From d55551c763d29ddd92156829fb2ae6b4f89b5184 Mon Sep 17 00:00:00 2001 From: Jan Cholasta Date: Wed, 27 Nov 2013 13:13:16 +0000 Subject: [PATCH 10/11] Use hardening flags for ipa-optd. https://fedorahosted.org/freeipa/ticket/4010 Martin Kosek: note that this patch contains both Jan's original work and squashed additional patches 206.2, 207.2, 208.2, 209.2, 212.2 implemented to fix some of the problems introduced by the original patch. --- Makefile | 3 +++ daemons/ipa-otpd/Makefile.am | 4 ++-- daemons/ipa-sam/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c | 4 +++- daemons/ipa-slapi-plugins/ipa-dns/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am | 3 +-- daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-version/Makefile.am | 1 - daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am | 1 - freeipa.spec.in | 8 ++++++-- ipa-client/Makefile.am | 1 - 18 files changed, 15 insertions(+), 20 deletions(-) diff --git a/Makefile b/Makefile index a21cf7e33275fd1a783e89baf237c8dcd8db6508..9ed3bb59a0f1d52e1b40430bb9516d9438b0fcb4 100644 --- a/Makefile +++ b/Makefile @@ -52,6 +52,9 @@ endif PYTHON ?= $(shell rpm -E %__python) +CFLAGS := -g -O2 -Werror -Wall -Wextra -Wformat-security -Wno-unused-parameter -Wno-sign-compare -Wno-missing-field-initializers $(CFLAGS) +export CFLAGS + all: bootstrap-autogen server tests @for subdir in $(SUBDIRS); do \ (cd $$subdir && $(MAKE) $@) || exit 1; \ diff --git a/daemons/ipa-otpd/Makefile.am b/daemons/ipa-otpd/Makefile.am index ed99c3ecbdf6507d18243a665daa1418f978eea1..af82a5fe08856573d2d245608ba1dbaad171c7fe 100644 --- a/daemons/ipa-otpd/Makefile.am +++ b/daemons/ipa-otpd/Makefile.am @@ -1,5 +1,5 @@ -AM_CFLAGS := $(CFLAGS) @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ -AM_LDFLAGS := $(LDFLAGS) @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ +AM_CFLAGS := @LDAP_CFLAGS@ @LIBVERTO_CFLAGS@ +AM_LDFLAGS := @LDAP_LIBS@ @LIBVERTO_LIBS@ @KRAD_LIBS@ noinst_HEADERS = internal.h libexec_PROGRAMS = ipa-otpd diff --git a/daemons/ipa-sam/Makefile.am b/daemons/ipa-sam/Makefile.am index e8e22503a4d8e3821d6f455bac337feae8b34bfc..d55a187708eb5dda8ffc4c87abb2fcc854940ade 100644 --- a/daemons/ipa-sam/Makefile.am +++ b/daemons/ipa-sam/Makefile.am @@ -20,7 +20,6 @@ AM_CPPFLAGS = \ -DLDAPIDIR=\""$(localstatedir)/run"\" \ -DHAVE_LDAP \ -I $(KRB5_UTIL_DIR) \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am index f669d6b561482e165bedc1c1b2904b7f67a49a95..70b08835e5629026c80c21c83e0c749a387b73a4 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-cldap/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NDRNBT_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c index 54d44ebf64b1efa0dda06773736d3413a6b70977..64ec80665de5f5b0c5c1a8605e05e34e7199a23d 100644 --- a/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c +++ b/daemons/ipa-slapi-plugins/ipa-cldap/ipa_cldap.c @@ -82,7 +82,9 @@ static int ipa_cldap_stop(Slapi_PBlock *pb) } /* send stop signal to terminate worker thread */ - write(ctx->stopfd[1], "", 1); + do { + ret = write(ctx->stopfd[1], "", 1); + } while (ret == -1 && errno == EINTR); close(ctx->stopfd[1]); ret = pthread_join(ctx->tid, &retval); diff --git a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am index 6d09c8d9c73755e89d91fea83ac66f088d9be553..31b7485e39af30224d97e4a759dbc5779bd61373 100644 --- a/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-dns/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am index 7ba754a48269f5c4ad9d2f08bc8cd7a0f8e6243c..3ce37ac10ad7d1ee077caa55a2f128f688388561 100644 --- a/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-enrollment/Makefile.am @@ -11,7 +11,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am index df0c30562f09bf0e29464c9bb05f7befbd3997e1..7099a988878e2bc0cf840eab0b14fa9f40805a51 100644 --- a/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-extdom-extop/Makefile.am @@ -13,7 +13,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(SSSIDMAP_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am index 0c69f4d7fd79a08d98c3b967e5ed35e3668cccc2..6e4c31aa591c37d3b7fdd7110f66303af3005605 100644 --- a/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-lockout/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am index 9fbd03397cf36097e3c38280330cdeda1bf5950e..a3f8d4f7b0886fd7e03f425d27fb1ee98d868913 100644 --- a/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-modrdn/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am index b53b2e1e445ccc9e756aa1ecb2656f19980cd001..8bd89653de51ab33e295fc6b1f1d6d93576d3c64 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/Makefile.am @@ -18,13 +18,12 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(SSL_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) - + AM_LDFLAGS = \ $(KRB5_LIBS) \ $(SSL_LIBS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am index f23a24ed8b2c8845e7bddbce86abe5a4a2fcd8cd..5aa9b5485211dc5ac699692d8c46cf59c53a9546 100644 --- a/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-range-check/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am index 4bfb0185ec589797125df747cc02dcf8a7ef30cd..642fdd599b9a3e8204232199e1cc4a5ee8b013ba 100644 --- a/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-sidgen/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am index 738290170da587b0bbee96d8abcda2762264ee0e..061d8483310b686db844059deb82b1465d498652 100644 --- a/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-uuid/Makefile.am @@ -12,7 +12,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am index 5396bda99c64e66428a15a17a520227f790bff00..afce915a0d76ff607c116e18ea98f959aed46d32 100644 --- a/daemons/ipa-slapi-plugins/ipa-version/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-version/Makefile.am @@ -13,7 +13,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(KRB5_CFLAGS) \ $(WARN_CFLAGS) \ diff --git a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am index c41692864557e890d388e42c404c23e91ae8b1e9..3108f3c152c08d8b9883974a4c999f7bb89acc8e 100644 --- a/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am +++ b/daemons/ipa-slapi-plugins/ipa-winsync/Makefile.am @@ -11,7 +11,6 @@ AM_CPPFLAGS = \ -DLIBDIR=\""$(libdir)"\" \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ - $(AM_CFLAGS) \ $(LDAP_CFLAGS) \ $(WARN_CFLAGS) \ $(NULL) diff --git a/freeipa.spec.in b/freeipa.spec.in index 69ec29d9ff58bf3a25e25b35d5f3ba1d43741124..ae8ee57f3ba2c0746bb0f7a1e65dab1da83cca22 100644 --- a/freeipa.spec.in +++ b/freeipa.spec.in @@ -5,6 +5,10 @@ %global POLICYCOREUTILSVER 2.1.12-5 %global gettext_domain ipa +%if (0%{?fedora} > 15 || 0%{?rhel} >= 7) +%define _hardened_build 1 +%endif + Name: freeipa Version: __VERSION__ Release: __RELEASE__%{?dist} @@ -316,8 +320,8 @@ This package contains tests that verify IPA functionality. %setup -n freeipa-%{version} -q %build -export CFLAGS="$CFLAGS %{optflags}" -export CPPFLAGS="$CPPFLAGS %{optflags}" +export CFLAGS="%{optflags} $CFLAGS" +export LDFLAGS="%{__global_ldflags} $LDFLAGS" %if 0%{?fedora} >= 18 # use fedora18 platform which is based on fedora16 platform with systemd # support + fedora18 changes diff --git a/ipa-client/Makefile.am b/ipa-client/Makefile.am index b7d70fd8d0d4383cac497b2978196e25893f9fe1..73076315d496d8f2be47ed18f726e5c9a6cb572f 100644 --- a/ipa-client/Makefile.am +++ b/ipa-client/Makefile.am @@ -25,7 +25,6 @@ AM_CPPFLAGS = \ -DLIBEXECDIR=\""$(libexecdir)"\" \ -DDATADIR=\""$(datadir)"\" \ -DLOCALEDIR=\""$(localedir)"\" \ - $(AM_CFLAGS) \ $(KRB5_CFLAGS) \ $(OPENLDAP_CFLAGS) \ $(SASL_CFLAGS) \ -- 1.8.3.1