From fba93c79c7c4b8fdfe09697d4a0c9fbd93bb4c56 Mon Sep 17 00:00:00 2001
From: "Frank Ch. Eigler"
Date: Mon, 26 Jul 2021 16:42:35 -0400
Subject: [PATCH] Resolves: rhbz1982908

---
rhbz1982908.patch | 222 ++++++++++++++++++++++++++++++++++++++++++++++
systemtap.spec | 8 +-
2 files changed, 228 insertions(+), 2 deletions(-)
create mode 100644 rhbz1982908.patch

diff --git a/rhbz1982908.patch b/rhbz1982908.patch
new file mode 100644
index 0000000..f7bc9f1
--- /dev/null
+++ b/rhbz1982908.patch
@@ -0,0 +1,222 @@
+commit 04b43f48f1091bdc4bfdbabae86745547e539f8c
+Author: Frank Ch. Eigler
+Date: Mon Jul 26 15:49:15 2021 -0400
+
+ releng: ditch custom pie/ssp CFLAGS engine in configure.ac
+
+ Just inherit the desired c*flags from autoconf via environment
+ variables from the distro spec files. This lets us automatically
+ benefit from centralized hardening flags on some distros. OTOH
+ distros without that now will need to add such settings to the build
+ scripts that invoke this configure script.
+
+diff --git a/configure b/configure
+index 3830ca898..55ff87330 100755
+--- a/configure
++++ b/configure
+@@ -904,8 +904,6 @@ with_libiconv_prefix
+ with_libintl_prefix
+ enable_prologues
+ enable_sdt_probes
+-enable_ssp
+-enable_pie
+ with_debuginfod
+ enable_sqlite
+ enable_translator
+@@ -1609,8 +1607,6 @@ Optional Features:
+ --disable-rpath do not hardcode runtime library paths
+ --enable-prologues make -P prologue-searching default
+ --disable-sdt-probes disable process.mark probes in stap, staprun, stapio
+- --disable-ssp disable gcc stack-protector
+- --enable-pie enable position-independent-executable
+ --enable-sqlite build with sqlite support
+ --disable-translator build only runtime utilities
+ --enable-crash[=DIRECTORY]
+@@ -10269,82 +10265,6 @@ ac_compiler_gnu=$ac_cv_c_compiler_gnu
+
+ fi
+
+-# Check whether --enable-ssp was given.
+-if test "${enable_ssp+set}" = set; then :
+- enableval=$enable_ssp;
+-fi
+-
+-if test "x$enable_ssp" != xno; then :
+-
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- CXXFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CXXFLAGS"
+- CFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CFLAGS"
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-int something ();
+-_ACEOF
+-if ac_fn_c_try_compile "$LINENO"; then :
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiling with gcc -fstack-protector-all et al." >&5
+-$as_echo "$as_me: Compiling with gcc -fstack-protector-all et al." >&6;}
+- CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CFLAGS"
+- CXXFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CXXFLAGS"
+-else
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler does not support -fstack-protector-all et al." >&5
+-$as_echo "$as_me: Compiler does not support -fstack-protector-all et al." >&6;}
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
+-fi
+-
+-
+-
+-
+-# Compiling with fPIE by default (but see PR 9922)
+-# Check whether --enable-pie was given.
+-if test "${enable_pie+set}" = set; then :
+- enableval=$enable_pie;
+-fi
+-
+-if test "x$enable_pie" != xno; then :
+-
+- PIECFLAGS='-fPIE'
+- PIECXXFLAGS='-fPIE'
+- PIELDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- save_LDFLAGS="$LDFLAGS"
+- CFLAGS="$CFLAGS $PIECFLAGS"
+- CXXFLAGS="$CXXFLAGS $PIECXXFLAGS"
+- LDFLAGS="$LDFLAGS $PIELDFLAGS"
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-void main () {}
+-_ACEOF
+-if ac_fn_c_try_link "$LINENO"; then :
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiling with gcc pie et al." >&5
+-$as_echo "$as_me: Compiling with gcc pie et al." >&6;}
+-
+-else
+-
+- { $as_echo "$as_me:${as_lineno-$LINENO}: Compiler does not support -pie et al." >&5
+-$as_echo "$as_me: Compiler does not support -pie et al." >&6;}
+- PIECFLAGS=""
+- PIECXXFLAGS=""
+- PIELDFLAGS=""
+-
+-fi
+-rm -f core conftest.err conftest.$ac_objext \
+- conftest$ac_exeext conftest.$ac_ext
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+- LDFLAGS="$save_LDFLAGS"
+-
+-fi
+
+
+
+diff --git a/configure.ac b/configure.ac
+index d4fd9e1b0..a88c20bff 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -190,60 +190,8 @@ AS_IF([test "x$HAVE_CXX11" != x1],[
+ AC_LANG_POP(C++)
+ ])
+
+-AC_ARG_ENABLE([ssp],
+- [AS_HELP_STRING([--disable-ssp], [disable gcc stack-protector])])
+-AS_IF([test "x$enable_ssp" != xno],[
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- CXXFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CXXFLAGS"
+- CFLAGS="-Werror -fstack-protector-all -D_FORTIFY_SOURCE=2 $CFLAGS"
+- AC_COMPILE_IFELSE([AC_LANG_SOURCE([int something ();])], [
+- AC_MSG_NOTICE([Compiling with gcc -fstack-protector-all et al.])
+- CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CFLAGS"
+- CXXFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 $save_CXXFLAGS"],[
+- AC_MSG_NOTICE([Compiler does not support -fstack-protector-all et al.])
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"])])
+-
+-
+-dnl Link with gold if possible
+-dnl but: https://bugzilla.redhat.com/show_bug.cgi?id=636603
+-dnl
+-dnl AC_PATH_PROG(GOLD, [ld.gold], [no])
+-dnl if test "x$GOLD" != "xno"
+-dnl then
+-dnl mkdir -p Bdir
+-dnl ln -sf $GOLD Bdir/ld
+-dnl LDFLAGS="$LDFLAGS -B`pwd`/Bdir/"
+-dnl AC_MSG_NOTICE([using ld.gold to link])
+-dnl fi
+-
+-
+-# Compiling with fPIE by default (but see PR 9922)
+-AC_ARG_ENABLE([pie],
+- [AS_HELP_STRING([--enable-pie], [enable position-independent-executable])])
+-AS_IF([test "x$enable_pie" != xno],[
+- PIECFLAGS='-fPIE'
+- PIECXXFLAGS='-fPIE'
+- PIELDFLAGS='-pie -Wl,-z,relro -Wl,-z,now'
+- save_CFLAGS="$CFLAGS"
+- save_CXXFLAGS="$CXXFLAGS"
+- save_LDFLAGS="$LDFLAGS"
+- CFLAGS="$CFLAGS $PIECFLAGS"
+- CXXFLAGS="$CXXFLAGS $PIECXXFLAGS"
+- LDFLAGS="$LDFLAGS $PIELDFLAGS"
+- AC_LINK_IFELSE([AC_LANG_SOURCE([void main () {}])], [
+- AC_MSG_NOTICE([Compiling with gcc pie et al.])
+- ], [
+- AC_MSG_NOTICE([Compiler does not support -pie et al.])
+- PIECFLAGS=""
+- PIECXXFLAGS=""
+- PIELDFLAGS=""
+- ])
+- CFLAGS="$save_CFLAGS"
+- CXXFLAGS="$save_CXXFLAGS"
+- LDFLAGS="$save_LDFLAGS"
+-])
++dnl Carry forward some empty PIE*FLAGS so we don't have to modify
++dnl all the Makefile.am's just now.
+ AC_SUBST(PIELDFLAGS)
+ AC_SUBST(PIECFLAGS)
+ AC_SUBST(PIECXXFLAGS)
+diff --git a/systemtap.spec b/systemtap.spec
+index e5224e902..a2458b4b5 100644
+--- a/systemtap.spec
++++ b/systemtap.spec
+@@ -11,7 +11,6 @@
+ %endif
+ %{!?with_rpm: %global with_rpm 1}
+ %{!?elfutils_version: %global elfutils_version 0.179}
+-%{!?pie_supported: %global pie_supported 1}
+ %{!?with_boost: %global with_boost 0}
+ %ifarch %{ix86} x86_64 ppc ppc64 ppc64le aarch64
+ %{!?with_dyninst: %global with_dyninst 0%{?fedora} >= 18 || 0%{?rhel} >= 7}
+@@ -589,14 +588,6 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
+ %global docs_config --enable-docs=prebuilt
+ %endif
+
+-# Enable pie as configure defaults to disabling it
+-%if %{pie_supported}
+-%global pie_config --enable-pie
+-%else
+-%global pie_config --disable-pie
+-%endif
+-
+-
+ %if %{with_java}
+ %global java_config --with-java=%{_jvmdir}/java
+ %else
+@@ -646,8 +637,8 @@ systemtap-runtime-virthost machine to execute systemtap scripts.
+ # We don't ship compileworthy python code, just oddball samples
+ %global py_auto_byte_compile 0
+
+-%configure %{dyninst_config} %{sqlite_config} %{crash_config} %{docs_config} %{pie_config} %{rpm_config} %{java_config} %{virt_config} %{dracut_config} %{python3_config} %{python2_probes_config} %{python3_probes_config} %{httpd_config} %{bpf_config} %{debuginfod_config} --disable-silent-rules --with-extra-version="rpm %{version}-%{release}"
+-make %{?_smp_mflags}
++%configure %{dyninst_config} %{sqlite_config} %{crash_config} %{docs_config} %{rpm_config} %{java_config} %{virt_config} %{dracut_config} %{python3_config} %{python2_probes_config} %{python3_probes_config} %{httpd_config} %{bpf_config} %{debuginfod_config} --disable-silent-rules --with-extra-version="rpm %{version}-%{release}"
++make %{?_smp_mflags} V=1
+
+
+ %install
diff --git a/systemtap.spec b/systemtap.spec
index 2c364a0..6063614 100644
--- a/systemtap.spec
+++ b/systemtap.spec
@@ -90,7 +90,7 @@ Name: systemtap Version: 4.5 -Release: 3%{?release_override}%{?dist} +Release: 4%{?release_override}%{?dist} # for version, see also configure.ac
@@ -129,7 +129,7 @@ Source: ftp://sourceware.org/pub/systemtap/releases/systemtap-%{version}.tar.gz Patch1: rhbz1972803.patch Patch2: rhbz1972828.patch Patch3: rhbz1972805.patch - +Patch4: rhbz1982908.patch # Build* BuildRequires: make
@@ -544,6 +544,7 @@ systemtap-runtime-virthost machine to execute systemtap scripts. %patch1 -p1 %patch2 -p1 %patch3 -p1 +%patch4 -p1 %build
@@ -1218,6 +1219,9 @@ exit 0 # PRERELEASE %changelog +* Mon Jul 26 2021 Frank Ch. Eigler - 4.5-3 +- rhbz1982908: Import hardening c*flags from specs/rhel standards + * Tue May 18 2021 Frank Ch. Eigler - 4.5-2 - Respin against newer dyninst.
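Review bot: Once the ssp/pie probes are gone from configure.ac, nothing left in the tree records that -fstack-protector*, -D_FORTIFY_SOURCE=2, -fPIE/-pie and -z relro/-z now are now expected from the caller's CFLAGS/CXXFLAGS/LDFLAGS; the only remaining trace is the new `dnl Carry forward some empty PIE*FLAGS` comment, which explains the AC_SUBSTs but not where the hardening went. I would extend that comment to name the contract, e.g. `dnl Hardening flags (stack-protector, FORTIFY_SOURCE, PIE, RELRO/BIND_NOW) are no longer added here; the caller must supply them via CFLAGS/CXXFLAGS/LDFLAGS, e.g. rpm's %configure.`, so a packager on a distro without centralized flags sees the requirement at the point it was removed. Note too that the removed probe used -fstack-protector-all, whereas distro flag sets generally use -fstack-protector-strong, so coverage is presumably similar but not identical. The `V=1` added to the nested spec's make line is helpful here because it exposes the effective flags in the build log; checking the installed stap/staprun/stapio binaries for PIE and RELRO after the build (readelf -h/-d, or annocheck where available) would close the loop.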
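Review bot: The new changelog entry is labelled `4.5-3` while the Release field in the first hunk of this spec moves from 3 to 4, so the entry does not describe the build it ships with (rpmlint reports this as incoherent-version-in-changelog, and it makes it harder to audit which release actually picked up the hardening-flags change). The header line should read `* Mon Jul 26 2021 Frank Ch. Eigler - 4.5-4`. The same mismatch applies to the Release hunk at line 90 and the changelog hunk at line 1218.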
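Review bot: Patch4 removes configure's `--enable-pie`/`--disable-ssp` options (see its configure.ac hunk), but this spec's own `%configure` invocation is not touched in this diff; if it still expands `%{pie_config}` as the upstream spec did before the patch, configure will now log `WARNING: unrecognized options: --enable-pie` and continue, so the option silently stops doing anything. Either drop `pie_supported`/`%{pie_config}` here as the nested spec hunk does, or confirm they are already gone from this spec. Hardening for these binaries now rests entirely on `%configure` injecting the distro CFLAGS/LDFLAGS; on a target where `%{_hardened_build}` is not enabled by default (the nested spec hunk still admits `0%{?rhel} >= 7` builds), `%global _hardened_build 1` near the other `%global` defaults is the one-line way to keep PIE. The `%configure` line itself lies outside these hunks.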