From d55551c763d29ddd92156829fb2ae6b4f89b5184 Mon Sep 17 00:00:00 2001
From: Jan Cholasta <jcholast@redhat.com>
Date: Wed, 27 Nov 2013 13:13:16 +0000
Subject: [PATCH 10/11] Use hardening flags for ipa-optd.
https://fedorahosted.org/freeipa/ticket/4010
Martin Kosek: note that this patch contains both Jan's original work
and squashed additional patches 206.2, 207.2, 208.2, 209.2, 212.2
implemented to fix some of the problems introduced by the original
patch.
---
Makefile | 3 +++
daemons/ipa-otpd/Makefile.am | 4 ++--
daemons/ipa-sam/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c | 4 +++-
daemons/ipa-slapi-plugins/ipa-dns/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 +--
daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 1 -
daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 1 -
freeipa.spec.in | 8 ++++++--
ipa-client/Makefile.am | 1 -
18 files changed, 15 insertions(+), 20 deletions(-)
diff --git a/Makefile b/Makefile
index a21cf7e33275fd1a783e89baf237c8dcd8db6508..9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4 100644
--- a/Makefile
+++ b/Makefile
@@ -52,6 +52,9 @@ endif
PYTHON ?= $(shell rpm -E %__python)
+CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS)
+export CFLAGS
+
all: bootstrap-autogen server tests
@for subdir in $(SUBDIRS); do \
(cd $$subdir && $(MAKE) $@) || exit 1; \
diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am
index ed99c3ecbdf6507d18243a665daa1418f978eea1..af82a5fe08856573d2d245608ba1dbaad171c7fe 100644
--- a/daemons/ipa-otpd/Makefile.am
+++ b/daemons/ipa-otpd/Makefile.am
@@ -1,5 +1,5 @@
-AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
-AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
+AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@
+AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@
noinst_HEADERS = internal.h
libexec_PROGRAMS = ipa-otpd
diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am
index e8e22503a4d8e3821d6f455bac337feae8b34bfc..d55a187708eb5dda8ffc4c87abb2fcc854940ade 100644
--- a/daemons/ipa-sam/Makefile.am
+++ b/daemons/ipa-sam/Makefile.am
@@ -20,7 +20,6 @@ AM_CPPFLAGS = \
-DLDAPIDIR=\""$(localstatedir)/run"\" \
-DHAVE_LDAP \
-I $(KRB5_UTIL_DIR) \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
index f669d6b561482e165bedc1c1b2904b7f67a49a95..70b08835e5629026c80c21c83e0c749a387b73a4 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NDRNBT_CFLAGS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
index 54d44ebf64b1efa0dda06773736d3413a6b70977..64ec80665de5f5b0c5c1a8605e05e34e7199a23d 100644
--- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
+++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c
@@ -82,7 +82,9 @@ static int ipa_cldap_stop(Slapi_PBlock *pb)
}
/* send stop signal to terminate worker thread */
- write(ctx->stopfd[1], "", 1);
+ do {
+ ret = write(ctx->stopfd[1], "", 1);
+ } while (ret == -1 && errno == EINTR);
close(ctx->stopfd[1]);
ret = pthread_join(ctx->tid, &retval);
diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
index 6d09c8d9c73755e89d91fea83ac66f088d9be553..31b7485e39af30224d97e4a759dbc5779bd61373 100644
--- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
index 7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c..3ce37ac10ad7d1ee077caa55a2f128f688388561 100644
--- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am
@@ -11,7 +11,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
index df0c30562f09bf0e29464c9bb05f7befbd3997e1..7099a988878e2bc0cf840eab0b14fa9f40805a51 100644
--- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am
@@ -13,7 +13,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(SSSIDMAP_CFLAGS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
index 0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2..6e4c31aa591c37d3b7fdd7110f66303af3005605 100644
--- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
index 9fbd03397cf36097e3c38280330cdeda1bf5950e..a3f8d4f7b0886fd7e03f425d27fb1ee98d868913 100644
--- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
index b53b2e1e445ccc9e756aa1ecb2656f19980cd001..8bd89653de51ab33e295fc6b1f1d6d93576d3c64 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am
@@ -18,13 +18,12 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(SSL_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
-
+
AM_LDFLAGS = \
$(KRB5_LIBS) \
$(SSL_LIBS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
index f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd..5aa9b5485211dc5ac699692d8c46cf59c53a9546 100644
--- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
index 4bfb0185ec589797125df747cc02dcf8a7ef30cd..642fdd599b9a3e8204232199e1cc4a5ee8b013ba 100644
--- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
index 738290170da587b0bbee96d8abcda2762264ee0e..061d8483310b686db844059deb82b1465d498652 100644
--- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am
@@ -12,7 +12,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
index 5396bda99c64e66428a15a17a520227f790bff00..afce915a0d76ff607c116e18ea98f959aed46d32 100644
--- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am
@@ -13,7 +13,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(KRB5_CFLAGS) \
$(WARN_CFLAGS) \
diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
index c41692864557e890d388e42c404c23e91ae8b1e9..3108f3c152c08d8b9883974a4c999f7bb89acc8e 100644
--- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
+++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am
@@ -11,7 +11,6 @@ AM_CPPFLAGS = \
-DLIBDIR=\""$(libdir)"\" \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
- $(AM_CFLAGS) \
$(LDAP_CFLAGS) \
$(WARN_CFLAGS) \
$(NULL)
diff --git a/freeipa.spec.in b/freeipa.spec.in
index 69ec29d9ff58bf3a25e25b35d5f3ba1d43741124..ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22 100644
--- a/freeipa.spec.in
+++ b/freeipa.spec.in
@@ -5,6 +5,10 @@
%global POLICYCOREUTILSVER 2.1.12-5
%global gettext_domain ipa
+%if (0%{?fedora} > 15 || 0%{?rhel} >= 7)
+%define _hardened_build 1
+%endif
+
Name: freeipa
Version: __VERSION__
Release: __RELEASE__%{?dist}
@@ -316,8 +320,8 @@ This package contains tests that verify IPA functionality.
%setup -n freeipa-%{version} -q
%build
-export CFLAGS="$CFLAGS %{optflags}"
-export CPPFLAGS="$CPPFLAGS %{optflags}"
+export CFLAGS="%{optflags} $CFLAGS"
+export LDFLAGS="%{__global_ldflags} $LDFLAGS"
%if 0%{?fedora} >= 18
# use fedora18 platform which is based on fedora16 platform with systemd
# support + fedora18 changes
diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am
index b7d70fd8d0d4383cac497b2978196e25893f9fe1..73076315d496d8f2be47ed18f726e5c9a6cb572f 100644
--- a/ipa-client/Makefile.am
+++ b/ipa-client/Makefile.am
@@ -25,7 +25,6 @@ AM_CPPFLAGS = \
-DLIBEXECDIR=\""$(libexecdir)"\" \
-DDATADIR=\""$(datadir)"\" \
-DLOCALEDIR=\""$(localedir)"\" \
- $(AM_CFLAGS) \
$(KRB5_CFLAGS) \
$(OPENLDAP_CFLAGS) \
$(SASL_CFLAGS) \
--
1.8.3.1