diff --git a/SOURCES/bz1092531-enable_hardening.patch b/SOURCES/bz1092531-enable_hardening.patch new file mode 100644 index 0000000..4eeb56c --- /dev/null +++ b/SOURCES/bz1092531-enable_hardening.patch 
@@ -0,0 +1,84 @@ +diff -ur a/client/Makefile.in b/client/Makefile.in +--- a/client/Makefile.in 2014-06-23 15:56:09.000000000 -0400 ++++ b/client/Makefile.in 2017-05-22 12:33:13.587241001 -0400 +@@ -40,10 +40,10 @@ + ln -snf $^ $@ + + fence_virt: ${fence_virt_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -L../common -lfence_virt ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -L../common -lfence_virt + + %.o: %.c +- $(CC) $(CFLAGS) -c -o $@ $^ $(INCLUDES) ++ $(CC) -c -o $@ $^ $(INCLUDES) $(CFLAGS) + + install: all + if [ ! -d ${DESTDIR}/${sbindir} ]; then \ +diff -ur a/Makefile.top.in b/Makefile.top.in +--- a/Makefile.top.in 2014-06-23 15:56:09.000000000 -0400 ++++ b/Makefile.top.in 2017-05-22 12:24:26.973934895 -0400 +@@ -1,8 +1,9 @@ + CC=@CC@ + CXX=@CXX@ + +-CFLAGS=@CFLAGS@ +-CFLAGS+=-fPIC -Wall -Wstrict-prototypes -Wshadow -D_GNU_SOURCE ++CFLAGS=-fPIC -Wall -Wstrict-prototypes -Wshadow -D_GNU_SOURCE -Wl,-z,relro,-z,now ++CFLAGS_BIN=@CFLAGS@ ++LDFLAGS=@LDFLAGS@ + + LEX=@LEX@ + YACC=@YACC@ +diff -ur a/server/Makefile.in b/server/Makefile.in +--- a/server/Makefile.in 2014-06-23 15:56:09.000000000 -0400 ++++ b/server/Makefile.in 2017-05-22 13:03:14.183158260 -0400 +@@ -152,38 +152,38 @@ + all: ${TARGETS} ${MODULES} + + fence_virtd: ${fence_virtd_SOURCES:.c=.o} ${fence_virtd_cxx_SOURCES:.cpp=.opp} +- $(CXX) -o $@ $^ $(MAIN_LIBS) $(LIBS) ++ $(CXX) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(MAIN_LIBS) $(LIBS) + + multicast.so: ${multicast_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(NSS_LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(NSS_LIBS) + + libvirt.so: ${libvirt_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(VIRT_LIBS) $(UUID_LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(VIRT_LIBS) $(UUID_LIBS) + + libvirt-qmf.so: ${libvirt_qmf_so_SOURCES:.c=.o} ${libvirt_qmf_cxx_so_SOURCES:.cpp=.opp} +- $(CXX) -o $@ $^ $(LIBS) -shared $(VIRT_QPID) ++ $(CXX) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(VIRT_QPID) + + pm-fence.so: 
${pm_fence_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(PACEMAKER_LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(PACEMAKER_LIBS) + + null.so: ${null_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared + + checkpoint.so: ${checkpoint_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(AIS_LIBS) $(VIRT_LIBS) \ ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(AIS_LIBS) $(VIRT_LIBS) \ + $(COROSYNC_LIBS) $(CMAN_LIBS) + + serial.so: ${serial_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(VIRT_LIBS) $(UUID_LIBS) $(XML_LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(VIRT_LIBS) $(UUID_LIBS) $(XML_LIBS) + + tcp.so: ${tcp_so_SOURCES:.c=.o} +- $(CC) -o $@ $^ $(LIBS) -shared $(NSS_LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^ $(LIBS) -shared $(NSS_LIBS) + + %.o: %.c +- $(CC) $(CFLAGS) -c -o $@ $^ $(INCLUDES) ++ $(CC) -c -o $@ $^ $(INCLUDES) $(CFLAGS) + + %.opp: %.cpp +- $(CXX) $(CFLAGS) -c -o $@ $^ $(INCLUDES) ++ $(CXX) -c -o $@ $^ $(INCLUDES) $(CFLAGS) + + install: all + if [ ! -d ${DESTDIR}/${sbindir} ]; then \ diff --git a/SOURCES/bz1334170-cleanup_documentation_of_the_tcp_listener.patch b/SOURCES/bz1334170-cleanup_documentation_of_the_tcp_listener.patch new file mode 100644 index 0000000..21d7d2d --- /dev/null +++ b/SOURCES/bz1334170-cleanup_documentation_of_the_tcp_listener.patch 
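Review bot: The new `CFLAGS=` line in the Makefile.top.in hunk drops `@CFLAGS@`, so whatever configure receives in the environment (`RPM_OPT_FLAGS` with `-g`, and the `-fpie`/RELRO flags exported in the `%build` hunk of SPECS/fence-virt.spec in this same commit) no longer reaches the `%.o: %.c` and `%.opp: %.cpp` rules, which still expand `$(CFLAGS)`; the added `CFLAGS_BIN=@CFLAGS@` is not read by any rule in these hunks, so unless something outside them consumes it the exported hardening and optimisation flags are silently discarded. The `0.3.2-12` changelog entry "Rebuild to restore debuginfo" would be consistent with `-g` being lost this way, though that is an inference from the changelog alone. `-Wl,-z,relro,-z,now` is a linker option and belongs in `LDFLAGS`, which the link rules now pass, rather than in every compile invocation where it is ignored. I would write `CFLAGS=@CFLAGS@ -fPIC -Wall -Wstrict-prototypes -Wshadow -D_GNU_SOURCE` and `LDFLAGS=@LDFLAGS@ -Wl,-z,relro,-z,now` and drop `CFLAGS_BIN`.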
@@ -0,0 +1,51 @@ +From 0015556ddfbf22a1deca3b86217d0ac29afd3fbc Mon Sep 17 00:00:00 2001 +From: Ryan McCabe +Date: Wed, 17 May 2017 13:21:33 -0400 +Subject: [PATCH] fence-virtd: Cleanup documentation of the TCP listener + +Remove overly specific documentation of the TCP listener. vios-proxy appears to be dead, +so all references to that and its configuration have been removed. + +Resolves: rhbz#1334170 +Signed-off-by: Ryan McCabe +--- + man/fence_virt.conf.5 | 16 ++-------------- + 1 file changed, 2 insertions(+), 14 deletions(-) + +diff --git a/man/fence_virt.conf.5 b/man/fence_virt.conf.5 +index 412e769..dcf0d21 100644 +--- a/man/fence_virt.conf.5 ++++ b/man/fence_virt.conf.5 +@@ -154,19 +154,7 @@ This selects the type of sockets to register. Valid values are "serial" + (default) and "vmchannel". + + .SS tcp +-The tcp plugin was designed to be used with vios-proxy. vios-proxy uses a virtio-serial channel to proxy TCP connections between guests and a host. In order to use the tcp plugin, vios-proxy-host must be running on all the physical cluster nodes, and vios-proxy-guest must be running on all guest cluster nodes. Prior to running vios-proxy-host or vios-proxy-guest, the virtio-serial channel and host sockets must be configured for all guest domains. Example libvirt XML: +- +-.in 8 +- <\fBcontroller\fP type='virtio-serial' index='0'> +-
+- +- +- <\fBchannel\fP type='unix'> +- +- +-
+- +-.in 0 ++The tcp listener operates similarly to the multicast listener but uses TCP sockets for communication instead of using multicast packets. + + .TP + .B key_file +@@ -193,7 +181,7 @@ the IP family to use (default: ipv4, but may be ipv6) + .TP + .B address + . +-the IP address to listen on (default: 127.0.0.1) ++the IP address to listen on (default: 127.0.0.1 for IPv4, ::1 for IPv6) + + .TP + .B port +-- +2.9.3 + diff --git a/SOURCES/bz1393958-cleanup_numeric_argument_parsing.patch b/SOURCES/bz1393958-cleanup_numeric_argument_parsing.patch new file mode 100644 index 0000000..eba1b26 --- /dev/null +++ b/SOURCES/bz1393958-cleanup_numeric_argument_parsing.patch 
@@ -0,0 +1,118 @@ +diff -ur a/client/options.c b/client/options.c +--- a/client/options.c 2017-03-13 17:48:52.083747432 -0400 ++++ b/client/options.c 2017-03-13 17:50:37.289128784 -0400 +@@ -130,14 +130,18 @@ + static inline void + assign_port(fence_virt_args_t *args, struct arg_info *arg, char *value) + { ++ char *p; ++ int ret; ++ + if (!value) + return; + +- args->net.port = atoi(value); +- if (args->net.port <= 0 || args->net.port >= 65536) { ++ ret = strtol(value, &p, 0); ++ if (ret <= 0 || ret >= 65536 || *p != '\0') { + printf("Invalid port: '%s'\n", value); + args->flags |= F_ERR; +- } ++ } else ++ args->net.port = ret; + } + + +@@ -154,14 +158,18 @@ + static inline void + assign_retrans(fence_virt_args_t *args, struct arg_info *arg, char *value) + { ++ char *p; ++ int ret; ++ + if (!value) + return; + +- args->retr_time = atoi(value); +- if (args->retr_time <= 0) { ++ ret = strtol(value, &p, 0); ++ if (ret <= 0 || *p != '\0') { + printf("Invalid retransmit time: '%s'\n", value); + args->flags |= F_ERR; +- } ++ } else ++ args->retr_time = ret; + } + + static inline void +@@ -319,27 +327,35 @@ + static inline void + assign_timeout(fence_virt_args_t *args, struct arg_info *arg, char *value) + { ++ char *p; ++ int ret; ++ + if (!value) + return; + +- args->timeout = atoi(value); +- if (args->timeout <= 0) { ++ ret = strtol(value, &p, 0); ++ if (ret <= 0 || *p != '\0') { + printf("Invalid timeout: '%s'\n", value); + args->flags |= F_ERR; +- } ++ } else ++ args->timeout = ret; + } + + static inline void + assign_delay(fence_virt_args_t *args, struct arg_info *arg, char *value) + { ++ char *p; ++ int ret; ++ + if (!value) + return; + +- args->delay = atoi(value); +- if (args->delay <= 0) { ++ ret = strtol(value, &p, 0); ++ if (ret < 0 || *p != '\0') { + printf("Invalid delay: '%s'\n", value); + args->flags |= F_ERR; +- } ++ } else ++ args->delay = ret; + } + + static inline void +diff -ur a/server/config.c b/server/config.c +--- a/server/config.c 2017-03-13 
17:48:52.081747462 -0400 ++++ b/server/config.c 2017-03-13 17:49:08.526494450 -0400 +@@ -237,9 +237,10 @@ + + do { + text_input("Multicast IP Port", val, inp, sizeof(inp)); ++ char *p; + +- done = atoi(inp); +- if (done <= 0 || done >= 65536) { ++ done = strtol(inp, &p, 0); ++ if (*p != '\0' || done <= 0 || done >= 65536) { + printf("Port value '%s' is out of range\n", val); + continue; + } +@@ -374,9 +375,10 @@ + + do { + text_input("TCP Listen Port", val, inp, sizeof(inp)); ++ char *p; + +- done = atoi(inp); +- if (done <= 0 || done != (done & 0xffff)) { ++ done = strtol(inp, &p, 0); ++ if (*p != '\0' || done <= 0 || done >= 65536) { + printf("Port value '%s' is out of range\n", val); + continue; + } diff --git a/SOURCES/bz1411910-fence_virtd_drop_legacy_sysvstartpriority_from_service.patch b/SOURCES/bz1411910-fence_virtd_drop_legacy_sysvstartpriority_from_service.patch new file mode 100644 index 0000000..fb91778 --- /dev/null +++ b/SOURCES/bz1411910-fence_virtd_drop_legacy_sysvstartpriority_from_service.patch 
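Review bot: In the four `assign_*` helpers of client/options.c the `long` returned by `strtol()` is stored in `int ret` before the range check, so on a typical LP64 build a value such as `4294967297` narrows to `1` and passes `ret <= 0 || ret >= 65536`, and an `ERANGE` overflow is never detected; the same narrowing applies to `done` in server/config.c if it is an `int`, but its declaration lies outside the hunk. Declare `long ret;`, clear `errno` before the call (include `<errno.h>` if the file does not already), and reject on overflow as well as on the existing conditions: `errno = 0; ret = strtol(value, &p, 0); if (errno != 0 || *p != '\0' || ret <= 0 || ret >= 65536)`. Base `0` also accepts hex and leading-zero octal spellings (`010` parses as 8) and leading whitespace; if that is intended it deserves a one-line comment such as `/* base 0: decimal, 0x.. hex or leading-0 octal */`, otherwise pass base 10. The enclosing `do { ... }` loops in config.c start before their hunks.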
@@ -0,0 +1,40 @@ +From 16503d909bec51b87732cf34efd004818021ed28 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jan=20Pokorn=C3=BD?= +Date: Mon, 3 Aug 2015 18:17:44 +0200 +Subject: [PATCH] fence_virtd: drop legacy SysVStartPriority from service + unit +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Since systemd-218[1], systemd will emit following lines in the +journal upon (re)loading its configuration: + +Support for option SysVStartPriority= has been removed and it is +ignored + +As it allegedly had no importance for some time even before, simply +drop it. + +[1] http://cgit.freedesktop.org/systemd/systemd/commit/?id=9e37c95 + +Signed-off-by: Jan Pokorný +--- + fence_virtd.service.in | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/fence_virtd.service.in b/fence_virtd.service.in +index e69d3d3..14c2b3a 100644 +--- a/fence_virtd.service.in ++++ b/fence_virtd.service.in +@@ -17,7 +17,6 @@ WantedBy=multi-user.target + [Service] + Type=forking + Restart=on-failure +-SysVStartPriority=99 + Environment="FENCE_VIRTD_ARGS=-w" + + # Autogenerated below here +-- +2.9.3 + diff --git a/SPECS/fence-virt.spec b/SPECS/fence-virt.spec index 599e9d4..ee7cf80 100644 --- a/SPECS/fence-virt.spec +++ b/SPECS/fence-virt.spec @@ -1,12 +1,12 @@ Name: fence-virt Version: 0.3.2 -Release: 5%{?dist} +Release: 12%{?dist} Summary: A pluggable fencing framework for virtual machines Group: System Environment/Base License: GPLv2+ %if 0%{?rhel} -ExclusiveArch: i686 x86_64 +ExclusiveArch: i686 x86_64 ppc64le %endif URL: http://fence-virt.sourceforge.net 
@@ -19,6 +19,10 @@ Patch3: bz1204877-remove_delay_from_the_status,_monitor_and_list.patch Patch4: bz1334170-allow_fence_virtd_to_run_as_non_root.patch Patch5: bz1334170-2-fix_use_of_undefined_#define.patch Patch6: bz1291522-Install_firewalld_unit_file.patch +Patch7: bz1393958-cleanup_numeric_argument_parsing.patch +Patch8: bz1411910-fence_virtd_drop_legacy_sysvstartpriority_from_service.patch +Patch9: bz1334170-cleanup_documentation_of_the_tcp_listener.patch +Patch10: bz1092531-enable_hardening.patch BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX) @@ -37,6 +41,7 @@ Conflicts: fence-agents < 3.0.5-2 %description Fencing agent for virtual machines. +%global _hardened_build 1 %package -n fence-virtd Summary: Daemon which handles requests from fence-virt @@ -97,8 +102,23 @@ machines on a desktop. %patch4 -p1 -b .bz1334170.1 %patch5 -p1 -b .bz1334170.2 %patch6 -p1 -b .bz1291522.1 +%patch7 -p1 -b .bz1393958.1 +%patch8 -p1 -b .bz1411910.1 +%patch9 -p1 -b .bz1334170.1 +%patch10 -p1 -b .bz1092531.1 %build +%ifarch s390 s390x sparcv9 sparc64 +export PIECFLAGS="-fPIE" +%else +export PIECFLAGS="-fpie" +%endif + +export RELRO="-Wl,-z,relro,-z,now" +export CFLAGS="$RPM_OPT_FLAGS $CPPFLAGS $PIECFLAGS $RELRO" +export CXXFLAGS="$RPM_OPT_FLAGS $CPPFLAGS $PIECFLAGS $RELRO" +export LDFLAGS="$LDFLAGS -pie" + ./autogen.sh %{configure} --disable-libvirt-qmf-plugin --enable-tcp-plugin make %{?_smp_mflags} 
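Review bot: `%global _hardened_build 1` is inserted inside the `%description` block, between the description text and `%package -n fence-virtd`; it works because `%global` is handled at macro-expansion time, but a reader looking for the build policy will not expect it there. Move it to the top of the spec next to the `%if 0%{?rhel}` block, and add a short comment such as `# PIE/RELRO via redhat-rpm-config (rhbz#1092531)` so the intent is visible. On distributions whose redhat-rpm-config honours `_hardened_build`, the PIE and RELRO flags are then injected through `%{optflags}` and the global link flags, which makes the manual `PIECFLAGS`/`RELRO` exports in `%build` redundant; keeping both leaves it unclear which one is authoritative.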
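Review bot: `%patch9 -p1 -b .bz1334170.1` reuses the backup suffix already given to `%patch4`; the spec's own convention (`%patch5 -p1 -b .bz1334170.2`) suggests `%patch9 -p1 -b .bz1334170.3`, which keeps the backups distinguishable if both patches ever touch the same file. `export LDFLAGS="$LDFLAGS -pie"` reaches every link through `@LDFLAGS@`, and the Makefile changes in bz1092531-enable_hardening.patch now pass `$(LDFLAGS)` when linking the `-shared` plugin modules too, so `-pie` and `-shared` are combined on those links; how a given toolchain resolves that pair varies by version, so the built `.so` files are worth checking with `readelf -h` and `readelf -d` to confirm they are ordinary shared objects with RELRO and BIND_NOW. The `CFLAGS`/`CXXFLAGS` exports in this hunk only take effect if the patched Makefile.top.in keeps `@CFLAGS@`, which is raised at that hunk.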
@@ -189,6 +209,34 @@ fi %{_libdir}/%{name}/libvirt.so %changelog +* Wed Jun 14 2017 Ryan McCabe - 0.3.2-12 +- fence-virt: Rebuild to restore debuginfo + Resolves: rhbz#1092531 + +* Mon May 22 2017 Ryan McCabe - 0.3.2-11 +- fence-virt: Enable PIE and full RELRO + Resolves: rhbz#1092531 + +* Mon May 22 2017 Ryan McCabe - 0.3.2-10 +- fence-virt: Enable PIE and RELRO + Resolves: rhbz#1092531 + +* Wed May 17 2017 Ryan McCabe - 0.3.2-9 +- fence-virtd: Cleanup documentation of the TCP listener + Resolves: rhbz#1334170 + +* Wed Mar 15 2017 Ryan McCabe - 0.3.2-8 +- fence-virt: Build for ppc64le + Resolves: rhbz#1402572 + +* Mon Mar 13 2017 Ryan McCabe - 0.3.2-7 +- fence_virtd: drop legacy SysVStartPriority from service + Resolves: rhbz#1411910 + +* Mon Mar 13 2017 Ryan McCabe - 0.3.2-6 +- fence-virt: Cleanup numeric argument parsing + Resolves: rhbz#1393958 + * Tue Jun 28 2016 Ryan McCabe - 0.3.2-5 - fence-virt: Add firewalld service file. Resolves: rhbz#1291522