diff --git a/SOURCES/core-setup-hardening-flags.patch b/SOURCES/core-setup-hardening-flags.patch index 3f6b91c..5eb3848 100644 --- a/SOURCES/core-setup-hardening-flags.patch +++ b/SOURCES/core-setup-hardening-flags.patch @@ -1,11 +1,23 @@ diff --git a/src/settings.cmake b/src/settings.cmake --- a/src/settings.cmake +++ b/src/settings.cmake -@@ -218,6 +218,7 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Linux") +@@ -218,6 +218,8 @@ if(${CMAKE_SYSTEM_NAME} MATCHES "Linux") set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Xlinker -Bsymbolic -Bsymbolic-functions") set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,--build-id=sha1") ++ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -pie") set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,--build-id=sha1") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie") add_compile_options(-fstack-protector-strong) elseif(${CMAKE_SYSTEM_NAME} MATCHES "Darwin") add_compile_options(-fstack-protector) +--- a/src/corehost/cli/apphost/CMakeLists.txt ++++ b/src/corehost/cli/apphost/CMakeLists.txt +@@ -50,6 +50,8 @@ + + add_definitions(-DFEATURE_APPHOST=1) + ++set_target_properties("apphost" PROPERTIES LINK_FLAGS -pie) ++ + # Disable manifest generation into the file .exe on Windows + if(WIN32) + set_property(TARGET ${PROJECT_NAME} PROPERTY diff --git a/SOURCES/coreclr-hardening-flags.patch b/SOURCES/coreclr-hardening-flags.patch index e2599a7..bd9a4ba 100644 --- a/SOURCES/coreclr-hardening-flags.patch +++ b/SOURCES/coreclr-hardening-flags.patch 
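Review bot: The line this revision adds to the settings.cmake section, `set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -pie")`, puts an executable-only link option on every shared-library link. `-pie` and `-shared` ask for different output types, and which one the driver honours depends on the toolchain, so this adds no reliable hardening to the `.so` files, which get their position independence from `-fPIC`; I would keep `-pie` on `CMAKE_EXE_LINKER_FLAGS` only. The same applies to the `LINK_FLAGS -pie` added for `System.Globalization.Native` and `System.Native` in the coreclr and corefx patch hunks, which look like shared-library targets given their `_Static`/`-Static` siblings. Separately, `set_target_properties("apphost" PROPERTIES LINK_FLAGS -pie)` overwrites any LINK_FLAGS already set on the target; `set_property(TARGET apphost APPEND_STRING PROPERTY LINK_FLAGS " -pie")` appends instead.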
@@ -9,3 +9,14 @@ target_link_libraries(createdump createdump_lib # share the PAL/corguids in the dac module +--- a/src/corefx/System.Globalization.Native/CMakeLists.txt ++++ b/src/corefx/System.Globalization.Native/CMakeLists.txt +@@ -71,6 +71,8 @@ + set_target_properties(System.Globalization.Native_Static PROPERTIES PREFIX "") + set_target_properties(System.Globalization.Native_Static PROPERTIES OUTPUT_NAME System.Globalization.Native) + ++set_target_properties(System.Globalization.Native PROPERTIES LINK_FLAGS -pie) ++ + if(NOT CLR_CMAKE_PLATFORM_DARWIN) + if (NOT CMAKE_SYSTEM_NAME STREQUAL FreeBSD AND NOT CMAKE_SYSTEM_NAME STREQUAL NetBSD) + target_link_libraries(System.Globalization.Native diff --git a/SOURCES/corefx-hardening-flags.patch b/SOURCES/corefx-hardening-flags.patch new file mode 100644 index 0000000..b1588e2 --- /dev/null +++ b/SOURCES/corefx-hardening-flags.patch @@ -0,0 +1,11 @@ +--- a/src/Native/Unix/System.Native/CMakeLists.txt ++++ b/src/Native/Unix/System.Native/CMakeLists.txt +@@ -48,6 +48,8 @@ + set_target_properties(System.Native-Static PROPERTIES PREFIX "") + set_target_properties(System.Native-Static PROPERTIES OUTPUT_NAME System.Native CLEAN_DIRECT_OUTPUT 1) + ++set_target_properties(System.Native PROPERTIES LINK_FLAGS -pie) ++ + if (CMAKE_SYSTEM_NAME STREQUAL Linux AND NOT CLR_CMAKE_PLATFORM_ANDROID) + target_link_libraries(System.Native rt) + endif () diff --git a/SPECS/dotnet3.1.spec b/SPECS/dotnet3.1.spec index 909a8cb..57c7aad 100644 --- a/SPECS/dotnet3.1.spec +++ b/SPECS/dotnet3.1.spec @@ -16,7 +16,7 @@ # -fstack-clash-protection is not supported by clang # -specs= is not supported by clang %global dotnet_cflags %(echo %optflags | sed -e 's/-fstack-clash-protection//' | sed -re 's/-specs=[^ ]*//g') -%if 0%{?fedora} < 30 +%if 0%{?fedora} < 30 && ! 0%{?rhel} # on Fedora 29, clang, -fcf-protection and binutils interact in strage ways leading to # "" errors. %global dotnet_cflags %(echo %dotnet_cflags | sed -e 's/ -fcf-protection//') 
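Review bot: The new guard `%if 0%{?fedora} < 30 && ! 0%{?rhel}` still evaluates true on any build target that defines neither macro, because `0%{?fedora}` expands to `0` there, so `-fcf-protection` is stripped from `dotnet_cflags` on every such distribution and not only on Fedora 29 and older. Testing that the macro is set first, `%if 0%{?fedora} && 0%{?fedora} < 30`, limits the removal to the case the comment describes and makes the RHEL exception unnecessary. The comment below the guard also leaves the error text empty (`""`), so a reader cannot tell which failure the workaround is for.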
@@ -59,7 +59,7 @@ Name: dotnet3.1 Version: %{sdk_rpm_version} -Release: 2%{?dist} +Release: 3%{?dist} Summary: .NET Core CLI tools and runtime License: MIT and ASL 2.0 and BSD URL: https://github.com/dotnet/ @@ -73,6 +73,7 @@ Source101: dotnet.sh.in Patch100: corefx-optflags-support.patch Patch103: corefx-39633-cgroupv2-mountpoints.patch +Patch104: corefx-hardening-flags.patch Patch200: coreclr-27048-sysctl-deprecation.patch Patch201: coreclr-hardening-flags.patch @@ -284,7 +285,7 @@ applications using the .NET Core SDK. %dotnet_targeting_pack dotnet-apphost-pack-3.1 %{runtime_rpm_version} Microsoft.NETCore.App 3.1 Microsoft.NETCore.App.Host.%{runtime_id} %dotnet_targeting_pack dotnet-targeting-pack-3.1 %{runtime_rpm_version} Microsoft.NETCore.App 3.1 Microsoft.NETCore.App.Ref %dotnet_targeting_pack aspnetcore-targeting-pack-3.1 %{aspnetcore_runtime_rpm_version} Microsoft.AspNetCore.App 3.1 Microsoft.AspNetCore.App.Ref -%dotnet_targeting_pack netstandard-targeting-pack-2.1 %{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref +#%%dotnet_targeting_pack netstandard-targeting-pack-2.1 %%{sdk_rpm_version} NETStandard.Library 2.1 NETStandard.Library.Ref %prep @@ -304,6 +305,7 @@ sed -i 's|skiptests|skiptests ignorewarnings|' repos/coreclr.common.props pushd src/corefx.* %patch100 -p1 %patch103 -p1 +%patch104 -p1 popd pushd src/coreclr.* 
@@ -367,39 +369,44 @@ find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.props' -exec chmod -x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.pubxml' -exec chmod -x {} \; find %{buildroot}%{_libdir}/dotnet/ -type f -name '*.targets' -exec chmod -x {} \; chmod 0755 %{buildroot}/%{_libdir}/dotnet/sdk/%{sdk_version}/AppHostTemplate/apphost -chmod 0755 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/libnethost.so -chmod 0755 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/apphost -chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/nethost.h -chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/ref/netcoreapp3.1/*.xml -chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/data/PackageOverrides.txt chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/data/FrameworkList.xml +chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/data/PackageOverrides.txt chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/data/PlatformManifest.txt -chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Ref/3.1.0/data/PackageOverrides.txt +chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.AspNetCore.App.Ref/3.1.8/ref/netcoreapp3.1/*.xml +chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/nethost.h chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Ref/3.1.0/data/FrameworkList.xml +chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Ref/3.1.0/data/PackageOverrides.txt chmod 0644 
%{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Ref/3.1.0/data/PlatformManifest.txt -chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0/data/PackageOverrides.txt chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0/data/FrameworkList.xml +chmod 0644 %{buildroot}/%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0/data/PackageOverrides.txt +chmod 0755 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/apphost +chmod 0755 %{buildroot}/%{_libdir}/dotnet/packs/Microsoft.NETCore.App.Host.%{runtime_id}/%{runtime_version}/runtimes/%{runtime_id}/native/libnethost.so -install -dm 0755 %{buildroot}%{_sysconfdir}/profile.d/ -install dotnet.sh %{buildroot}%{_sysconfdir}/profile.d/ +# Provided by dotnet-host from another SRPM +#install -dm 0755 %%{buildroot}%{_sysconfdir}/profile.d/ +#install dotnet.sh %%{buildroot}%{_sysconfdir}/profile.d/ -install -dm 0755 %{buildroot}/%{_datadir}/bash-completion/completions +# Provided by dotnet-host from another SRPM +#install -dm 0755 %%{buildroot}/%%{_datadir}/bash-completion/completions # dynamic completion needs the file to be named the same as the base command -install src/cli.*/scripts/register-completions.bash %{buildroot}/%{_datadir}/bash-completion/completions/dotnet +#install src/cli.*/scripts/register-completions.bash %%{buildroot}/%%{_datadir}/bash-completion/completions/dotnet # TODO: the zsh completion script needs to be ported to use #compdef #install -dm 755 %%{buildroot}/%%{_datadir}/zsh/site-functions #install src/cli/scripts/register-completions.zsh %%{buildroot}/%%{_datadir}/zsh/site-functions/_dotnet -install -dm 0755 %{buildroot}%{_bindir} -ln -s ../../%{_libdir}/dotnet/dotnet %{buildroot}%{_bindir}/ +# Provided by dotnet-host from another SRPM +#install -dm 0755 %%{buildroot}%%{_bindir} +#ln -s ../../%%{_libdir}/dotnet/dotnet %%{buildroot}%%{_bindir}/ -install -dm 0755 
%{buildroot}%{_mandir}/man1/ -find -iname 'dotnet*.1' -type f -exec cp {} %{buildroot}%{_mandir}/man1/ \; +# Provided by dotnet-host from another SRPM +#install -dm 0755 %%{buildroot}%%{_mandir}/man1/ +#find -iname 'dotnet*.1' -type f -exec cp {} %%{buildroot}%%{_mandir}/man1/ \; -echo "%{_libdir}/dotnet" >> install_location -install -dm 0755 %{buildroot}%{_sysconfdir}/dotnet -install install_location %{buildroot}%{_sysconfdir}/dotnet/ +# Provided by dotnet-host from another SRPM +#echo "%%{_libdir}/dotnet" >> install_location +#install -dm 0755 %%{buildroot}%%{_sysconfdir}/dotnet +#install install_location %%{buildroot}%%{_sysconfdir}/dotnet/ # Check debug symbols in all elf objects. This is not in %%check # because native binaries are stripped by rpm-build after %%install. @@ -407,28 +414,16 @@ install install_location %{buildroot}%{_sysconfdir}/dotnet/ echo "Testing build results for debug symbols..." %{SOURCE100} -v %{buildroot}%{_libdir}/dotnet/ - -%check +# Self-check %{buildroot}%{_libdir}/dotnet/dotnet --info +# Provided by dotnet-host from another SRPM +rm %{buildroot}%{_libdir}/dotnet/LICENSE.txt +rm %{buildroot}%{_libdir}/dotnet/ThirdPartyNotices.txt +rm %{buildroot}%{_libdir}/dotnet/dotnet -%files -n dotnet -# empty package useful for dependencies - -%files -n dotnet-host -%dir %{_libdir}/dotnet -%{_libdir}/dotnet/dotnet -%dir %{_libdir}/dotnet/host -%dir %{_libdir}/dotnet/host/fxr -%{_bindir}/dotnet -%license %{_libdir}/dotnet/LICENSE.txt -%license %{_libdir}/dotnet/ThirdPartyNotices.txt -%doc %{_mandir}/man1/dotnet*.1.gz -%{_sysconfdir}/profile.d/dotnet.sh -%{_sysconfdir}/dotnet -%dir %{_datadir}/bash-completion -%dir %{_datadir}/bash-completion/completions -%{_datadir}/bash-completion/completions/dotnet +# Provided by netstandard-targeting-pack-2.1 from another SRPM +rm -rf %{buildroot}%{_libdir}/dotnet/packs/NETStandard.Library.Ref/2.1.0 %files -n dotnet-hostfxr-3.1 %dir %{_libdir}/dotnet/host/fxr 
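Review bot: The commented-out install lines escape macros inconsistently: `#install -dm 0755 %%{buildroot}%{_sysconfdir}/profile.d/` and the line after it leave `%{_sysconfdir}` as a live macro, while the other disabled lines use `%%` throughout. rpm expands macros inside comments, so either write `%%{_sysconfdir}` there as well or delete the disabled commands and keep only the `# Provided by dotnet-host from another SRPM` remark.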
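Review bot: With the `%check` header removed, `%{buildroot}%{_libdir}/dotnet/dotnet --info` now runs as part of `%install`, so it can no longer be skipped with the check stage, and no `%check` section remains in this hunk. That ordering looks deliberate, since the `rm` lines that follow delete the host binary the command needs, but the `# Self-check` comment does not say so. I would expand it to something like `# Self-check; must run here because the dotnet host is removed below and is absent by %%check`. Note also that `rm -rf` on the hard-coded `NETStandard.Library.Ref/2.1.0` path succeeds silently if the version directory changes, unlike the plain `rm` calls above it.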
@@ -454,38 +449,60 @@ echo "Testing build results for debug symbols..." %dir %{_libdir}/dotnet/packs %changelog -* Tue Sep 02 2020 Omair Majid - 3.1.108-2 -- Rebuild to fix tests -- Resolves: RHBZ#1874512 - -* Tue Sep 01 2020 Omair Majid - 3.1.108-1 -- Update to .NET Core Runtime 3.1.8 and SDK 3.1.108 -- Resolves: RHBZ#1874512 - -* Fri Jul 31 2020 Omair Majid - 3.1.107-1 -- Update to .NET Core Runtime 3.1.7 and SDK 3.1.107 -- Resolves: RHBZ#1862593 -- Resolves: RHBZ#1861113 - -* Mon Jul 06 2020 Omair Majid - 3.1.106-1 -- Update to .NET Core Runtime 3.1.6 and SDK 3.1.106 -- Resolves: RHBZ#1854137 - -* Mon Jun 08 2020 Omair Majid - 3.1.105-2 -- Remove incorrectly installed files -- Resolves: RHBZ#1844515 - -* Fri Jun 05 2020 Omair Majid - 3.1.105-1 +* Fri Sep 18 2020 Omair Majid - 3.1.108-3 +- Bump release to preserve upgrade path +- Resolves: RHBZ#1874503 + +* Fri Sep 04 2020 Omair Majid - 3.1.108-2 +- Stop producing netstandard-targeting-pack-2.1 +- Resolves: RHBZ#1874503 + +* Fri Sep 04 2020 Omair Majid - 3.1.108-1 +- Update to .NET Core SDK 3.1.108 and Runtime 3.1.8 +- Resolves: RHBZ#1874503 +- Resolves: RHBZ#1873454 + +* Mon Aug 17 2020 Omair Majid - 3.1.107-2 +- Remove subpackages that conflict with dotnet5.0 +- Resolves: RHBZ#1862590 + +* Thu Aug 13 2020 Omair Majid - 3.1.107-1 +- Update to .NET Core SDK 3.1.107 and Runtime 3.1.7 +- Resolves: RHBZ#1862590 +- Resolves: RHBZ#1861114 + +* Thu Jul 30 2020 Omair Majid - 3.1.106-6 +- Remove duplicate LDFLAGS (actually typoed ASMFLAGS) for build +- Resolves: RHBZ#1811776 + +* Wed Jul 29 2020 Omair Majid - 3.1.106-5 +- Export ASMFLAGS during build +- Resolves: RHBZ#1811776 + +* Tue Jul 28 2020 Omair Majid - 3.1.106-4 +- Enable -fcf-protection +- Resolves: RHBZ#1811776 + +* Mon Jul 27 2020 Omair Majid - 3.1.106-3 +- Improve hardening in core-setup and corefx +- Resolves: RHBZ#1811776 + +* Fri Jul 24 2020 Omair Majid - 3.1.106-2 +- Improve hardening in CoreCLR +- Resolves: RHBZ#1811776 + +* Thu Jul 16 2020 Omair Majid - 
3.1.106-1 +- Update to .NET Core SDK 3.1.106 and Runtime 3.1.6 +- Resolves: RHBZ#1853772 +- Resolves: RHBZ#1856939 + +* Tue Jun 09 2020 Omair Majid - 3.1.105-1 - Update to .NET Core Runtime 3.1.5 and SDK 3.1.105 -- Resolves: RHBZ#1844515 - -* Thu May 07 2020 Omair Majid - 3.1.104-2 -- Update to new release -- Resolves: RHBZ#1833091 +- Resolves: RHBZ#1844491 -* Thu May 07 2020 Omair Majid - 3.1.104-1 +* Mon Jun 01 2020 Omair Majid - 3.1.104-3 - Update to .NET Core Runtime 3.1.4 and SDK 3.1.104 -- Resolves: RHBZ#1833091 +- Resolves: RHBZ#1832685 * Fri Mar 20 2020 Omair Majid - 3.1.103-2 - Update to .NET Core Runtime 3.1.3 and SDK 3.1.103