[Freeipa-devel] [PATCH] Fix linking ipa-otpd with broken hardened build
Martin Kosek
mkosek at redhat.com
Wed Jan 29 08:46:41 UTC 2014
On 01/28/2014 08:59 PM, Lukas Slebodnik wrote:
> On (28/01/14 20:56), Lukas Slebodnik wrote:
>> ehlo,
>>
>> How to test:
>> -remove line "%define _hardened_build 1" from spec file
>> -build freeeipa package (it should fail)
>> -apply patch
>> -build freeeipa package (it should work )
>>
>> simple patch attached.
>>
>> LS
>
>> >From 0ae1582770706f5a88980c0a16d4c64ce58c98e2 Mon Sep 17 00:00:00 2001
>> From: Lukas Slebodnik <lslebodn at redhat.com>
>> Date: Tue, 28 Jan 2014 19:58:40 +0100
>> Subject: [PATCH] Fix linking ipa-otpd with broken hardened build
>>
>> If there is problem with _hardened_build in rpm extra flag will not be included
>> into CLFAGS and LDFLAGS ("-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" )
>> and it will cause problem with linking binary ipa-otpd.
>>
>> /usr/bin/ld: bind.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be
>> used when making a shared object; recompile with -fPIC
>> bind.o: error adding symbols: Bad value
>>
>> ipa-otpd will be linked successfully with this patch even if there is problem
>> with hardened build on fedora.
>>
>> Resolves:
>> https://fedorahosted.org/freeipa/ticket/4142
>> ---
>> daemons/ipa-otpd/Makefile.am | 2 +-
>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
>> index f0b75284dbbd46265a6ff366a7846da63c935986..0716e75b72cb7fb3910350fc0f9439a23c0bcf29 100644
>> --- a/daemons/ipa-otpd/Makefile.am
>> +++ b/daemons/ipa-otpd/Makefile.am
>> @@ -1,4 +1,4 @@
>> -AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
>> +AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -fPIE
>> AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
>>
>> noinst_HEADERS = internal.h
>> --
>> 1.8.5.3
>>
>
> I forgot to mention; patch applies only on ipa-3-3 branch, because file
> daemons/ipa-otpd/Makefile.am is different on master.
>
> LS
Thanks Lukas, good investigation. This made me realize that the rawhide build
was indeed crashing due to missing section switching _hardened_build to 1 in
downstream repo. The build seems OK now.
Do you still consider this patch as something that should be in git, given it
was caused by missing _hardened_build?
Martin
More information about the Freeipa-devel
mailing list