consistent with GCC defaults