From d55551c763d29ddd92156829fb2ae6b4f89b5184 Mon Sep 17 00:00:00 2001

From: Jan Cholasta <jcholast@redhat.com>

Date: Wed, 27 Nov 2013 13:13:16 +0000

Subject: [PATCH 10/11] Use hardening flags for ipa-optd.

https://fedorahosted.org/freeipa/ticket/4010

Martin Kosek: note that this patch contains both Jan's original work

and squashed additional patches 206.2, 207.2, 208.2, 209.2, 212.2

implemented to fix some of the problems introduced by the original

patch.

---

 Makefile                                               | 3 +++

 daemons/ipa-otpd/Makefile.am                           | 4 ++--

 daemons/ipa-sam/Makefile.am                            | 1 -

 daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am        | 1 -

 daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c        | 4 +++-

 daemons/ipa-slapi-plugins/ipa-dns/Makefile.am          | 1 -

 daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am   | 1 -

 daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -

 daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am      | 1 -

 daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am       | 1 -

 daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am    | 3 +--

 daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am  | 1 -

 daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am       | 1 -

 daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am         | 1 -

 daemons/ipa-slapi-plugins/ipa-version/Makefile.am      | 1 -

 daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am      | 1 -

 freeipa.spec.in                                        | 8 ++++++--

 ipa-client/Makefile.am                                 | 1 -

 18 files changed, 15 insertions(+), 20 deletions(-)

diff --git a/Makefile b/Makefile

index a21cf7e33275fd1a783e89baf237c8dcd8db6508..9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4 100644

--- a/Makefile

+++ b/Makefile

@@ -52,6 +52,9 @@ endif

 PYTHON ?= $(shell rpm -E %__python)

+CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)

+export CFLAGS

+

 all: bootstrap-autogen server tests

 	@for subdir in $(SUBDIRS); do \

 		(cd $$subdir && $(MAKE) $@) || exit 1; \

diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am

index ed99c3ecbdf6507d18243a665daa1418f978eea1..af82a5fe08856573d2d245608ba1dbaad171c7fe 100644

--- a/daemons/ipa-otpd/Makefile.am

+++ b/daemons/ipa-otpd/Makefile.am

@@ -1,5 +1,5 @@

-AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@

-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@

+AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@

+AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@

 noinst_HEADERS = internal.h

 libexec_PROGRAMS = ipa-otpd

diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am

index e8e22503a4d8e3821d6f455bac337feae8b34bfc..d55a187708eb5dda8ffc4c87abb2fcc854940ade 100644

--- a/daemons/ipa-sam/Makefile.am

+++ b/daemons/ipa-sam/Makefile.am

@@ -20,7 +20,6 @@ AM_CPPFLAGS =						\

 	-DLDAPIDIR=\""$(localstatedir)/run"\"		\

 	-DHAVE_LDAP					\

 	-I $(KRB5_UTIL_DIR)				\

-	$(AM_CFLAGS)					\

 	$(LDAP_CFLAGS)					\

 	$(KRB5_CFLAGS)					\

 	$(WARN_CFLAGS)					\

diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am

index f669d6b561482e165bedc1c1b2904b7f67a49a95..70b08835e5629026c80c21c83e0c749a387b73a4 100644

--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)						\

 	$(WARN_CFLAGS)						\

 	$(NDRNBT_CFLAGS)					\

diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c

index 54d44ebf64b1efa0dda06773736d3413a6b70977..64ec80665de5f5b0c5c1a8605e05e34e7199a23d 100644

--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c

+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c

@@ -82,7 +82,9 @@ static int ipa_cldap_stop(Slapi_PBlock *pb)

     }

     /* send stop signal to terminate worker thread */

-    write(ctx->stopfd[1], "", 1);

+    do {

+        ret = write(ctx->stopfd[1], "", 1);

+    } while (ret == -1 && errno == EINTR);

     close(ctx->stopfd[1]);

     ret = pthread_join(ctx->tid, &retval);

diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am

index 6d09c8d9c73755e89d91fea83ac66f088d9be553..31b7485e39af30224d97e4a759dbc5779bd61373 100644

--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)						\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am

index 7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c..3ce37ac10ad7d1ee077caa55a2f128f688388561 100644

--- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am

@@ -11,7 +11,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(KRB5_CFLAGS)						\

 	$(WARN_CFLAGS)						\

diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

index df0c30562f09bf0e29464c9bb05f7befbd3997e1..7099a988878e2bc0cf840eab0b14fa9f40805a51 100644

--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am

@@ -13,7 +13,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)						\

 	$(WARN_CFLAGS)						\

 	$(SSSIDMAP_CFLAGS)					\

diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am

index 0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2..6e4c31aa591c37d3b7fdd7110f66303af3005605 100644

--- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am

index 9fbd03397cf36097e3c38280330cdeda1bf5950e..a3f8d4f7b0886fd7e03f425d27fb1ee98d868913 100644

--- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

index b53b2e1e445ccc9e756aa1ecb2656f19980cd001..8bd89653de51ab33e295fc6b1f1d6d93576d3c64 100644

--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am

@@ -18,13 +18,12 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(KRB5_CFLAGS)						\

 	$(SSL_CFLAGS)						\

 	$(WARN_CFLAGS)						\

 	$(NULL)

-	

+

 AM_LDFLAGS = \

 	$(KRB5_LIBS)	\

 	$(SSL_LIBS)	\

diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am

index f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd..5aa9b5485211dc5ac699692d8c46cf59c53a9546 100644

--- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am

index 4bfb0185ec589797125df747cc02dcf8a7ef30cd..642fdd599b9a3e8204232199e1cc4a5ee8b013ba 100644

--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am

index 738290170da587b0bbee96d8abcda2762264ee0e..061d8483310b686db844059deb82b1465d498652 100644

--- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am

@@ -12,7 +12,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am

index 5396bda99c64e66428a15a17a520227f790bff00..afce915a0d76ff607c116e18ea98f959aed46d32 100644

--- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am

@@ -13,7 +13,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(KRB5_CFLAGS)						\

 	$(WARN_CFLAGS)						\

diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am

index c41692864557e890d388e42c404c23e91ae8b1e9..3108f3c152c08d8b9883974a4c999f7bb89acc8e 100644

--- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am

+++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am

@@ -11,7 +11,6 @@ AM_CPPFLAGS =							\

 	-DLIBDIR=\""$(libdir)"\" 				\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

-	$(AM_CFLAGS)						\

 	$(LDAP_CFLAGS)					\

 	$(WARN_CFLAGS)						\

 	$(NULL)

diff --git a/freeipa.spec.in b/freeipa.spec.in

index 69ec29d9ff58bf3a25e25b35d5f3ba1d43741124..ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22 100644

--- a/freeipa.spec.in

+++ b/freeipa.spec.in

@@ -5,6 +5,10 @@

 %global POLICYCOREUTILSVER 2.1.12-5

 %global gettext_domain ipa

+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)

+%define _hardened_build 1

+%endif

+

 Name:           freeipa

 Version:        __VERSION__

 Release:        __RELEASE__%{?dist}

@@ -316,8 +320,8 @@ This package contains tests that verify IPA functionality.

 %setup -n freeipa-%{version} -q

 %build

-export CFLAGS="$CFLAGS %{optflags}"

-export CPPFLAGS="$CPPFLAGS %{optflags}"

+export CFLAGS="%{optflags} $CFLAGS"

+export LDFLAGS="%{__global_ldflags} $LDFLAGS"

 %if 0%{?fedora} >= 18

 # use fedora18 platform which is based on fedora16 platform with systemd

 # support + fedora18 changes

diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am

index b7d70fd8d0d4383cac497b2978196e25893f9fe1..73076315d496d8f2be47ed18f726e5c9a6cb572f 100644

--- a/ipa-client/Makefile.am

+++ b/ipa-client/Makefile.am

@@ -25,7 +25,6 @@ AM_CPPFLAGS =							\

 	-DLIBEXECDIR=\""$(libexecdir)"\"			\

 	-DDATADIR=\""$(datadir)"\"				\

 	-DLOCALEDIR=\""$(localedir)"\"				\

-	$(AM_CFLAGS)						\

 	$(KRB5_CFLAGS)						\

 	$(OPENLDAP_CFLAGS)					\

 	$(SASL_CFLAGS)						\

-- 

1.8.3.1