diff --git a/SOURCES/brp-mangle-shebangs b/SOURCES/brp-mangle-shebangs index fe28768..6a47b9f 100755 --- a/SOURCES/brp-mangle-shebangs +++ b/SOURCES/brp-mangle-shebangs @@ -93,7 +93,14 @@ while IFS= read -r line; do fi - read shebang_line < "$f" + if ! read shebang_line < "$f"; then + echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit" + ts=$(stat -c %y "$f") + chmod -x "$f" + touch -d "$ts" "$f" + continue + fi + orig_shebang="${shebang_line#\#!}" if [ "$orig_shebang" = "$shebang_line" ]; then echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit" diff --git a/SOURCES/buildflags.md b/SOURCES/buildflags.md index abcfcbb..fe7b812 100644 --- a/SOURCES/buildflags.md +++ b/SOURCES/buildflags.md @@ -13,6 +13,8 @@ this: This will invoke the `./configure` with arguments (such as `--prefix=/usr`) to adjust the paths to the packaging defaults. +Prior to that, some common problems in autotools scripts are +automatically patched across the source tree. As a side effect, this will set the environment variables `CFLAGS`, `CXXFLAGS`, `FFLAGS`, `FCFLAGS`, and `LDFLAGS`, so they can be used by @@ -25,7 +27,8 @@ environment variables using %set_build_flags early in the `%build` section. (Again, existing environment variables -are not overwritten.) +are not overwritten.) `%set_build_flags` does not perform autotools +script rewriting, unlike `%configure`. Individual build flags are also available through RPM macros: 
@@ -66,11 +69,24 @@ For other considerations involving shared objects, see: * [Fedora Packaging Guidelines: Shared Libraries](https://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries) -# Customizing compiler flags +# Customizing compiler and other build flags It is possible to set RPM macros to change some aspects of the compiler flags. Changing these flags should be used as a last -recourse if other workarunds are not available. +recourse if other workarounds are not available. + +### Disable autotools compatibility patching + +By default, the invocation of the `%configure` macro replaces +`config.guess` files in the source tree with the system version. To +disable that, define this macro: + + %global _configure_gnuconfig_hack 0 + +`%configure` also patches `ltmain.sh` scripts, so that linker flags +are set as well during libtool-. This can be switched off using: + + %global _configure_libtool_hardening_hack 0 ### Lazy binding 
@@ -145,6 +161,63 @@ to the RPM spec file to disable these strict checks. Alternatively, you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc command line). The latter needs binutils 2.29.1-12.fc28 or later. +### Post-build ELF object processing + +By default, DWARF debugging information is separated from installed +ELF objects and put into `-debuginfo` subpackages. To disable most +debuginfo processing (and thus the generation of these subpackages), +define `_enable_debug_packages` as `0`. + +Processing of debugging information is controlled using the +`find-debuginfo` tool from the `debugedit` package. Several aspects +of its operation can be controlled at the RPM level. + +* Creation of `-debuginfo` subpackages is enabled by default. + To disable, undefine `_debuginfo_subpackages`. +* Likewise, `-debugsource` subpackages are automatically created. + To disable, undefine `_debugsource_subpackages`. + See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo) + for background information. +* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`, + `_unique_debug_srcs` control how debugging information and + corresponding source files are represented on disk. + See `/usr/lib/rpm/macros` for details. The defaults + enable parallel installation of `-debuginfo` packages for + different package versions, as described in + [Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo). +* By default, a compressed symbol table is preserved in the + `.gnu_debugdata` section. To disable that, undefine + `_include_minidebuginfo`. +* To speed up debuggers, a `.gdb_index` section is created. It can be + disabled by undefining `_include_gdb_index`. +* Missing build IDs result in a build failure. To ignore such + problems, undefine `_missing_build_ids_terminate_build`. +* During processing, build IDs are recomputed to match the binary + content. 
To skip this step, define `_no_recompute_build_ids` as `1`. +* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz` + (DWARF compression) processing. Undefine this macro to disable this + step. +* Additional options can be passed by defining the + `_find_debuginfo_opts` macro. + +After separation of debugging information, additional transformations +are applied, most of them also related to debugging information. +These steps can be skipped by undefining the corresponding macros: + +* `__brp_strip`: Removal of leftover debugging information. The tool + specified by the `__strip` macro is invoked with the `-g` option on + ELF object (`.o`) files. +* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but + processes static `.a` archives instead. +* `__brp_strip_comment_note`: This step removes unallocated `.note` + sections, and `.comment` sections from ELF files. +* `__brp_ldconfig`: For each shared object on the library search path + whose soname does not match its file name, a symbolic link from the + soname to the file name is created. This way, these shared objects + are loadable immediately after installation, even if they are not yet + listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been + invoked yet). + # Individual compiler flags Compiler flags end up in the environment variables `CFLAGS`, 
@@ -202,6 +275,11 @@ The general (architecture-independent) build flags are: variables. (If the address of a variable is never taken, it is not possible that a buffer overflow is caused by incorrect pointer arithmetic involving a pointer to that variable.) +* `-fstack-clash-protection`: Turn on instrumentation to avoid + skipping the guard page in large stack frames. (Without this flag, + vulnerabilities can result where the stack overlaps with the heap, + or thread stacks spill into other regions of memory.) This flag is + fully ABI-compatible and has adds very little run-time overhead. * `-grecord-gcc-switches`: Include select GCC command line switches in the DWARF debugging information. This is useful for detecting the presence of certain build flags and general hardening coverage. @@ -240,13 +318,6 @@ added by default. This can be switched off by undefining the These compiler flags are enabled for all builds (hardened/annotated or not), but their selection depends on the architecture: -* `-fstack-clash-protection`: Turn on instrumentation to avoid - skipping the guard page in large stack frames. (Without this flag, - vulnerabilities can result where the stack overlaps with the heap, - or thread stacks spill into other regions of memory.) This flag is - fully ABI-compatible and has adds very little run-time overhead, but - is only available on certain architectures (currently aarch64, i386, - ppc64, ppc64le, s390x, x86_64). * `-fcf-protection`: Instrument binaries to guard against ROP/JOP attacks. Used on i686 and x86_64. * `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in 
@@ -260,24 +331,18 @@ not), but their selection depends on the architecture: useful because unwind information is available without having to install (and load) debugging ienformation. Asynchronous unwind tables are enabled for aarch64, i686, s390x, - and x86_64. They are not needed on armhfp, ppc64 and ppc64le due + and x86_64. They are not needed on ppc64le due to architectural differences in stack management. On these architectures, `-fexceptions` (see above) still enables regular unwind tables (or they are enabled by default even without this option). * `-funwind-tables`: A subset of the unwind information restricted - to actual call sites. Used on ppc64, ppc64le. Also implied by + to actual call sites. Used on ppc64le. Also implied by `-fexceptions`. In addition, `redhat-rpm-config` re-selects the built-in default tuning in the `gcc` package. These settings are: -* **armhfp**: `-march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard` - selects an Arm subarchitecture based on the ARMv7-A architecture - with 16 64-bit floating point registers. `-mtune=cortex-8a` selects - tuning for the Cortex-A8 implementation (while preserving compatibility - with other ARMv7-A implementations). `-mabi=aapcs-linux` switches to - the AAPCS ABI for GNU/Linux. * **i686**: `-march=x86-64` is used to select a minimum supported CPU level matching the baseline for the x86_64 architecture. `-mtune=generic` activates tuning for a current blend of CPUs. @@ -296,7 +361,7 @@ tuning in the `gcc` package. These settings are: (z14). * **x86_64**: `-mtune=generic` selects tuning which is expected to beneficial for a broad range of current CPUs. -* **ppc64** and **aarch64** do not have any architecture-specific tuning. +* **aarch64** does not have any architecture-specific tuning. # Individual linker flags diff --git a/SOURCES/modalias.prov b/SOURCES/modalias.prov index c5eda32..022c4f0 100644 --- a/SOURCES/modalias.prov +++ b/SOURCES/modalias.prov 
@@ -1,4 +1,4 @@ -#! /bin/sh +#! /bin/bash -efu # heavily based upon find-suggests.ksyms by Andreas Gruenbacher . # with modifications by Michael Brown @@ -14,7 +14,8 @@ IFS=$'\n' # completeness, so that we can determine when drivers are folded into # mainline kernel. # -case "$1" in +is_kernel_package="" +case "${1:-}" in kernel-module-*) ;; # Fedora kernel module package names start with # kernel-module. kernel*) is_kernel_package=1 ;; @@ -25,6 +26,11 @@ if ! [ -z "$is_kernel_package" ]; then exit 0 fi +# Check for presence of the commands used +which /sbin/modinfo >/dev/null || exit 0 +which sed >/dev/null || exit 0 +which sort >/dev/null || exit 0 + print_modaliases() { declare class=$1 variants=$2 pos=$3 if [ -n "$variants" ]; then @@ -35,7 +41,7 @@ print_modaliases() { } combine_modaliases() { - declare tag class variants pos n + declare tag class variants="" pos="" n read class while read tag; do for ((n=0; n<${#class}; n++)); do @@ -58,19 +64,15 @@ combine_modaliases() { print_modaliases "$class" "$variants" "$pos" } -for module in $(grep -E '/lib/modules/.+\.ko$') $*; do +for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$') "$@"; do # | head -n1 because some modules have *two* version tags. *cough*b44*cough* modver=$(/sbin/modinfo -F version "$module"| head -n1) - modver=${modver// /_} - + modver=${modver//[^0-9a-zA-Z._]/_} # only add version tag if it has a version - if [ -n "$modver" ]; then - /sbin/modinfo -F alias "$module" \ - | sed -nre "s,(.+),modalias(\\1) = $modver,p" - else - /sbin/modinfo -F alias "$module" \ - | sed -nre "s,(.+),modalias(\\1),p" - fi + [ -z "$modver" ] || modver=" = $modver" + + /sbin/modinfo -F alias "$module" \ + | sed -nre "s,[^][0-9a-zA-Z._:*?/-],_,g; s,(.+),modalias(\\1)$modver,p" done \ | sort -u \ | combine_modaliases diff --git a/SPECS/redhat-rpm-config.spec b/SPECS/redhat-rpm-config.spec index bab5c39..80ef424 100644 --- a/SPECS/redhat-rpm-config.spec +++ b/SPECS/redhat-rpm-config.spec 
@@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 125 +Version: 129 Release: 1%{?dist}.alma # No version specified. License: GPL+ @@ -113,6 +113,11 @@ Requires: %{_bindir}/grep Requires: %{_bindir}/sed Requires: %{_bindir}/xargs +# iconv modules have been split out of glibc into a separate package (#1971664) +# so let's ensure packages that require them at build time but haven't yet +# added an explicit BuildRequires will continue to work (#2013328) +Requires: glibc-gconv-extra + # -fstack-clash-protection and -fcf-protection require GCC 8. Conflicts: gcc < 8 @@ -205,9 +210,22 @@ install -p -m 755 %{SOURCE21} %{buildroot}%{_rpmconfigdir}/kabi.sh %{_rpmconfigdir}/macros.d/macros.kmp %changelog -* Sun Apr 11 2021 Andrew Lukoshko - 125-1.alma +* Tue May 10 2022 Andrew Lukoshko - 129-1.alma - Fix AlmaLinux detection +* Wed Mar 23 2022 Michal Domonkos - 129-1 +- Fix handling of files without newlines in brp-mangle-shebang (#2063036) + +* Wed Jan 05 2022 Eugene Syromiatnikov - 128-1 +- modalias.prov: handle compressed kmods, sanitise alias/version strings + (#1976000) + +* Mon Dec 13 2021 Michal Domonkos - 127-1 +- Add Requires: glibc-gconv-extras to cover for the split (#2013328) + +* Mon Nov 29 2021 Florian Weimer - 126-1 +- buildflags.md: Documentation updates (#2005079) + * Fri Nov 27 2020 Florian Festi - 125-1 - Add missing macros.fedora-misc file (#1874576)
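Review bot: In SOURCES/brp-mangle-shebangs (hunk at -93,7), the new `if ! read shebang_line < "$f"` branch also fires for a file that has content but no terminating newline. `read` returns non-zero when it hits end of file before a newline, yet it still fills `shebang_line`. A file whose only line is a valid shebang without a trailing newline therefore loses its executable bit, under a warning that says the line could not be read. Consider taking this branch only when `shebang_line` is empty after the failed `read`, so that the existing shebang checks further down still run on a partial line.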
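Review bot: In SOURCES/buildflags.md (hunk at -66,11), the added sentence "so that linker flags are set as well during libtool-." stops in the middle of a word, so the reader cannot tell which libtool step the `ltmain.sh` patching affects. Please complete the sentence before merging. Since `_configure_libtool_hardening_hack 0` switches off a hardening measure, the paragraph should also say which linker flags go missing when it is disabled.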
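Review bot: In SOURCES/buildflags.md (hunk at -202,6), the relocated `-fstack-clash-protection` bullet carries over the typo "has adds very little run-time overhead", which should read "adds very little run-time overhead". The move to the architecture-independent list also drops the old list of supported architectures without comment. If the flag is now applied everywhere, a short statement to that effect would make the change of section self-explanatory.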
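Review bot: In SOURCES/buildflags.md (hunk at -260,24), the sentence after the edited one still begins "On these architectures" although the list has been narrowed to ppc64le alone, so it should now read "On this architecture". The unchanged context line in the same paragraph also contains "ienformation", which could be fixed while this text is being touched.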
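Review bot: In SOURCES/modalias.prov (hunk at -1,4), the options on the new shebang `#! /bin/bash -efu` apply only when the file is executed directly. If the generator is ever run as `bash modalias.prov` or sourced, errexit, noglob and nounset are silently lost, and the rest of the patch (for example `${1:-}` and the `variants=""` initialisers) is written on the assumption that they are active. A `set -efu` line at the top of the script body would make that independent of how it is invoked.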
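Review bot: In SOURCES/modalias.prov (hunk at -25,6), the three `which ... >/dev/null || exit 0` checks make the script exit successfully and print nothing when `/sbin/modinfo`, `sed` or `sort` is absent, so a package built on such a host ships with no `modalias()` provides and no hint in the build log. Printing a warning to stderr before `exit 0` would make that visible. `which` is itself an external program and its error output is not redirected here. The bash builtin `command -v` performs the same check without the extra dependency.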
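Review bot: In SOURCES/modalias.prov (hunk at -58,19), both `/sbin/modinfo` calls sit on the left side of a pipeline (`| head -n1` and `| sed -nre ...`), so the `-e` added in the shebang does not catch a failing `modinfo`. This matters more now that the `grep` pattern also picks up `.ko.gz`, `.ko.bz2` and `.ko.xz`: if `modinfo` cannot read one of those files, the module contributes no provides and the script still exits 0. Consider capturing the `modinfo` output into a variable first and checking its status. On the sanitising side, replacing everything outside `[0-9a-zA-Z._]` in `modver` before it is interpolated into the `sed` expression is the right order of operations, and a one-line comment stating that `$modver` must stay free of `,`, `\` and `&` would protect that against later edits.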
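Review bot: In SPECS/redhat-rpm-config.spec (changelog hunk at -205,9), the 127-1 entry says "Add Requires: glibc-gconv-extras" while the dependency added in the hunk at -113,6 is `Requires: glibc-gconv-extra`. One of the two spellings is wrong. Please confirm the package name and make the changelog match the `Requires:` line. The 129-1 entry likewise refers to "brp-mangle-shebang" although the file in this patch is `brp-mangle-shebangs`. Separately, the existing "Fix AlmaLinux detection" entry is re-dated and re-versioned in place rather than a new entry being added, which removes the 125-1.alma record from the package history.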