[Freeipa-devel] [PATCHES] 204-205 Spec file fixes

Mon Dec 2 11:43:34 UTC 2013

On 12/02/2013 12:26 PM, Jakub Hrozek wrote:
> On Mon, Dec 02, 2013 at 12:14:07PM +0100, Petr Viktorin wrote:
>> On 11/27/2013 02:50 PM, Martin Kosek wrote:
>>> On 11/27/2013 02:26 PM, Jan Cholasta wrote:
>>>> Hi,
>>>>
>>>> the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
>>
>> This fixes points 2) & 3) in the ticket; point 1) is not applicable;
>> 4) are false positives.
>>
>> The checks mentioned in the ticket pass.
>>
>> $ hardening-check --color --verbose /usr/libexec/ipa-otpd
>> /usr/libexec/ipa-otpd:
>>  Position Independent Executable: yes
>>  Stack protected: yes
>>  Fortify Source functions: yes (some protected functions found)
>>         unprotected: gethostname
>>         unprotected: read
>>         protected: vfprintf
>>         protected: asprintf
>>         protected: memcpy
>>         protected: fprintf
>>  Read-only relocations: yes
>>  Immediate binding: yes
>> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -d
>> /usr/libexec/ipa-otpd | grep BIND_NOW
>>  0x0000000000000018 (BIND_NOW)
>> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -h
>> /usr/libexec/ipa-otpd  | grep Type
>>   Type:                              DYN (Shared object file)
>>
>> (Note, redhat-rpm-config is part of Fedora's minimal build
>> environment:
>> https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
>>
>>>> Honza
>>>
>>> Do we want to define
>>>
>>> +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
>>> +%define _hardened_build 1
>>> +%endif
>>>
>>> globally? Wouldn't it trigger the hardening also for all our C utilities or
>>> internal SLAPI plugins? Wouldn't it have performance implication for the SLAPI
>>> plugins?
>>>
>>> I am not sure, I would like to hear what the experts say.
>>>
>>> Martin
>>
>> On 11/27/2013 03:37 PM, Jakub Hrozek wrote:> I'm sorry, I removed
>> Martin's e-mail by accident so I'll reply here. I
>>> think defining the hardened build globally is fine, the only performance
>>> impact is during startup and only small.
>>>
>>> AFAIR, the C utilities in IPA are mostly daemons and you really want to
>>> have full RELRO enabled there.
>>>
>>> The only gotcha we found so far (well, Nalin did) was that SELinux was
>>> not happy with full RELRO on some exotic architectures, like s390x
>>
>> Is that a SELinux bug?
> 
> I'm not actually sure, as I said, Nalin worked on this bugzilla. FWIW, I
> never saw any problems with hardened builds of SSSD or any other package
> I'm involved with.
> 
>> Should we care about it?
> 
> I think that such change in build flags warrants at least basic smoke
> testing on all architectures.

I talked to Jakub, we will deal with it in the similar way as nss-pam-ldapd
did. In case of issues, we would turn off the hardening for the specific
architectures.

Anyway, I think current state of the patch is OK for now.

So ACK, pushed both patches to master, ipa-3-3.

Martin