109 lines
3.0 KiB
Diff
From 5044719a27cb41889ec08177cba977596b783e83 Mon Sep 17 00:00:00 2001
From: Nir Soffer <nsoffer@redhat.com>
Date: Sun, 2 Aug 2020 02:01:06 +0300
Subject: [PATCH] python: Remove extra link args

Fedora 33 builds fail now with:

    /usr/bin/ld: /tmp/sanlock.cpython-39-x86_64-linux-gnu.so.mpvMfj.ltrans0.ltrans.o:
    relocation R_X86_64_PC32 against undefined symbol `PyExc_ValueError' can
    not be used when making a shared object; recompile with -fPIC

We use these extra link args:

    extra_link_args=['-fPIE', '-Wl,-z,relro,-z,now'],

Looking at the generated compiler command[1]:

    gcc -pthread \
    -shared \
    -Wl,-z,relro \
    -Wl,--as-needed \
    -Wl,-z,now \
    -g \
    -Wl,-z,relro \
    -Wl,--as-needed \
    -Wl,-z,now \
    -g \
    -Wl,-z,relro \
    -Wl,--as-needed \
    -Wl,-z,now \
    -specs=/usr/lib/rpm/redhat/redhat-hardened-ld \
    -O2 \
    -fexceptions \
    -g \
    -grecord-gcc-switches \
    -pipe \
    -Wall \
    -Werror=format-security \
    -Wp,-D_FORTIFY_SOURCE=2 \
    -Wp,-D_GLIBCXX_ASSERTIONS \
    -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 \
    -fstack-protector-strong \
    -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 \
    -m64 \
    -mtune=generic \
    -fasynchronous-unwind-tables \
    -fstack-clash-protection \
    -fcf-protection build/temp.linux-x86_64-3.9/sanlock.o \
    -L../src \
    -L/usr/lib64 \
    -lsanlock \
    -o build/lib.linux-x86_64-3.9/sanlock.cpython-39-x86_64-linux-gnu.so \
    -fPIE \
    -Wl,-z,relro,-z,now

This looks like a complete mess. These arguments are repeated 3 times:

    -Wl,-z,relro \
    -Wl,--as-needed \
    -Wl,-z,now \

And our extra compiler flags add the fourth copy.

gcc says this about -fPIE:

    These options are similar to -fpic and -fPIC, but the generated
    position-independent code can be only linked into executables

But our python extension is a shared object, so I don't think -fPIE
makes sense.

The extra arguments were added in:

    commit a1929080a6ce51879139eb8d05a425ccd3d37082
    Author: David Teigland <teigland@redhat.com>
    Date: Wed Oct 14 13:21:04 2015 -0500

        python: add compile flags

Without any justification. I assume the intent was good, but it looks
like this change was not needed, and somehow it worked until now.

If some hardening is needed, it should be done by python build
infrastructure, not in sanlock. And it seems that python does use some
hardening specs (e.g. -specs=/usr/lib/rpm/redhat/redhat-hardened-ld).

[1] https://kojipkgs.fedoraproject.org//work/tasks/8900/48358900/build.log

Signed-off-by: Nir Soffer <nsoffer@redhat.com>
---
 python/setup.py | 1 -
 1 file changed, 1 deletion(-)

diff --git a/python/setup.py b/python/setup.py
index 0f3d683..b3bfaf1 100644
--- a/python/setup.py
+++ b/python/setup.py
@@ -12,7 +12,6 @@ sanlock = Extension(name='sanlock',
include_dirs=['../src'],
library_dirs=['../src'],
extra_compile_args=["-std=c99"],
- extra_link_args=['-fPIE', '-Wl,-z,relro,-z,now'],
libraries=sanlocklib)
version = None
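Review bot: the deleted `extra_link_args` line removes `-Wl,-z,relro,-z,now` together with `-fPIE`, but the link error quoted in the commit message implicates only `-fPIE`, which gcc documents as being for executables while this target is a shared object. After this change the extension gets full RELRO and immediate binding only when the Python build configuration supplies them, as it does in the quoted Fedora log (`-Wl,-z,relro`, `-Wl,-z,now`, `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld`); a build whose Python does not inject those flags would link without them. Consider either dropping just `'-fPIE'` and keeping `extra_link_args=['-Wl,-z,relro,-z,now']`, or noting in the commit message that hardening is now delegated to the distribution flags and confirming it on the built `.so` with `readelf -d` (look for `BIND_NOW`).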
--
2.25.4