[Freeipa-devel] [PATCHES] 204-205 Spec file fixes
Jakub Hrozek
jhrozek at redhat.com
Mon Dec 2 11:26:23 UTC 2013
On Mon, Dec 02, 2013 at 12:14:07PM +0100, Petr Viktorin wrote:
> On 11/27/2013 02:50 PM, Martin Kosek wrote:
> >On 11/27/2013 02:26 PM, Jan Cholasta wrote:
> >>Hi,
> >>
> >>the attached patches fix <https://fedorahosted.org/freeipa/ticket/4010>.
>
> This fixes points 2) & 3) in the ticket; point 1) is not applicable;
> 4) are false positives.
>
> The checks mentioned in the ticket pass.
>
> $ hardening-check --color --verbose /usr/libexec/ipa-otpd
> /usr/libexec/ipa-otpd:
> Position Independent Executable: yes
> Stack protected: yes
> Fortify Source functions: yes (some protected functions found)
> unprotected: gethostname
> unprotected: read
> protected: vfprintf
> protected: asprintf
> protected: memcpy
> protected: fprintf
> Read-only relocations: yes
> Immediate binding: yes
> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -d
> /usr/libexec/ipa-otpd | grep BIND_NOW
> 0x0000000000000018 (BIND_NOW)
> pviktori at vm-183:~/freeipa{master}16e60f7$ readelf -h
> /usr/libexec/ipa-otpd | grep Type
> Type: DYN (Shared object file)
>
> (Note, redhat-rpm-config is part of Fedora's minimal build
> environment:
> https://fedoraproject.org/wiki/Packaging:Guidelines#Exceptions_2)
>
> >>Honza
> >
> >Do we want to define
> >
> >+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
> >+%define _hardened_build 1
> >+%endif
> >
> >globally? Wouldn't it trigger the hardening also for all our C utilities or
> >internal SLAPI plugins? Wouldn't it have performance implication for the SLAPI
> >plugins?
> >
> >I am not sure, I would like to hear what the experts say.
> >
> >Martin
>
> On 11/27/2013 03:37 PM, Jakub Hrozek wrote:> I'm sorry, I removed
> Martin's e-mail by accident so I'll reply here. I
> > think defining the hardened build globally is fine, the only performance
> > impact is during startup and only small.
> >
> > AFAIR, the C utilities in IPA are mostly daemons and you really want to
> > have full RELRO enabled there.
> >
> > The only gotcha we found so far (well, Nalin did) was that SELinux was
> > not happy with full RELRO on some exotic architectures, like s390x
>
> Is that a SELinux bug?
I'm not actually sure, as I said, Nalin worked on this bugzilla. FWIW, I
never saw any problems with hardened builds of SSSD or any other package
I'm involved with.
> Should we care about it?
I think that such change in build flags warrants at least basic smoke
testing on all architectures.
More information about the Freeipa-devel
mailing list