Resolves: rhbz1982908
parent
b0d46aeb9d
commit
fba93c79c7
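--- a/rhbz1982908.patch
+++ b/rhbz1982908.patch
@@ -0,0 +1,222 @@
+commit 04b43f48f1091bdc4bfdbabae86745547e539f8c
+Author: Frank Ch. Eigler <fche@redhat.com>
+Date: Mon Jul 26 15:49:15 2021 -0400
+
+releng: ditch custom pie/ssp CFLAGS engine in configure.ac
+
+Just inherit the desired c*flags from autoconf via environment
+variables from the distro spec files. This lets us automatically
+benefit from centralized hardening flags on some distros. OTOH
+distros without that now will need to add such settings to the build
+scripts that invoke this configure script.
+
+diff --git a/configure b/configure
+index 3830ca898..55ff87330 100755
+--- a/configure
++++ b/configure
+@@ -904,8 +904,6 @@ with_libiconv_prefix
+with_libintl_prefix
+enable_prologues
+enable_sdt_probes
+-enable_ssp
+-enable_pie
+with_debuginfod
+enable_sqlite
+enable_translator
+@@ -1609,8 +1607,6 @@ Optional Features:
+--disable-rpath do not hardcode runtime library paths
+--enable-prologues make -P prologue-searching default
+--disable-sdt-probes disable process.mark probes in stap, staprun, stapio
+- --disable-ssp disable gcc stack-protector
+- --enable-pie enable position-independent-executable
+--enable-sqlite build with sqlite support
+--disable-translator build only runtime utilities
+--enable-crash[=DIRECTORY]
+@@ -10269,82 +10265,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+fi
+
+-# Check whether --enable-ssp was given.
+-if test "${enable_ssp+set}" = set; then :
+- enableval=$enable_ssp;
+-fi
+-
+-if test "x$enable_ssp" != xno; then :
+-
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- CXXFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CXXFLAGS"
+- CFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CFLAGS"
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-int something ();
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiling with gcc -fstack-protector-all et al." >&5
+-$as_echo "$as_me: Compiling with gcc -fstack-protector-all et al." >&6;}
+- CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CFLAGS"
+- CXXFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CXXFLAGS"
+-else
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler does not support -fstack-protector-all et al." >&5
+-$as_echo "$as_me: Compiler does not support -fstack-protector-all et al." >&6;}
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+-fi
+-
+-
+-
+-
+-# Compiling with fPIE by default (but see PR 9922)
+-# Check whether --enable-pie was given.
+-if test "${enable_pie+set}" = set; then :
+- enableval=$enable_pie;
+-fi
+-
+-if test "x$enable_pie" != xno; then :
+-
+- PIECFLAGS='-fPIE'
+- PIECXXFLAGS='-fPIE'
+- PIELDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- save_LDFLAGS="$LDFLAGS"
+- CFLAGS="$CFLAGS $PIECFLAGS"
+- CXXFLAGS="$CXXFLAGS $PIECXXFLAGS"
+- LDFLAGS="$LDFLAGS $PIELDFLAGS"
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-void main () {}
+-_ACEOF
+-if ac_fn_c_try_link "$LINENO"; then :
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiling with gcc pie et al." >&5
+-$as_echo "$as_me: Compiling with gcc pie et al." >&6;}
+-
+-else
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler does not support -pie et al." >&5
+-$as_echo "$as_me: Compiler does not support -pie et al." >&6;}
+- PIECFLAGS=""
+- PIECXXFLAGS=""
+- PIELDFLAGS=""
+-
+-fi
+-rm -f core conftest.err conftest.$ac_objext \
+- conftest$ac_exeext conftest.$ac_ext
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+- LDFLAGS="$save_LDFLAGS"
+-
+-fi
+
+
+
+diff --git a/configure.ac b/configure.ac
+index d4fd9e1b0..a88c20bff 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -190,60 +190,8 @@ AS_IF([test "x$HAVE_CXX11" != x1],[
+AC_LANG_POP(C++)
+])
+
+-AC_ARG_ENABLE([ssp],
+- [AS_HELP_STRING([--disable-ssp], [disable gcc stack-protector])])
+-AS_IF([test "x$enable_ssp" != xno],[
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- CXXFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CXXFLAGS"
+- CFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_SOURCE([int something ();])], [
+- AC_MSG_NOTICE([Compiling with gcc -fstack-protector-all et al.])
+- CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CFLAGS"
+- CXXFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CXXFLAGS"],[
+- AC_MSG_NOTICE([Compiler does not support -fstack-protector-all et al.])
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"])])
+-
+-
+-dnl Link with gold if possible
+-dnl but: https://bugzilla.redhat.com/show_bug.cgi?id=636603
+-dnl
+-dnl AC_PATH_PROG(GOLD, [ld.gold], [no])
+-dnl if test "x$GOLD" != "xno"
+-dnl then
+-dnl mkdir -p Bdir
+-dnl ln -sf $GOLD Bdir/ld
+-dnl LDFLAGS="$LDFLAGS -B`pwd`/Bdir/"
+-dnl AC_MSG_NOTICE([using ld.gold to link])
+-dnl fi
+-
+-
+-# Compiling with fPIE by default (but see PR 9922)
+-AC_ARG_ENABLE([pie],
+- [AS_HELP_STRING([--enable-pie], [enable position-independent-executable])])
+-AS_IF([test "x$enable_pie" != xno],[
+- PIECFLAGS='-fPIE'
+- PIECXXFLAGS='-fPIE'
+- PIELDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- save_LDFLAGS="$LDFLAGS"
+- CFLAGS="$CFLAGS $PIECFLAGS"
+- CXXFLAGS="$CXXFLAGS $PIECXXFLAGS"
+- LDFLAGS="$LDFLAGS $PIELDFLAGS"
+- AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])], [
+- AC_MSG_NOTICE([Compiling with gcc pie et al.])
+- ], [
+- AC_MSG_NOTICE([Compiler does not support -pie et al.])
+- PIECFLAGS=""
+- PIECXXFLAGS=""
+- PIELDFLAGS=""
+- ])
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+- LDFLAGS="$save_LDFLAGS"
+-])
++dnl Carry forward some empty PIE*FLAGS so we don't have to modify
++dnl all the Makefile.am's just now.
+AC_SUBST(PIELDFLAGS)
+AC_SUBST(PIECFLAGS)
+AC_SUBST(PIECXXFLAGS)
+diff --git a/systemtap.spec b/systemtap.spec
+index e5224e902..a2458b4b5 100644
+--- a/systemtap.spec
++++ b/systemtap.spec
+@@ -11,7 +11,6 @@
+%endif
+%{!?with_rpm: %global with_rpm 1}
+%{!?elfutils_version: %global elfutils_version 0.179}
+-%{!?pie_supported: %global pie_supported 1}
+%{!?with_boost: %global with_boost 0}
+%ifarch %{ix86} x86_64 ppc ppc64 ppc64le aarch64
+%{!?with_dyninst: %global with_dyninst 0%{?fedora} >= 18 || 0%{?rhel} >= 7}
+@@ -589,14 +588,6 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
+%global docs_config --enable-docs=prebuilt
+%endif
+
+-# Enable pie as configure defaults to disabling it
+-%if %{pie_supported}
+-%global pie_config --enable-pie
+-%else
+-%global pie_config --disable-pie
+-%endif
+-
+-
+%if %{with_java}
+%global java_config --with-java=%{_jvmdir}/java
+%else
+@@ -646,8 +637,8 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
+# We don't ship compileworthy python code, just oddball samples
+%global py_auto_byte_compile 0
+
+-%configure %{dyninst_config} %{sqlite_config} %{crash_config} %{docs_config} %{pie_config} %{rpm_config} %{java_config} %{virt_config} %{dracut_config} %{python3_config} %{python2_probes_config} %{python3_probes_config} %{httpd_config} %{bpf_config} %{debuginfod_config} --disable-silent-rules --with-extra-version="rpm %{version}-%{release}"
+-make %{?_smp_mflags}
++%configure %{dyninst_config} %{sqlite_config} %{crash_config} %{docs_config} %{rpm_config} %{java_config} %{virt_config} %{dracut_config} %{python3_config} %{python2_probes_config} %{python3_probes_config} %{httpd_config} %{bpf_config} %{debuginfod_config} --disable-silent-rules --with-extra-version="rpm %{version}-%{release}"
++make %{?_smp_mflags} V=1
+
+
+%install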
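Review bot: In the configure.ac hunk of the imported patch, the replacement `dnl` comment only explains why the empty `PIE*FLAGS` substitutions remain; it does not record that the tree no longer requests `-fstack-protector-all`, `-D_FORTIFY_SOURCE=2`, `-fPIE`/`-pie` or `-Wl,-z,relro -Wl,-z,now` itself. Hardening now depends entirely on the CFLAGS/CXXFLAGS/LDFLAGS that the caller exports, which this page does not show, so the resulting binaries should be checked for PIE, full RELRO and stack protector rather than assumed hardened. I would extend the comment, e.g. `dnl SSP, FORTIFY_SOURCE, PIE and relro/now are no longer added here; they must arrive via CFLAGS/CXXFLAGS/LDFLAGS from the caller.` Note also that the previous probe silently dropped the flags when the compiler rejected them, and nothing now reports whether any hardening flag is in effect.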
@ -90,7 +90,7 @@
|
||||
|
||||
Name: systemtap
|
||||
Version: 4.5
|
||||
Release: 3%{?release_override}%{?dist}
|
||||
Release: 4%{?release_override}%{?dist}
|
||||
# for version, see also configure.ac
|
||||
|
||||
|
||||
@ -129,7 +129,7 @@ Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz
|
||||
Patch1: rhbz1972803.patch
|
||||
Patch2: rhbz1972828.patch
|
||||
Patch3: rhbz1972805.patch
|
||||
|
||||
Patch4: rhbz1982908.patch
|
||||
|
||||
# Build*
|
||||
BuildRequires: make
|
||||
@ -544,6 +544,7 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
|
||||
%patch1 -p1
|
||||
%patch2 -p1
|
||||
%patch3 -p1
|
||||
%patch4 -p1
|
||||
|
||||
%build
|
||||
|
||||
@ -1218,6 +1219,9 @@ exit 0
|
||||
|
||||
# PRERELEASE
|
||||
%changelog
|
||||
* Mon Jul 26 2021 Frank Ch. Eigler <fche@redhat.com> - 4.5-3
|
||||
- rhbz1982908: Import hardening c*flags from specs/rhel standards
|
||||
|
||||
* Tue May 18 2021 Frank Ch. Eigler <fche@redhat.com> - 4.5-2
|
||||
- Respin against newer dyninst.
|
||||
|
||||
|
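Review bot: The new `%changelog` entry is stamped `- 4.5-3`, while the same section bumps `Release:` from 3 to 4 (sides inferred from print order, since the +/- markers are lost on this page), so the entry does not match the build it describes and should presumably read `- 4.5-4`. Separately, none of the hunks shown here touch this spec's own `%configure`/`make` lines; the imported patch drops `%{pie_config}` and adds `V=1` only in the tarball's copy of systemtap.spec. If this spec still passes `--enable-pie`, configure will presumably just warn about an unrecognized option, and without `V=1` the build log will not show which hardening flags were actually applied, so both are worth syncing by hand.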