[Freeipa-devel] [PATCH] Fix linking ipa-otpd with broken hardened build
Lukas Slebodnik
lslebodn at redhat.com
Wed Jan 29 09:39:28 UTC 2014
On (29/01/14 09:46), Martin Kosek wrote:
>On 01/28/2014 08:59 PM, Lukas Slebodnik wrote:
>> On (28/01/14 20:56), Lukas Slebodnik wrote:
>>> ehlo,
>>>
>>> How to test:
>>> -remove line "%define _hardened_build 1" from spec file
>>> -build freeeipa package (it should fail)
>>> -apply patch
>>> -build freeeipa package (it should work )
>>>
>>> simple patch attached.
>>>
>>> LS
>>
>>> >From 0ae1582770706f5a88980c0a16d4c64ce58c98e2 Mon Sep 17 00:00:00 2001
>>> From: Lukas Slebodnik <lslebodn at redhat.com>
>>> Date: Tue, 28 Jan 2014 19:58:40 +0100
>>> Subject: [PATCH] Fix linking ipa-otpd with broken hardened build
>>>
>>> If there is problem with _hardened_build in rpm extra flag will not be included
>>> into CLFAGS and LDFLAGS ("-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" )
>>> and it will cause problem with linking binary ipa-otpd.
>>>
>>> /usr/bin/ld: bind.o: relocation R_X86_64_32 against `.rodata.str1.8' can not be
>>> used when making a shared object; recompile with -fPIC
>>> bind.o: error adding symbols: Bad value
>>>
>>> ipa-otpd will be linked successfully with this patch even if there is problem
>>> with hardened build on fedora.
>>>
>>> Resolves:
>>> https://fedorahosted.org/freeipa/ticket/4142
>>> ---
>>> daemons/ipa-otpd/Makefile.am | 2 +-
>>> 1 file changed, 1 insertion(+), 1 deletion(-)
>>>
>>> diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
>>> index f0b75284dbbd46265a6ff366a7846da63c935986..0716e75b72cb7fb3910350fc0f9439a23c0bcf29 100644
>>> --- a/daemons/ipa-otpd/Makefile.am
>>> +++ b/daemons/ipa-otpd/Makefile.am
>>> @@ -1,4 +1,4 @@
>>> -AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
>>> +AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -fPIE
>>> AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
>>>
>>> noinst_HEADERS = internal.h
>>> --
>>> 1.8.5.3
>>>
>>
>> I forgot to mention; patch applies only on ipa-3-3 branch, because file
>> daemons/ipa-otpd/Makefile.am is different on master.
>>
>> LS
>
>Thanks Lukas, good investigation. This made me realize that the rawhide build
>was indeed crashing due to missing section switching _hardened_build to 1 in
>downstream repo. The build seems OK now.
>
I used srpm from fedora 20 build and _hardened_build was available in spec
file. I expected all builds(f19, f20, rawhide} use the same spec file.
>Do you still consider this patch as something that should be in git, given it
>was caused by missing _hardened_build?
>
There is condition in spec file
%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
%define _hardened_build 1
%endif
So _hardened_build will not be defined on other platforms (e.g. opensuse)
and there will be the same problem with linking ipa-otpd
Other option is to remove "duplicated" hardened flags from AM_LDFLAGS
-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ -pie -Wl,-z,relro -Wl,-z,now
+AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
LS
More information about the Freeipa-devel
mailing list