This is an automated email from the git hooks/post-receive script.
simo pushed a change to branch master in repository gssproxy.
from 1e8afa9 Package runtests.py in dist tarball
new 4ac6451 Add configure option for build hardening
The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference.
Summary of changes:
 proxy/Makefile.am    | 14 ++++++++++++--
 proxy/conf_macros.m4 | 11 +++++++++++
 proxy/configure.ac   |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a
Author: Robbie Harwood rharwood@redhat.com
Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood rharwood@redhat.com
Reviewed-by: Simo Sorce simo@redhat.com
Merges #30
---
 proxy/Makefile.am    | 14 ++++++++++++--
 proxy/conf_macros.m4 | 11 +++++++++++
 proxy/configure.ac   |  1 +
 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am index f03f3ea..4359938 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig gpstatedir = @gpstatedir@ gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS = AM_CFLAGS = +AM_LDFLAGS = if WANT_AUX_INFO AM_CFLAGS += -aux-info $@.X endif @@ -41,7 +43,15 @@ if HAVE_GCC AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ -Wcast-qual -Wcast-align -Wwrite-strings \ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \ - -Werror-implicit-function-declaration + -Werror-implicit-function-declaration \ + -Werror=format-security + + AM_CPPFLAGS += -Wdate-time +endif +if BUILD_HARDENING + AM_CPPFLAGS += -D_FORTIFY_SOURCE=2 + AM_CFLAGS += -fPIE -fstack-protector-strong + AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now endif
dist_pkgconfig_DATA = @@ -65,7 +75,7 @@ dist_noinst_DATA = # Global compilation settings # ###############################
-AM_CPPFLAGS = \ +AM_CPPFLAGS += \ -Wall \ -Iinclude \ -I.. \ diff --git a/proxy/conf_macros.m4 b/proxy/conf_macros.m4 index a0ecb13..b35eae1 100644 --- a/proxy/conf_macros.m4 +++ b/proxy/conf_macros.m4 @@ -281,3 +281,14 @@ AC_DEFUN([WITH_GPP_DEFAULT_BEHAVIOR], AC_DEFINE_UNQUOTED(GPP_DEFAULT_BEHAVIOR, $default_behavior, [Default gssproxy interposer plugin behavior]) ])
+AC_DEFUN([WITH_HARDENING], + [ AC_ARG_WITH([hardening], + [AC_HELP_STRING([--with-hardening], + [Whether to add extra hardening flags [no]] + ) + ], + [], + with_hardening=no + ) + AM_CONDITIONAL([BUILD_HARDENING], [test x"$with_hardening" = xyes]) + ]) diff --git a/proxy/configure.ac b/proxy/configure.ac index 409584d..c75515e 100644 --- a/proxy/configure.ac +++ b/proxy/configure.ac @@ -68,6 +68,7 @@ WITH_SELINUX WITH_GSSIDEBUG WITH_GPSTATE_PATH WITH_GPP_DEFAULT_BEHAVIOR +WITH_HARDENING
m4_include([external/pkg.m4]) m4_include([external/libpopt.m4])
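Review bot: In the BUILD_HARDENING block of proxy/Makefile.am, AM_LDFLAGS receives -fPIE, -pie and -fPIC together, and because AM_LDFLAGS is the tree-wide default it reaches every link, not only the daemon. -pie is a link mode for executables, while -fPIE and -fPIC are code-generation options that belong in CFLAGS, so I would keep only -Wl,-z,relro -Wl,-z,now in AM_LDFLAGS and put -pie on the program's own per-target LDFLAGS. The same block also assumes the compiler accepts -fstack-protector-strong (and the HAVE_GCC block assumes -Wdate-time) with no configure-time probe, and -D_FORTIFY_SOURCE=2 only takes effect when optimization is enabled; a compile-flag check in conf_macros.m4 would let older toolchains fall back instead of failing the build.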
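Review bot: In WITH_HARDENING (proxy/conf_macros.m4), the conditional is test x"$with_hardening" = xyes, so any other argument, for example --with-hardening=full, silently produces an unhardened build. Consider rejecting values other than yes and no with AC_MSG_ERROR and reporting the decision with AC_MSG_CHECKING/AC_MSG_RESULT so it is visible in the configure output. Since the option toggles a build feature rather than an external package, AC_ARG_ENABLE (--enable-hardening) would be the conventional form, and AS_HELP_STRING is the current name for the obsolete AC_HELP_STRING.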
On (08/09/16 18:47), git repository hosting wrote:
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a Author: Robbie Harwood rharwood@redhat.com Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood rharwood@redhat.com Reviewed-by: Simo Sorce simo@redhat.com Merges #30
proxy/Makefile.am | 14 ++++++++++++-- proxy/conf_macros.m4 | 11 +++++++++++ proxy/configure.ac | 1 + 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am index f03f3ea..4359938 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig gpstatedir = @gpstatedir@ gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS = AM_CFLAGS = +AM_LDFLAGS = if WANT_AUX_INFO AM_CFLAGS += -aux-info $@.X endif @@ -41,7 +43,15 @@ if HAVE_GCC AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ -Wcast-qual -Wcast-align -Wwrite-strings \ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-Werror-implicit-function-declaration
-Werror-implicit-function-declaration \
-Werror=format-security
- AM_CPPFLAGS += -Wdate-time
May I ask why a compile time warning was added into pre-processor flags? It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-) But from a semantic point of view it should be part of CFLAGS.
+endif +if BUILD_HARDENING
- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
- AM_CFLAGS += -fPIE -fstack-protector-strong
- AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif
IIRC the same task could be achieved in the spec file with "%global _hardened_build 1". But it would be better to check with utilities from binutils or ask someone more familiar with the toolchain in Fedora/EL.
LS
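The binutils check suggested above can be done with readelf. The script below is an added example, not part of the thread or of the gssproxy tree: it maps each flag in the BUILD_HARDENING block to the trace it leaves in the ELF file. The readelf excerpts are constructed samples and the PIE test is a heuristic.

```shell
#!/bin/sh
# Reads `readelf -W -h -l -d --dyn-syms BINARY` output on stdin and reports
# which hardening flags from the patch left a visible trace in the ELF file.
check_hardening() {
    data=$(cat)
    has() { printf '%s\n' "$data" | grep -Eq -e "$1"; }
    # -pie: ELF type DYN plus an INTERP header (heuristic: a shared library
    # is also DYN but normally carries no program interpreter)
    if has 'Type:[[:space:]]+DYN' && has '^[[:space:]]*INTERP'; then pie=yes; else pie=no; fi
    # -Wl,-z,relro: GNU_RELRO program header
    if has 'GNU_RELRO'; then relro=yes; else relro=no; fi
    # -Wl,-z,now: BIND_NOW tag, or the NOW bit in FLAGS / FLAGS_1
    if has '\(BIND_NOW\)|\(FLAGS(_1)?\).*NOW'; then now=yes; else now=no; fi
    # -fstack-protector-strong: reference to __stack_chk_fail (present only
    # if at least one function was instrumented)
    if has '__stack_chk_fail'; then canary=yes; else canary=no; fi
    # -D_FORTIFY_SOURCE=2: calls to __*_chk wrappers (needs optimization,
    # and only calls the compiler could not prove safe remain)
    if has '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then fortify=yes; else fortify=no; fi
    echo "pie=$pie relro=$relro bindnow=$now canary=$canary fortify=$fortify"
}

# Constructed readelf excerpt for a binary built with all of the patch's flags.
sample_hardened() {
cat <<'EOF'
  Type:                              DYN (Shared object file)
  INTERP         0x000238 0x0000000000000238 0x0000000000000238 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x01fd70 0x000000000021fd70 0x000000000021fd70 0x000290 0x000290 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     9: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

# Constructed readelf excerpt for the same program built without hardening.
sample_plain() {
cat <<'EOF'
  Type:                              EXEC (Executable file)
  INTERP         0x000238 0x0000000000400238 0x0000000000400238 0x00001c 0x00001c R   0x1
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}

sample_hardened | check_hardening
sample_plain | check_hardening
```

On a real build, pipe the readelf command named in the first comment into check_hardening; relro=yes with bindnow=no indicates partial RELRO only.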
Lukas Slebodnik lslebodn@redhat.com writes:
On (08/09/16 18:47), git repository hosting wrote:
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a Author: Robbie Harwood rharwood@redhat.com Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood rharwood@redhat.com Reviewed-by: Simo Sorce simo@redhat.com Merges #30
proxy/Makefile.am | 14 ++++++++++++-- proxy/conf_macros.m4 | 11 +++++++++++ proxy/configure.ac | 1 + 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am index f03f3ea..4359938 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig gpstatedir = @gpstatedir@ gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS = AM_CFLAGS = +AM_LDFLAGS = if WANT_AUX_INFO AM_CFLAGS += -aux-info $@.X endif @@ -41,7 +43,15 @@ if HAVE_GCC AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ -Wcast-qual -Wcast-align -Wwrite-strings \ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-Werror-implicit-function-declaration
-Werror-implicit-function-declaration \
-Werror=format-security
- AM_CPPFLAGS += -Wdate-time
May I ask why a compile time warning was added into pre-processor flags? It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-) But from a semantic point of view it should be part of CFLAGS.
It's not a compile time, it's a preprocessor check. It will warn on the macros __TIME__, __DATE__, and __TIMESTAMP__ as per the gcc man page. This means it belongs in CPPFLAGS. (This is also where Debian puts it.)
+endif +if BUILD_HARDENING
- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
- AM_CFLAGS += -fPIE -fstack-protector-strong
- AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif
IIRC the same task could be achieved in the spec file with "%global _hardened_build 1". But it would be better to check with utilities from binutils or ask someone more familiar with the toolchain in Fedora/EL.
For Fedora it happens automatically as far as I can tell. (It is also automatic in Debian and friends.) The chosen route forward here is to add a configure flag for the convenience of anyone building from source, as per Simo's request.
On (08/09/16 18:24), Robbie Harwood wrote:
Lukas Slebodnik lslebodn@redhat.com writes:
On (08/09/16 18:47), git repository hosting wrote:
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a Author: Robbie Harwood rharwood@redhat.com Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood rharwood@redhat.com Reviewed-by: Simo Sorce simo@redhat.com Merges #30
proxy/Makefile.am | 14 ++++++++++++-- proxy/conf_macros.m4 | 11 +++++++++++ proxy/configure.ac | 1 + 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am index f03f3ea..4359938 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig gpstatedir = @gpstatedir@ gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS = AM_CFLAGS = +AM_LDFLAGS = if WANT_AUX_INFO AM_CFLAGS += -aux-info $@.X endif @@ -41,7 +43,15 @@ if HAVE_GCC AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ -Wcast-qual -Wcast-align -Wwrite-strings \ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-Werror-implicit-function-declaration
-Werror-implicit-function-declaration \
-Werror=format-security
- AM_CPPFLAGS += -Wdate-time
May I ask why a compile time warning was added into pre-processor flags? It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-) But from a semantic point of view it should be part of CFLAGS.
It's not a compile time, it's a preprocessor check. It will warn on the macros __TIME__, __DATE__, and __TIMESTAMP__ as per the gcc man page. This means it belongs in CPPFLAGS. (This is also where Debian puts it.)
I should have checked the man page before asking the question.
+endif +if BUILD_HARDENING
- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
- AM_CFLAGS += -fPIE -fstack-protector-strong
- AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif
IIRC the same task could be achieved in the spec file with "%global _hardened_build 1". But it would be better to check with utilities from binutils or ask someone more familiar with the toolchain in Fedora/EL.
For Fedora it happens automatically as far as I can tell. (It is also automatic in Debian and friends.) The chosen route forward here is to add a configure flag for the convenience of anyone building from source, as per Simo's request.
Makes sense. Thank you for the answer.
BTW there is a warning in current master. CC src/mechglue/proxymech_la-gpp_display_status.lo src/mechglue/gpp_init_sec_context.c: In function ‘gssi_init_sec_context’: src/mechglue/gpp_init_sec_context.c:159:40: warning: passing argument 3 of ‘gppint_get_def_creds’ from incompatible pointer type [-Wincompatible-pointer-types] GSS_C_NO_NAME, ^~~~~~~~~~~~~ In file included from src/mechglue/gpp_init_sec_context.c:3:0: src/mechglue/gss_plugin.h:116:11: note: expected ‘struct gpp_name_handle *’ but argument is of type ‘struct gss_name_struct *’ OM_uint32 gppint_get_def_creds(OM_uint32 *minor_status, ^~~~~~~~~~~~~~~~~~~~
Is it intentional?
LS
Lukas Slebodnik lslebodn@redhat.com writes:
BTW there is a warning in current master. CC src/mechglue/proxymech_la-gpp_display_status.lo src/mechglue/gpp_init_sec_context.c: In function ‘gssi_init_sec_context’: src/mechglue/gpp_init_sec_context.c:159:40: warning: passing argument 3 of ‘gppint_get_def_creds’ from incompatible pointer type [-Wincompatible-pointer-types] GSS_C_NO_NAME, ^~~~~~~~~~~~~ In file included from src/mechglue/gpp_init_sec_context.c:3:0: src/mechglue/gss_plugin.h:116:11: note: expected ‘struct gpp_name_handle *’ but argument is of type ‘struct gss_name_struct *’ OM_uint32 gppint_get_def_creds(OM_uint32 *minor_status, ^~~~~~~~~~~~~~~~~~~~
Is it intentional?
It is not: https://pagure.io/gssproxy/pull-request/31
However, my compiler doesn't warn about it. The two types in question are related, which I expect is how it came about.
Thanks!
On Thu, 2016-09-08 at 23:34 +0200, Lukas Slebodnik wrote:
On (08/09/16 18:47), git repository hosting wrote:
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a Author: Robbie Harwood rharwood@redhat.com Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket: https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood rharwood@redhat.com Reviewed-by: Simo Sorce simo@redhat.com Merges #30
proxy/Makefile.am | 14 ++++++++++++-- proxy/conf_macros.m4 | 11 +++++++++++ proxy/configure.ac | 1 + 3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am index f03f3ea..4359938 100644 --- a/proxy/Makefile.am +++ b/proxy/Makefile.am @@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig gpstatedir = @gpstatedir@ gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS = AM_CFLAGS = +AM_LDFLAGS = if WANT_AUX_INFO AM_CFLAGS += -aux-info $@.X endif @@ -41,7 +43,15 @@ if HAVE_GCC AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \ -Wcast-qual -Wcast-align -Wwrite-strings \ -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
-Werror-implicit-function-declaration
-Werror-implicit-function-declaration \
-Werror=format-security
- AM_CPPFLAGS += -Wdate-time
May I ask why a compile time warning was added into pre-processor flags? It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-) But from a semantic point of view it should be part of CFLAGS.
PR welcome ;)
+endif +if BUILD_HARDENING
- AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
- AM_CFLAGS += -fPIE -fstack-protector-strong
- AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif
IIRC the same task could be achieved in the spec file with "%global _hardened_build 1". But it would be better to check with utilities from binutils or ask someone more familiar with the toolchain in Fedora/EL.
I wanted a configure switch for people that build from source and not through srpm. We are not planning to use the switch on Fedora, we'll let the Fedora project decide what defaults it wants.
Simo.
gss-proxy@lists.fedorahosted.org