[Freeipa-devel] [PATCH] Fix linking ipa-otpd with broken hardened build

Martin Kosek mkosek at redhat.com
Wed Jan 29 12:55:09 UTC 2014


On 01/29/2014 10:39 AM, Lukas Slebodnik wrote:
> On (29/01/14 09:46), Martin Kosek wrote:
>> On 01/28/2014 08:59 PM, Lukas Slebodnik wrote:
>>> On (28/01/14 20:56), Lukas Slebodnik wrote:
>>>> ehlo,
>>>>
>>>> How to test:
>>>>    -remove line "%define _hardened_build 1" from spec file
>>>>    -build freeipa package (it should fail)
>>>>    -apply patch
>>>>    -build freeipa package (it should work)
>>>>
>>>> simple patch attached.
>>>>
>>>> LS
>>>
>>>> From 0ae1582770706f5a88980c0a16d4c64ce58c98e2 Mon Sep 17 00:00:00 2001
>>>> From: Lukas Slebodnik <lslebodn at redhat.com>
>>>> Date: Tue, 28 Jan 2014 19:58:40 +0100
>>>> Subject: [PATCH] Fix linking ipa-otpd with broken hardened build
>>>>
>>>> If there is a problem with _hardened_build in rpm, the extra flag will not be
>>>> included in CFLAGS and LDFLAGS ("-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1")
>>>> and it will cause a problem with linking the ipa-otpd binary.
>>>>
>>>> /usr/bin/ld: bind.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be
>>>> used when making a shared object; recompile with -fPIC
>>>> bind.o: error adding symbols: Bad value
>>>>
>>>> ipa-otpd will be linked successfully with this patch even if there is a problem
>>>> with the hardened build on Fedora.
>>>>
>>>> Resolves:
>>>> https://fedorahosted.org/freeipa/ticket/4142
>>>> ---
>>>> daemons/ipa-otpd/Makefile.am | 2 +-
>>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>>
>>>> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
>>>> index f0b75284dbbd46265a6ff366a7846da63c935986..0716e75b72cb7fb3910350fc0f9439a23c0bcf29 100644
>>>> --- a/daemons/ipa-otpd/Makefile.am
>>>> +++ b/daemons/ipa-otpd/Makefile.am
>>>> @@ -1,4 +1,4 @@
>>>> -AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
>>>> +AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -fPIE
>>>> AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
>>>>
>>>> noinst_HEADERS = internal.h
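Review bot: on the `+AM_CFLAGS` line, `-fPIE` is added unconditionally and has to stay paired with the `-pie` that is hard-coded in `AM_LDFLAGS` on the following line, but nothing in the file states that dependency or checks that the compiler accepts the flag. A short comment in Makefile.am explaining that `-fPIE` exists only because of `-pie`, or setting both from a single configure-time check, would keep the two from drifting apart again. When `_hardened_build` is working, the spec already supplies hardening through `$(CFLAGS)` and `$(LDFLAGS)`, so these hard-coded copies duplicate it; the commit message should say which source is meant to be authoritative.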
>>>> -- 
>>>> 1.8.5.3
>>>>
>>>
>>> I forgot to mention; patch applies only on ipa-3-3 branch, because file
>>> daemons/ipa-otpd/Makefile.am is different on master.
>>>
>>> LS
>>
>> Thanks Lukas, good investigation. This made me realize that the rawhide build
>> was indeed crashing due to a missing section switching _hardened_build to 1 in
>> the downstream repo. The build seems OK now.
>>
> I used the srpm from the fedora 20 build and _hardened_build was available in the
> spec file. I expected all builds (f19, f20, rawhide) to use the same spec file.
> 
>> Do you still consider this patch as something that should be in git, given it
>> was caused by missing _hardened_build?
>>
> There is a condition in the spec file
> %if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> %define _hardened_build 1
> %endif
> 
> So _hardened_build will not be defined on other platforms (e.g. opensuse)
> and there will be the same problem with linking ipa-otpd
> 
> The other option is to remove the "duplicated" hardened flags from AM_LDFLAGS
> 
> -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
> +AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
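Review bot: dropping `-pie -Wl,-z,relro -Wl,-z,now` on the `+AM_LDFLAGS` line means ipa-otpd gets no PIE, RELRO or immediate binding on any platform where the spec's `%if` does not define `_hardened_build` (the opensuse case mentioned just above), so the link succeeds there but the daemon ships unhardened. If this variant is taken, either add a configure-time check that enables the matching `-fPIE`/`-pie` pair and the `-z` options when the toolchain supports them, or document that hardening of this binary is now entirely the packager's responsibility.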
> 
> LS
> 

I chose to do the second option as I see this is what Honza did in the master
branch. Thus, I cherry-picked his patch and pushed it to ipa-3-3:

2d90c138ea63a74c90142e19d733e8c89ce81dab

Martin



