Link with -z defs by default (#1535422)

buildflags.md

@@ -59,6 +59,20 @@ position-dependent (no full ASLR) and use lazy binding.
 This turns off watermarking, making it impossible to do full hardening
 coverage analysis for any binaries produced.
 
+### Disable strict symbol checks in the link editor (ld)
+
+By default, the link editor will refuse to link shared objects which
+contain undefined symbols.  In some cases (such as when a DSO is
+loaded as a plugin and is expected to bind to symbols in the main
+executable), undefined symbols are expected.  In this case, you can
+add
+
+    %undefine _strict_symbol_defs_build
+
+to the RPM spec file to disable these strict checks.  Alternatively,
+you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
+command line).  The latter needs binutils 2.29.1-12.fc28 or later.
+
 # Individual compiler flags
 
 Compiler flags end up in the environment variables `CFLAGS`,
@@ -213,6 +227,11 @@ to the compiler driver `gcc`, and not directly to the link editor
   dynamic linker is instructed to revoke write permissions after
   dynamic linking.  Full protection of relocation data requires the
   `-z now` flag (see below).
+* `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols.
+  Such symbols lack symbol versioning information and can be bound to
+  the wrong (compatibility) symbol version at run time, and not the
+  actual (default) symbol version which would have been used if the
+  symbol definition had been available and static link time.
 
 For hardened builds, the
 `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the

macros

@@ -166,13 +166,19 @@
 %_annotated_build	1
 %_annotated_cflags	%{?_annotated_build:%{_annobin_cflags}}
 
+# Fail linking if there are undefined symbols.  Required for proper
+# ELF symbol versioning support.
+# Use %undefine _strict_symbol_defs_build" to disable.
+%_strict_symbol_defs_build	1
+%_ld_symbols_flags		%{?_strict_symbol_defs_build:-Wl,-z,defs}
+
 %__global_compiler_flags	-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}
 
 %__global_cflags	%{optflags}
 %__global_cxxflags	%{optflags}
 %__global_fflags	%{optflags} -I%_fmoddir
 %__global_fcflags	%{optflags} -I%_fmoddir
-%__global_ldflags	-Wl,-z,relro %{_hardened_ldflags}
+%__global_ldflags	-Wl,-z,relro %{_ld_symbols_flags} %{_hardened_ldflags}
 
 #==============================================================================
 # ---- Generic auto req/prov filtering macros

redhat-rpm-config.spec

@@ -6,7 +6,7 @@
 
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
-Version: 83
+Version: 84
 Release: 1%{?dist}
 # No version specified.
 License: GPL+
@@ -157,6 +157,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov
 %{_rpmconfigdir}/macros.d/macros.kmp
 
 %changelog
+* Mon Jan 22 2018 Florian Weimer <fweimer@redhat.com> - 84-1
+- Link with -z defs by default (#1535422)
+
 * Mon Jan 22 2018 Florian Weimer <fweimer@redhat.com> - 83-1
 - Make armhfp flags consistent with GCC defaults