Makefile: Pass CFLAGS or RPM %optflags also to the linker #40
Comments
solardiz
changed the title
|
Here's what Fedora's make %{?_smp_mflags} all locales \
CPPFLAGS="-DENABLE_NLS=1 -DHAVE_LIBAUDIT=1 -DLINUX_PAM=1" \
CFLAGS_lib="$RPM_OPT_FLAGS -W -DLINUX_PAM -fPIC" \
CFLAGS_bin="$RPM_OPT_FLAGS -W" \We should maybe add: as our We also have a Should we update it similarly? Or should we deal with this issue in |
|
@ldv-alt Do you have a preference for how we approach this? I think I may start by updating the spec file in Rocky SIG/Security. |
|
Indeed. I think we should rather deal with the issue in |
I don't know exactly how. If we do: +++ b/Makefile
@@ -75,7 +75,7 @@ XGETTEXT = xgettext
XGETTEXT_OPTS = --keyword=_ --keyword=P2_:1,1 --keyword=P3_:1,2 --language=C --add-comments
MSGMERGE = msgmerge
-LDFLAGS =
+LDFLAGS = $(CFLAGS)
LDFLAGS_shared = $(LDFLAGS) --shared
LDFLAGS_shared_LINUX = $(LDFLAGS) --shared
LDFLAGS_shared_SUN = $(LDFLAGS) -Gthis will probably break some non-Linux builds, where we pass e.g. Alternatively, we could do: +++ b/Makefile
@@ -128,8 +128,9 @@ default: all
all locales pam utils install install_lib install_locales install_pam install_utils uninstall remove remove_lib remove_locales remove_pam remove_utils:
case "`uname -s`" in \
Linux) $(MAKE) CPPFLAGS_lib="$(CPPFLAGS_lib) -DHAVE_SHADOW" \
- LDFLAGS_lib="$(LDFLAGS_lib_LINUX)" \
- LDFLAGS_pam="$(LDFLAGS_pam_LINUX)" \
+ LDFLAGS="$(LDFLAGS) $(CFLAGS)" \
+ LDFLAGS_lib="$(LDFLAGS_lib_LINUX) $(CFLAGS)" \
+ LDFLAGS_pam="$(LDFLAGS_pam_LINUX) $(CFLAGS)" \
LDLIBS_pam="$(LDLIBS_pam_LINUX)" \
$@_wrapped;; \
SunOS) $(MAKE) -e CPPFLAGS_lib="$(CPPFLAGS_lib) -DHAVE_SHADOW" \Also subtly related is issue #6. I feel that what we may be doing here is inconsistent with what we did there (supporting separation into different subsets of flags vs. combining them together even if some are to be ignored in linker invocations). @ldv-alt What do you think? Are you going to make changes to fix this issue or should I? |
|
In Rocky Linux SIG/Security, I ended up with these changes for now: +++ b/SPECS/passwdqc.spec
@@ -1,7 +1,7 @@
Summary: A password/passphrase strength checking and policy enforcement toolset
Name: passwdqc
Version: 2.0.3
-Release: 2%{?dist}
+Release: 2.2%{?dist}
# Two manual pages (pam_passwdqc.8 and passwdqc.conf.5) are under the
# 3-clause BSD-style license as specified within the files themselves.
# The rest of the files in this package fall under the terms of
@@ -99,6 +99,7 @@ make %{?_smp_mflags} all locales \
CPPFLAGS="-DENABLE_NLS=1 -DHAVE_LIBAUDIT=1 -DLINUX_PAM=1" \
CFLAGS_lib="$RPM_OPT_FLAGS -W -DLINUX_PAM -fPIC" \
CFLAGS_bin="$RPM_OPT_FLAGS -W" \
+ LDFLAGS="-pie -Wl,-z,defs -Wl,-z,relro -Wl,-z,now $RPM_OPT_FLAGS" \
#
%install
@@ -139,6 +140,9 @@ make install install_locales \
%_mandir/man1/*.1*
%changelog
+* Fri Jan 31 2025 Solar Designer <[email protected]> 2.0.3-2.2
+- Pass -pie -Wl,-z,defs -Wl,-z,relro -Wl,-z,now and RPM_OPT_FLAGS to LDFLAGS
+
* Thu Jul 20 2023 Fedora Release Engineering <[email protected]> - 2.0.3-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
Simply passing |
Looks like for correctness with Also, for reference, here's what I just did to |
Perhaps we need the equivalent of openwall/tcb#23 also here. This may be trickier here because our
Makefilehere is smart to recognize the different systems and pass custom linker flags.Here's the current
checksecoutput on files coming from the Rocky Linux 9 SIG/Security package:For comparison, most other binaries and libraries on this distro get
Full RELRO, and most binariesPIE enabled.Since the above reuses Fedora's packaging almost verbatim, I suspect the same issue is also present on Fedora. We could fix it in the
Makefile(this issue) or in Fedora'spasswdqc.spec.The text was updated successfully, but these errors were encountered: