- build daemons hardened (#881250)

- zipl: Use "possible_cpus" kernel parameter (#1016180)
2013-11-07 11:45:30 +01:00 · 2013-11-07 11:45:30 +01:00 · b8434861eb
commit b8434861eb
parent d93a0307e6
3 changed files with 126 additions and 7 deletions
--- a/s390-tools-1.23.0-fedora.patch
+++ b/s390-tools-1.23.0-fedora.patch
@ -1,7 +1,7 @@
 From 9b225fac81186176075f673dfe5cf8e373b2068a Mon Sep 17 00:00:00 2001
 From: Dan Horak <dan@danny.cz>
 Date: Sun, 20 Jul 2008 09:24:05 +0200
-Subject: [PATCH 1/4] s390-tools-1.5.3-zipl-zfcpdump-2
+Subject: [PATCH 1/5] s390-tools-1.5.3-zipl-zfcpdump-2

 ---
 common.mak | 4 ++--
@ -29,7 +29,7 @@ index 44adc6e..4373da5 100644
 From a3d9221076f9eb7cc8434baac71327f786351c63 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Thu, 23 Apr 2009 11:46:01 +0200
-Subject: [PATCH 2/4] s390-tools-1.8.1-fdasd-su
+Subject: [PATCH 2/5] s390-tools-1.8.1-fdasd-su

 ---
 fdasd/fdasd.c | 10 ++++++----
@ -63,7 +63,7 @@ index ba22475..f2ac417 100644
 From d13c754f68ea838a47b8125006b9b493cfbbb7f4 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Wed, 21 Aug 2013 12:13:30 +0200
-Subject: [PATCH 3/4] dbginfo.sh: Avoiding exclusion list for pipes in sysfs
+Subject: [PATCH 3/5] dbginfo.sh: Avoiding exclusion list for pipes in sysfs

 Description:  dbginfo.sh: Avoiding exclusion list for pipes in sysfs
 Symptom:      The dbginfo.sh script hangs
@ -133,7 +133,7 @@ index 6d07132..0ada40b 100755
 From 7d540e7f40c731092ac655d1d38af7d69ceee706 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
 Date: Wed, 21 Aug 2013 12:13:58 +0200
-Subject: [PATCH 4/4] zipl: Fix zipl "--force" option for DASD multi-volume
+Subject: [PATCH 4/5] zipl: Fix zipl "--force" option for DASD multi-volume
 dump

 Description:  zipl: Fix zipl "--force" option for DASD multi-volume dump
@ -180,3 +180,43 @@ index f1cec78..529d6b3 100644
 -- 
 1.8.1.4

+
+From 21caf0d0dc05c5e950f369f72027a203a7d3e772 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Tue, 5 Nov 2013 12:23:18 +0100
+Subject: [PATCH 5/5] zipl: Use "possible_cpus" kernel parameter
+
+Description:  zipl: Use "possible_cpus" kernel parameter
+Symptom:      The zfcpdump system might run out-of memory.
+Problem:      For each possible CPU the zfcpdump kernel consumes memory for
+              the per-CPU data structures. Since it only runs with one CPU
+              this is not necessary. Because only 32 MiB are available for
+              zfcpdump the per-CPU data should not be allocated.
+Solution:     Use the kernel parameter "possible_cpus=1".
+Reproduction: To verify that the fix is included check that the zipl -D output
+              line "kernel parmline" contains "possible_cpus=1".
+---
+ zipl/src/bootmap.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/zipl/src/bootmap.c b/zipl/src/bootmap.c
+index cc2ed16..68dffe1 100644
+--- a/zipl/src/bootmap.c
+++ b/zipl/src/bootmap.c
+@@ -603,10 +603,11 @@ create_dump_fs_parmline(const char* parmline, const char* root_dev,
+ 	if (!result)
+ 		return NULL;
+ 	snprintf(result, DUMP_PARAM_MAX_LEN, "%s%sroot=%s dump_part=%d "
+-		 "dump_mem=%lld maxcpus=%d cgroup_disable=memory",
+		 "dump_mem=%lld maxcpus=%d possible_cpus=%d "
+		 "cgroup_disable=memory",
+ 		 parmline ? parmline : "",
+ 		 parmline ? " " : "", root_dev, part_num,
+-		 (unsigned long long) mem, max_cpus);
+		 (unsigned long long) mem, max_cpus, max_cpus);
+ 	result[DUMP_PARAM_MAX_LEN - 1] = 0;
+ 	return result;
+ }
+-- 
+1.8.1.4
+
--- a/s390-tools-1.23.0-hardening.patch
+++ b/s390-tools-1.23.0-hardening.patch
@ -0,0 +1,75 @@
+From a1d489d42248acd0b5f2e3348df5f2ece22dc9e0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Dan=20Hor=C3=A1k?= <dan@danny.cz>
+Date: Tue, 5 Nov 2013 15:34:11 +0100
+Subject: [PATCH] build daemons hardened
+
+---
+ common.mak              | 3 +++
+ cpuplugd/Makefile       | 4 ++--
+ mon_tools/Makefile      | 2 ++
+ osasnmpd/Makefile.rules | 3 +++
+ 4 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/common.mak b/common.mak
+index 4373da5..7b992b4 100644
+--- a/common.mak
+++ b/common.mak
+@@ -76,6 +76,9 @@ CXXFLAGS	= $(WARNFLAGS) -O3 -DS390_TOOLS_RELEASE=$(S390_TOOLS_RELEASE) \
+ 			-DS390_TOOLS_SYSCONFDIR=$(SYSCONFDIR) \
+ 			 -g $(OPT_FLAGS)
+ 
+DAEMON_CFLAGS	= -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
+DAEMON_LDFLAGS	= -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
+
+ # make G=1
+ # Compile tools so that gcov can be used to collect code coverage data.
+ # See the gcov man page for details.
+diff --git a/cpuplugd/Makefile b/cpuplugd/Makefile
+index 4a72075..28480f5 100644
+--- a/cpuplugd/Makefile
+++ b/cpuplugd/Makefile
+@@ -1,6 +1,6 @@
+ include ../common.mak
+ 
+-CFLAGS += -I../include
+CFLAGS += $(DAEMON_CFLAGS) -I../include
+ 
+ all: cpuplugd
+ 
+@@ -10,7 +10,7 @@ OBJECTS = daemon.o cpu.o info.o terms.o config.o main.o getopt.o mem.o
+ $(OBJECTS): cpuplugd.h
+ 
+ cpuplugd: $(OBJECTS)
+-	$(LINK) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
+	$(LINK) $(DAEMON_LDFLAGS) $(LDFLAGS) $^ $(LOADLIBES) $(LDLIBS) -o $@
+ 
+ clean:
+ 	rm -f cpuplugd $(OBJECTS)
+diff --git a/mon_tools/Makefile b/mon_tools/Makefile
+index c8c58fc..b025f65 100644
+--- a/mon_tools/Makefile
+++ b/mon_tools/Makefile
+@@ -1,6 +1,8 @@
+ include ../common.mak
+ 
+ CPPFLAGS += -I../include
+CFLAGS += $(DAEMON_CFLAGS)
+LDFLAGS += $(DAEMON_LDFLAGS)
+ 
+ all: mon_fsstatd mon_procd
+ 
+diff --git a/osasnmpd/Makefile.rules b/osasnmpd/Makefile.rules
+index 6668ed6..11ee8eb 100644
+--- a/osasnmpd/Makefile.rules
+++ b/osasnmpd/Makefile.rules
+@@ -10,4 +10,7 @@ CPPFLAGS += -DNETSNMP5
+ endif
+ CPPFLAGS += -I../include
+ 
+CFLAGS += $(DAEMON_CFLAGS)
+LDFLAGS += $(DAEMON_LDFLAGS)
+
+ OBJS = ibmOSAMib.o ibmOSAMibUtil.o osasnmpd.o
+-- 
+1.8.1.4
+
--- a/s390utils.spec
+++ b/s390utils.spec
@ -1,13 +1,11 @@
 %define cmsfsver 1.1.8c
 %define vipaver 2.0.4

-%{!?_initddir: %define _initddir %{_initrddir}}
-
 Name:           s390utils
 Summary:        Utilities and daemons for IBM System/z
 Group:          System Environment/Base
 Version:        1.23.0
-Release:        3%{?dist}
+Release:        4%{?dist}
 Epoch:          2
 License:        GPLv2 and GPLv2+ and CPL
 ExclusiveArch:  s390 s390x
@ -36,6 +34,7 @@ Source19:       mon_statd.initd
 Source21:       normalize_dasd_arg

 Patch1:         s390-tools-1.23.0-fedora.patch
+Patch2:         s390-tools-1.23.0-hardening.patch

 Patch1000:      cmsfs-1.1.8-warnings.patch
 Patch1001:      cmsfs-1.1.8-kernel26.patch
@ -65,6 +64,7 @@ be used together with the zSeries (s390) Linux kernel and device drivers.

 # Fedora/RHEL changes
 %patch1 -p1 -b .fedora
+%patch2 -p1 -b .hardening

 #
 # cmsfs
@ -734,6 +734,10 @@ User-space development files for the s390/s390x architecture.


 %changelog
+* Wed Nov 06 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-4
+- build daemons hardened (#881250)
+- zipl: Use "possible_cpus" kernel parameter (#1016180)
+
 * Wed Aug 21 2013 Dan Horák <dan[at]danny.cz> - 2:1.23.0-3
 - dbginfo.sh: Avoiding exclusion list for pipes in sysfs (#996732)
 - zipl: Fix zipl "--force" option for DASD multi-volume dump (#997361)