- build daemons hardened (#881250)

- zipl: Use "possible_cpus" kernel parameter (#1016180)
2013-11-07 11:45:30 +01:00 · 2013-11-07 11:45:30 +01:00 · b8434861eb
commit b8434861eb
parent d93a0307e6
3 changed files with 126 additions and 7 deletions
--- a/s390-tools-1.23.0-fedora.patch
+++ b/s390-tools-1.23.0-fedora.patch
@ -1,7 +1,7 @@
 From 9b225fac81186176075f673dfe5cf8e373b2068a Mon Sep 17 00:00:00 2001
 From: Dan Horak <dan@danny.cz>
 Date: Sun, 20 Jul 2008 09:24:05 +0200
-Subject: [PATCH 1/4] s390-tools-1.5.3-zipl-zfcpdump-2
+Subject: [PATCH 1/5] s390-tools-1.5.3-zipl-zfcpdump-2
 ---
 common.mak | 4 ++--
@ -29,7 +29,7 @@ index 44adc6e..4373da5 100644
 From a3d9221076f9eb7cc8434baac71327f786351c63 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Thu, 23 Apr 2009 11:46:01 +0200
-Subject: [PATCH 2/4] s390-tools-1.8.1-fdasd-su
+Subject: [PATCH 2/5] s390-tools-1.8.1-fdasd-su
 ---
 fdasd/fdasd.c | 10 ++++++----
@ -63,7 +63,7 @@ index ba22475..f2ac417 100644
 From d13c754f68ea838a47b8125006b9b493cfbbb7f4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Wed, 21 Aug 2013 12:13:30 +0200
-Subject: [PATCH 3/4] dbginfo.sh: Avoiding exclusion list for pipes in sysfs
+Subject: [PATCH 3/5] dbginfo.sh: Avoiding exclusion list for pipes in sysfs
 Description:  dbginfo.sh: Avoiding exclusion list for pipes in sysfs
 Symptom:      The dbginfo.sh script hangs
@ -133,7 +133,7 @@ index 6d07132..0ada40b 100755
 From 7d540e7f40c731092ac655d1d38af7d69ceee706 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Wed, 21 Aug 2013 12:13:58 +0200
-Subject: [PATCH 4/4] zipl: Fix zipl "--force" option for DASD multi-volume
+Subject: [PATCH 4/5] zipl: Fix zipl "--force" option for DASD multi-volume
 dump
 Description:  zipl: Fix zipl "--force" option for DASD multi-volume dump
@ -180,3 +180,43 @@ index f1cec78..529d6b3 100644
 -- 
 1.8.1.4
 From 21caf0d0dc05c5e950f369f72027a203a7d3e772 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Tue, 5 Nov 2013 12:23:18 +0100
 Subject: [PATCH 5/5] zipl: Use "possible_cpus" kernel parameter
 Description:  zipl: Use "possible_cpus" kernel parameter
 Symptom:      The zfcpdump system might run out-of memory.
 Problem:      For each possible CPU the zfcpdump kernel consumes memory for
              the per-CPU data structures. Since it only runs with one CPU
              this is not necessary. Because only 32 MiB are available for
              zfcpdump the per-CPU data should not be allocated.
 Solution:     Use the kernel parameter "possible_cpus=1".
 Reproduction: To verify that the fix is included check that the zipl -D output
              line "kernel parmline" contains "possible_cpus=1".
 ---
 zipl/src/bootmap.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c
 index cc2ed16..68dffe1 100644
 --- a/zipl/src/bootmap.c
 +++ b/zipl/src/bootmap.c
@@ -603,10 +603,11 @@ create_dump_fs_parmline(const char* parmline, const char* root_dev,
 	if (!result)
 		return NULL;
 	snprintf(result, DUMP_PARAM_MAX_LEN, "%s%sroot=%s dump_part=%d "
 -		 "dump_mem=%lld maxcpus=%d cgroup_disable=memory",
 +		 "dump_mem=%lld maxcpus=%d possible_cpus=%d "
 +		 "cgroup_disable=memory",
 		 parmline ? parmline : "",
 		 parmline ? " " : "", root_dev, part_num,
 -		 (unsigned long long) mem, max_cpus);
 +		 (unsigned long long) mem, max_cpus, max_cpus);
 	result[DUMP_PARAM_MAX_LEN - 1] = 0;
 	return result;
 }
 -- 
 1.8.1.4
--- a/s390-tools-1.23.0-hardening.patch
+++ b/s390-tools-1.23.0-hardening.patch
@ -0,0 +1,75 @@
 From a1d489d42248acd0b5f2e3348df5f2ece22dc9e0 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Tue, 5 Nov 2013 15:34:11 +0100
 Subject: [PATCH] build daemons hardened
 ---
 common.mak              | 3 +++
 cpuplugd/Makefile       | 4 ++--
 mon_tools/Makefile      | 2 ++
 osasnmpd/Makefile.rules | 3 +++
 4 files changed, 10 insertions(+), 2 deletions(-)
 diff --git a/common.mak b/common.mak
 index 4373da5..7b992b4 100644
 --- a/common.mak
 +++ b/common.mak
@@ -76,6 +76,9 @@ CXXFLAGS	= $(WARNFLAGS) -O3 -DS390_TOOLS_RELEASE=$(S390_TOOLS_RELEASE) \
 			-DS390_TOOLS_SYSCONFDIR=$(SYSCONFDIR) \
 			 -g $(OPT_FLAGS)
 +DAEMON_CFLAGS	= -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
 +DAEMON_LDFLAGS	= -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
 +
 # make G=1
 # Compile tools so that gcov can be used to collect code coverage data.
 # See the gcov man page for details.
 diff --git a/cpuplugd/Makefile b/cpuplugd/Makefile
 index 4a72075..28480f5 100644
 --- a/cpuplugd/Makefile
 +++ b/cpuplugd/Makefile
@@ -1,6 +1,6 @@
 include ../common.mak
 -CFLAGS += -I../include
 +CFLAGS += $(DAEMON_CFLAGS) -I../include
 all: cpuplugd
@@ -10,7 +10,7 @@ OBJECTS = daemon.o cpu.o info.o terms.o config.o main.o getopt.o mem.o
 $(OBJECTS): cpuplugd.h
 cpuplugd: $(OBJECTS)
 -	$(LINK) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
 +	$(LINK) $(DAEMON_LDFLAGS) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
 clean:
 	rm -f cpuplugd $(OBJECTS)
 diff --git a/mon_tools/Makefile b/mon_tools/Makefile
 index c8c58fc..b025f65 100644
 --- a/mon_tools/Makefile
 +++ b/mon_tools/Makefile
@@ -1,6 +1,8 @@
 include ../common.mak
 CPPFLAGS += -I../include
 +CFLAGS += $(DAEMON_CFLAGS)
 +LDFLAGS += $(DAEMON_LDFLAGS)
 all: mon_fsstatd mon_procd
 diff --git a/osasnmpd/Makefile.rules b/osasnmpd/Makefile.rules
 index 6668ed6..11ee8eb 100644
 --- a/osasnmpd/Makefile.rules
 +++ b/osasnmpd/Makefile.rules
@@ -10,4 +10,7 @@ CPPFLAGS += -DNETSNMP5
 endif
 CPPFLAGS += -I../include
 +CFLAGS += $(DAEMON_CFLAGS)
 +LDFLAGS += $(DAEMON_LDFLAGS)
 +
 OBJS = ibmOSAMib.o ibmOSAMibUtil.o osasnmpd.o
 -- 
 1.8.1.4
--- a/s390utils.spec
+++ b/s390utils.spec
@ -1,13 +1,11 @@
 %define cmsfsver 1.1.8c
 %define vipaver 2.0.4
 %{!?_initddir: %define _initddir %{_initrddir}}
 Name:           s390utils
 Summary:        Utilities and daemons for IBM System/z
 Group:          System Environment/Base
 Version:        1.23.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          2
 License:        GPLv2 and GPLv2+ and CPL
 ExclusiveArch:  s390 s390x
@ -36,6 +34,7 @@ Source19:       mon_statd.initd
 Source21:       normalize_dasd_arg
 Patch1:         s390-tools-1.23.0-fedora.patch
 Patch2:         s390-tools-1.23.0-hardening.patch
 Patch1000:      cmsfs-1.1.8-warnings.patch
 Patch1001:      cmsfs-1.1.8-kernel26.patch
@ -65,6 +64,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.
 # Fedora/RHEL changes
 %patch1 -p1 -b .fedora
 %patch2 -p1 -b .hardening
 #
 # cmsfs
@ -734,6 +734,10 @@ User-space development files for the s390/s390x architecture.
 %changelog
 * Wed Nov 06 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-4
 - build daemons hardened (#881250)
 - zipl: Use "possible_cpus" kernel parameter (#1016180)
 * Wed Aug 21 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-3
 - dbginfo.sh: Avoiding exclusion list for pipes in sysfs (#996732)
 - zipl: Fix zipl "--force" option for DASD multi-volume dump (#997361)