From 55054b88c942419c84d71e53ce00ffb8050fe9a6 Mon Sep 17 00:00:00 2001 From: Daniel P. Berrangé Date: Mar 19 2018 18:36:49 +0000 Subject: Re-enable normal Fedora hardening macros We previously disabled the hardened build macros because they broke static linking. This is now resolved, so we can use them as is, which in turn ensures ksmctl gets linked correctly. While doing this it is not neccessary to pass -pie in ldflags, as we are already giving the --enable-pie configure option. This lets us move setting of linker/compiler flags into the common run_configure function, rather than duplicating them for static & dynamic builds Finally, even though QEMU sets _FORTIFY_SOURCE itself, there's no reason to strip it from the RPM provided build flags - it is harmless for it to appear twice on compiler args. This ensures ksmctl.c gets fortified. Signed-off-by: Daniel P. Berrangé --- diff --git a/qemu.spec b/qemu.spec index 2e1e0d9..651dcaf 100644 --- a/qemu.spec +++ b/qemu.spec @@ -89,10 +89,6 @@ Requires: %{name}-block-nfs = %{epoch}:%{version}-%{release} \ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} %endif -# Temp hack for https://bugzilla.redhat.com/show_bug.cgi?id=1343892 -# We'll manually turn on hardened build later in this spec -%undefine _hardened_build - # Release candidate version tracking # global rcver rc3 %if 0%{?rcver:1} @@ -104,7 +100,7 @@ Requires: %{name}-block-ssh = %{epoch}:%{version}-%{release} Summary: QEMU is a FAST! processor emulator Name: qemu Version: 2.11.1 -Release: 1%{?rcrel}%{?dist} +Release: 2%{?rcrel}%{?dist} Epoch: 2 License: GPLv2 and BSD and MIT and CC-BY URL: http://www.qemu.org/ @@ -941,9 +937,6 @@ This package provides the system emulator for NIOS2. %build -# QEMU already knows how to set _FORTIFY_SOURCE -%global optflags %(echo %{optflags} | sed 's/-Wp,-D_FORTIFY_SOURCE=2//') - # drop -g flag to prevent memory exhaustion by linker %ifarch s390 %global optflags %(echo %{optflags} | sed 's/-g//') @@ -1064,6 +1057,12 @@ run_configure() { --enable-tcg-interpreter \ %endif --enable-trace-backend=$tracebackends \ +%ifnarch aarch64 + --extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \ +%else + --extra-ldflags="$extraldflags" \ +%endif + --extra-cflags="%{optflags}" \ "$@" || cat config.log } @@ -1071,12 +1070,6 @@ mkdir build-dynamic pushd build-dynamic run_configure \ -%ifnarch aarch64 - --extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -pie -Wl,-z,relro -Wl,-z,now" \ -%else - --extra-ldflags="$extraldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld" \ -%endif - --extra-cflags="%{optflags} -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1" \ --target-list="$dynamic_targets" \ --enable-pie \ --enable-modules \ @@ -1101,12 +1094,6 @@ mkdir build-static pushd build-static run_configure \ -%ifnarch aarch64 - --extra-ldflags="$extraldflags -Wl,-z,relro -Wl,-z,now" \ -%else - --extra-ldflags="$extraldflags" \ -%endif - --extra-cflags="%{optflags}" \ --target-list="$static_targets" \ --static \ --disable-pie \ @@ -1983,6 +1970,11 @@ getent passwd qemu >/dev/null || \ %changelog +* Mon Mar 19 2018 Daniel P. Berrangé - 2:2.11.1-2 +- Re-enable normal hardened build macros to fix ksmctl.c hardening +- Don't strip _FORTIFY_SOURCE from compiler flags +- Don't pass -pie as an extra ldflags when we use --enable-pie + * Wed Feb 28 2018 Cole Robinson - 2:2.11.1-1 - Rebase to qemu 2.11.1 bugfix release