Build 1.19.5-1

Updated compile options for annocheck hardening
Ensure we resolve library symbols at load time (-z now) and are a Position Independent Executable (-pie). Refactored compile options to better deal with arch differences.
Added an 'annocheck' makefile target for local checking.
Makefile: change build to use FORTIFY_SOURCE=3
src/utils.c: fix off-by-one error in buffer allocation

Resolves: RHEL-33662
Signed-off-by: Chris White <chwhite@redhat.com>

.gitignore

@@ -13,3 +13,4 @@
 /stalld-1.17.1.tar.bz2
 /stalld-v1.19.1.tar.bz2
 /stalld-1.19.1.tar.bz2
+/stalld-1.19.5.tar.bz2

Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch

@@ -1,34 +0,0 @@
-From f9c0ade7cd9a514d4ca6f81f797284e11c56b31a Mon Sep 17 00:00:00 2001
-From: Chris White <chwhite@redhat.com>
-Date: Wed, 21 Feb 2024 15:22:44 -0500
-Subject: [PATCH] Make fill_process_comm() open comm file as READ_ONLY
-
-The fill_process_comm() opens the comm file using O_RDWR. The
-function itself does not perform a write operation on the file,
-and opening this in read and write mode can cause selinux policy
-violations where opening the file with write permission is
-restricted. Since the function itself only needs to read from this
-fd, changing this to READ_ONLY (O_RDONLY)
-
-Signed-off-by: Chris White <chwhite@redhat.com>
-Signed-off-by: John Kacur <jkacur@redhat.com>
----
- src/utils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/utils.c b/src/utils.c
-index f6feca7040d8..898f4a5d06a7 100644
---- a/src/utils.c
-+++ b/src/utils.c
-@@ -55,7 +55,7 @@ int fill_process_comm(int tgid, int pid, char *comm, int comm_size)
- 	if (retval < 0)
- 		goto out_error;
- 
--	fd = open(path, O_RDWR);
-+	fd = open(path, O_RDONLY);
- 	if (fd < 0) {
- 		log_msg("failed to open comm file at %s\n", path);
- 		goto out_error;
--- 
-2.43.0
-

sources

@@ -1 +1 @@
-SHA512 (stalld-1.19.1.tar.bz2) = 3b5c8d1577fafa93dea44b299578b5f05764c4aa9770ccc4b54c8d247f80ab2da27fee61f9b462af0d1df49c5bebf6cb6fc5659d12c2627256c4dfc6250bd56b
+SHA512 (stalld-1.19.5.tar.bz2) = 490efc66f214571582320adc7d80c022cc5d9f5b54a486b86ed867a942c9171a348d2f2a726e19ceccf8e39af3365d2ee192c85519134a00934b8d7cae0ca712

stalld.spec

@@ -1,6 +1,6 @@
 Name:		stalld
-Version:	1.19.1
-Release:	2%{?dist}
+Version:	1.19.5
+Release:	1%{?dist}
 Summary:	Daemon that finds starving tasks and gives them a temporary boost
 
 License:	GPLv2
@@ -22,8 +22,7 @@ BuildRequires:	libbpf-devel
 Requires:	libbpf
 %endif
 
-# Patches
-Patch1: Make-fill_process_comm-open-comm-file-as-READ_ONLY.patch
+%define _hardened_build 1
 
 %description
 The stalld program monitors the set of system threads,
@@ -62,6 +61,14 @@ allow 10 microseconds of runtime for 1 second of clock time.
 %systemd_postun_with_restart %{name}.service
 
 %changelog
+* Thu Jul 18 2024 Chris White <chwhite@redhat.com> - 1.19.5-1
+- Updated compile options for annocheck hardening
+- Ensure we resolve library symbols at load time (-z now) and are a Position Independent Executable (-pie). Refactored compile options to better deal with arch differences.
+- Added an 'annocheck' makefile target for local checking.
+- Makefile: change build to use FORTIFY_SOURCE=3
+- src/utils.c: fix off-by-one error in buffer allocation
+Resolves: RHEL-33662
+
 * Wed Feb 21 2024 John Kacur <jkacur@redhat.com> - 1.19.1-2
 -  Make fill_process_comm() open comm file as READ_ONLY
 Resolves: RHEL-25846