[Cluster-devel] [PATCH dlm-tool 0/3] dlm: fix annocheck failures

[Cluster-devel] [PATCH dlm-tool 0/3] dlm: fix annocheck failures

[Alexander Aring]

This patch series fixes some issues by running annocheck. [0]

- Alex

[0] https://sourceware.org/annobin/

Alexander Aring (3):
  treewide: do always -Wl,-z,now in LDFLAGS
  dlm_controld: add -fplugin=annobin to CFLAGS
  treewide: add -fcf-protection=full to CFLAGS

 dlm_controld/Makefile |  8 ++++----
 dlm_tool/Makefile     |  4 ++--
 fence/Makefile        |  4 ++--
 libdlm/Makefile       | 11 +++++------
 4 files changed, 13 insertions(+), 14 deletions(-)

-- 
2.31.1

[Cluster-devel] [PATCH dlm-tool 1/3] treewide: do always -Wl, -z, now in LDFLAGS

[Alexander Aring]

This patch reverts commit 7bb5570a ("treewide: try to resolve symbols at
linking time") because the recommended why to avoid security related
issues is always to use -Wl,-z,now.

This is solving the following annocheck failure:

https://sourceware.org/annobin/annobin.html/Test-bind-now.html
---
 dlm_controld/Makefile | 6 +++---
 dlm_tool/Makefile     | 4 ++--
 fence/Makefile        | 4 ++--
 libdlm/Makefile       | 7 +++----
 4 files changed, 10 insertions(+), 11 deletions(-)

diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile
index 8cfc97e6..a92fdebe 100644
--- a/dlm_controld/Makefile
+++ b/dlm_controld/Makefile
@@ -43,15 +43,15 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection -Wl,-z,now
+	-fstack-clash-protection
 
 BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
 BIN_CFLAGS += -I../include -I../libdlm
 LIB_CFLAGS += $(CFLAGS) -fPIC
 
-BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,defs -pie
+BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie
 BIN_LDFLAGS += -lpthread -lrt -lcpg -lcmap -lcfg -lquorum -luuid
-LIB_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,defs -pie
+LIB_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie
 
 PKG_CONFIG ?= pkg-config
 ifeq ($(USE_SD_NOTIFY),yes)
diff --git a/dlm_tool/Makefile b/dlm_tool/Makefile
index 7b42638c..1c3d61d5 100644
--- a/dlm_tool/Makefile
+++ b/dlm_tool/Makefile
@@ -15,12 +15,12 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection -Wl,-z,now
+	-fstack-clash-protection
 
 CFLAGS += -fPIE -DPIE
 CFLAGS += -I../include -I../libdlm -I../dlm_controld
 
-LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie
 LDFLAGS += -L../libdlm -L../dlm_controld
 LDFLAGS += -lpthread -ldlm -ldlmcontrol
 
diff --git a/fence/Makefile b/fence/Makefile
index 547f7ba9..ee4dfb88 100644
--- a/fence/Makefile
+++ b/fence/Makefile
@@ -15,13 +15,13 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection -Wl,-z,now
+	-fstack-clash-protection
 
 CFLAGS += -fPIE -DPIE
 CFLAGS += -I../include
 CFLAGS += $(shell pkg-config --cflags pacemaker-fencing)
 
-LDFLAGS += -Wl,-z,relro -Wl,-z,defs -pie
+LDFLAGS += -Wl,-z,relro -Wl,-z,now -pie
 LDFLAGS += -ldl
 
 all: $(BIN_TARGET)
diff --git a/libdlm/Makefile b/libdlm/Makefile
index 313c2a08..5069ccf1 100644
--- a/libdlm/Makefile
+++ b/libdlm/Makefile
@@ -78,14 +78,13 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-fexceptions \
 	-fasynchronous-unwind-tables \
 	-fdiagnostics-show-option \
-	-fPIC \
-	-Wl,-z,now
+	-fPIC
 
 LIB_CFLAGS += $(CFLAGS) -D_REENTRANT
 LLT_CFLAGS += $(CFLAGS)
 
-LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,defs
-LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,defs
+LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,now
+LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,now
 
 all: $(LIB_TARGET) $(LLT_TARGET) $(LIB_PC) $(LLT_PC)
 
-- 
2.31.1

[Cluster-devel] [PATCH dlm-tool 2/3] dlm_controld: add -fplugin=annobin to CFLAGS

[Alexander Aring]

This patch adds fplugin=annobin to the CFLAGS of dlm_controld. The tool
annocheck gave a failure and it's recommended to add such flag to fix
the issue. Afterwards the failure is gone.

https://sourceware.org/annobin/annobin.html/Test-notes.html
---
 dlm_controld/Makefile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile
index a92fdebe..9cf7152f 100644
--- a/dlm_controld/Makefile
+++ b/dlm_controld/Makefile
@@ -47,7 +47,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 
 BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
 BIN_CFLAGS += -I../include -I../libdlm
-LIB_CFLAGS += $(CFLAGS) -fPIC
+LIB_CFLAGS += $(CFLAGS) -fPIC -fplugin=annobin
 
 BIN_LDFLAGS += $(LDFLAGS) -Wl,-z,relro -Wl,-z,now -pie
 BIN_LDFLAGS += -lpthread -lrt -lcpg -lcmap -lcfg -lquorum -luuid
-- 
2.31.1

[Cluster-devel] [PATCH dlm-tool 3/3] treewide: add -fcf-protection=full to CFLAGS

[Alexander Aring]

This patch adds fcf-protection=full to CFLAGS as annocheck gave a
warning about it and the recommended way to fix it is by adding this as
compiler flag.

https://sourceware.org/annobin/annobin.html/Test-cf-protection.html
---
 dlm_controld/Makefile | 2 +-
 dlm_tool/Makefile     | 2 +-
 fence/Makefile        | 2 +-
 libdlm/Makefile       | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/dlm_controld/Makefile b/dlm_controld/Makefile
index 9cf7152f..ec8c360c 100644
--- a/dlm_controld/Makefile
+++ b/dlm_controld/Makefile
@@ -43,7 +43,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection
+	-fstack-clash-protection -fcf-protection=full
 
 BIN_CFLAGS += $(CFLAGS) -fPIE -DPIE
 BIN_CFLAGS += -I../include -I../libdlm
diff --git a/dlm_tool/Makefile b/dlm_tool/Makefile
index 1c3d61d5..57629c73 100644
--- a/dlm_tool/Makefile
+++ b/dlm_tool/Makefile
@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection
+	-fstack-clash-protection -fcf-protection=full
 
 CFLAGS += -fPIE -DPIE
 CFLAGS += -I../include -I../libdlm -I../dlm_controld
diff --git a/fence/Makefile b/fence/Makefile
index ee4dfb88..446f4eaa 100644
--- a/fence/Makefile
+++ b/fence/Makefile
@@ -15,7 +15,7 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-Wno-sign-compare -Wno-unused-parameter -Wp,-D_FORTIFY_SOURCE=2 \
 	-fexceptions -fasynchronous-unwind-tables -fdiagnostics-show-option \
 	-Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong \
-	-fstack-clash-protection
+	-fstack-clash-protection -fcf-protection=full
 
 CFLAGS += -fPIE -DPIE
 CFLAGS += -I../include
diff --git a/libdlm/Makefile b/libdlm/Makefile
index 5069ccf1..823fdaa9 100644
--- a/libdlm/Makefile
+++ b/libdlm/Makefile
@@ -80,8 +80,8 @@ CFLAGS += -D_GNU_SOURCE -O2 -ggdb \
 	-fdiagnostics-show-option \
 	-fPIC
 
-LIB_CFLAGS += $(CFLAGS) -D_REENTRANT
-LLT_CFLAGS += $(CFLAGS)
+LIB_CFLAGS += $(CFLAGS) -D_REENTRANT -fcf-protection=full
+LLT_CFLAGS += $(CFLAGS) -fcf-protection=full
 
 LIB_LDFLAGS += $(LDFLAGS) -lpthread -Wl,-z,now
 LLT_LDFLAGS += $(LDFLAGS) -Wl,-z,now
-- 
2.31.1

[Cluster-devel] [PATCH dlm-tool 1/3] treewide: do always -Wl, -z, now in LDFLAGS

[Alexander Aring]

Hi,

On Tue, Feb 8, 2022 at 4:38 PM Alexander Aring <aahringo@redhat.com> wrote:
>
> This patch reverts commit 7bb5570a ("treewide: try to resolve symbols at
> linking time") because the recommended why to avoid security related

s/why/way/

I will push them to the dlm repository.

- Alex