Bug 1570847

Summary: [aarch64] Enable hardened build
Product: [Fedora] Fedora
Reporter: Severin Gehwolf <sgehwolf>
Component: java-1.8.0-openjdk
Assignee: Severin Gehwolf <sgehwolf>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 28
CC: ahughes, dbhole, jerboaa, jvanek, msrb, mvala, omajid
Fixed In Version: java-1.8.0-openjdk-1.8.0.171-3.b10.fc28 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 java-1.8.0-openjdk-1.8.0.171-4.b10.fc28
Last Closed: 2018-04-30 16:36:49 UTC
Type: Bug
Bug Blocks: 1548475    

Description Severin Gehwolf 2018-04-23 14:12:55 UTC
Description of problem:
The hardened build is disabled on aarch64. I don't seem to find any specific reason as to why that is. One comment suggested it fails to bootcycle-images build, but that does not seem to be the case for a scratch build which I've tried.

Version-Release number of selected component (if applicable):
java-1.8.0-openjdk-1.8.0.171-1.b10.fc28.aarch64

How reproducible:
100%

Steps to Reproduce:
1. $ checksec --dir /usr/lib/jvm/java-1.8.0-openjdk/bin | grep 'No PIE'

Actual results:
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/appletviewer
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/extcheck
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/idlj
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jar
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jarsigner
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/java
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javac
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javadoc
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javah
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jcmd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jconsole
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdb
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdeps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jhat
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jinfo
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jjs
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jmap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jrunscript
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jsadebugd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstack
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstat
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstatd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/native2ascii
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/orbd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/pack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/policytool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmic
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmid
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmiregistry
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/schemagen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/serialver
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/servertool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/tnameserv
Partial RELRO   Canary found      NX enabled    No PIE          RPATH      No RUNPATH   Yes     0               8       /usr/lib/jvm/java-1.8.0-openjdk/bin/unpack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsgen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsimport
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/xjc

Expected results:
Nothing (i.e. no match)

Additional info:
Scratch build which has hardening enabled:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26471763
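
The reproduction step in the description, turned into a build gate, as an added example that is not part of the original report: it parses checksec output in the column layout shown under "Actual results" and fails when any binary is reported as "No PIE" or lacks Full RELRO (the RELRO check goes beyond the report's grep). The function name, the gap labels and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): gate a build on checksec output.
# Assumes the column layout shown under "Actual results": columns separated by
# two or more spaces, column 1 = RELRO, 2 = canary, 4 = PIE, last = file path.

# Constructed sample: two lines in the report's layout plus one constructed
# line for a hypothetical hardened binary.
SAMPLE='Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/java
Partial RELRO   Canary found      NX enabled    No PIE          RPATH      No RUNPATH   Yes     0               8       /usr/lib/jvm/java-1.8.0-openjdk/bin/unpack200
Full RELRO      Canary found      NX enabled    PIE enabled     RPATH      No RUNPATH   Yes     0               8       /constructed/hardened/bin/example'

# hardening_gaps (hypothetical helper): read checksec lines on stdin and print
# "path: gap,gap" for each binary that is "No PIE" or lacks Full RELRO.
# A missing canary is listed for such binaries but does not fail the gate on
# its own. Exit status is 1 if any binary fails, 0 otherwise.
hardening_gaps() {
    awk -F'  +' '
        {
            gsub(/\033\[[0-9;]*m/, "")      # drop ANSI colour codes, if any
            sub(/[ \t\r]+$/, "")            # drop trailing whitespace
        }
        $NF !~ /^\// { next }               # skip headers and blank lines
        {
            gaps = ""; fail = 0
            if ($4 == "No PIE")          { gaps = gaps ",no-pie";         fail = 1 }
            if ($1 != "Full RELRO")      { gaps = gaps ",not-full-relro"; fail = 1 }
            if ($2 == "No canary found")   gaps = gaps ",no-canary"
            if (fail) { bad++; print $NF ": " substr(gaps, 2) }
        }
        END { exit (bad > 0) }
    '
}

# Demo on the constructed sample; a non-zero status means gaps were found.
printf '%s\n' "$SAMPLE" | hardening_gaps || echo "gate: FAIL"
```

On a real system the input would come from the command in "Steps to Reproduce" without the grep filter, piped into `hardening_gaps`.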

Comment 1 Severin Gehwolf 2018-04-23 14:38:24 UTC
Proposed fix:
https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/4

Comment 2 Andrew John Hughes 2018-04-23 15:44:03 UTC
It was disabled based on failures on RHEL 7. I don't believe Fedora even had AArch64 support back then.

If it bootcycles on Fedora, then I see no issue with enabling it there. Fedora has a much newer version of GCC than RHEL 7 :)

Comment 4 Severin Gehwolf 2018-04-24 15:25:53 UTC
Once this build completes this should be fixed:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1075249

Comment 5 Fedora Update System 2018-04-26 07:18:22 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 6 Fedora Update System 2018-04-26 07:18:42 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 7 Fedora Update System 2018-04-26 15:33:32 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 8 Fedora Update System 2018-04-27 07:55:21 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 9 Fedora Update System 2018-04-30 16:36:49 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2018-04-30 21:17:50 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.