Bug 1571359

Summary: [java-openjdk] No build flags injection
Product: [Fedora] Fedora Reporter: Severin Gehwolf <sgehwolf>
Component: java-openjdkAssignee: Severin Gehwolf <sgehwolf>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 28CC: jerboaa, jvanek
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: java-openjdk-10.0.1.10-3.fc28 java-openjdk-10.0.1.10-3.fc27 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-05-09 21:23:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1539083    

Description Severin Gehwolf 2018-04-24 15:14:30 UTC 
Description of problem:
Latest packages of java-openjdk don't get relevant build flags from redhat-rpm-config.

Version-Release number of selected component (if applicable):
$ rpm -q java-openjdk
java-openjdk-10.0.1.10-1.fc28.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install java-openjdk-devel
2. checksec --dir /usr/lib/jvm/java-10-openjdk/bin

Actual results:
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Checked         Total   Filename
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/appletviewer
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/idlj
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jaotc
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jar
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jarsigner
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/java
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javac
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javadoc
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jcmd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jconsole
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdb
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdeprscan
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdeps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jhsdb
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jimage
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jinfo
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jjs
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jlink
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jmap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jmod
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jrunscript
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jshell
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstack
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstat
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstatd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/keytool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/orbd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/pack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmic
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmid
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmiregistry
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/schemagen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/serialver
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/servertool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/tnameserv
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		8	/usr/lib/jvm/java-10-openjdk/bin/unpack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/wsgen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/wsimport
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/xjc


Expected results:
RELRO           STACK CANARY      NX            PIE             RPATH      RUNPATH      FORTIFY Checked         Total   Filename
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/appletviewer
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/idlj
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jaotc
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jar
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jarsigner
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/java
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javac
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javadoc
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/javap
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jcmd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jconsole
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdb
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdeprscan
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jdeps
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jhsdb
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jimage
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jinfo
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jjs
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jlink
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jmap
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jmod
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jps
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jrunscript
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jshell
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstack
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstat
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/jstatd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/keytool
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/orbd
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/pack200
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmic
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmid
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/rmiregistry
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/schemagen
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/serialver
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/servertool
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/tnameserv
Full RELRO      Canary found      NX enabled    PIE enabled     RPATH      No RUNPATH   Yes	4		9	/usr/lib/jvm/java-10-openjdk/bin/unpack200
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/wsgen
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/wsimport
Full RELRO      No canary found   NX enabled    PIE enabled     RPATH      No RUNPATH   No	0		0	/usr/lib/jvm/java-10-openjdk/bin/xjc

Additional info:
The issue is that java-openjdk does not pass cflags/ldflags to the OpenJDK build system.
Comment 1 Severin Gehwolf 2018-04-24 15:49:05 UTC 
Initial patch, which seems to solve most of it but not all:
https://src.fedoraproject.org/fork/jerboaa/rpms/java-openjdk/c/0877e9fb1b2d5df1b2ed27387407dd982d219d98?branch=f28-flags-inject

$ rpm -ql java-openjdk-headless | grep libjsig
/usr/lib/jvm/java-10-openjdk-10.0.1.10-3.fc28.x86_64/lib/libjsig.so
$ readelf -d /usr/lib/jvm/java-10-openjdk-10.0.1.10-3.fc28.x86_64/lib/libjsig.so | grep NOW
<nothing>

Looking at the log we see:
[...]
Linking libjsig.so
( /usr/bin/gcc -Wl,--hash-style=both -Wl,-z,noexecstack -g -pipe -Wformat -Wno-cpp -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse -shared -m64 -o /builddir/build/BUILD/java-10-openjdk-10.0.1.10-3.fc28.x86_64/openjdk/build/support/modules_libs/java.base/libjsig.so /builddir/build/BUILD/java-10-openjdk-10.0.1.10-3.fc28.x86_64/openjdk/build/hotspot/libjsig/objs/jsig.o -ldl
[...]

Thus, it's not receiving relevant linker flags.
Comment 2 Fedora Update System 2018-04-30 08:33:54 UTC 
java-openjdk-10.0.1.10-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6bd87ab4e9
Comment 3 Fedora Update System 2018-04-30 08:34:01 UTC 
java-openjdk-10.0.1.10-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-fa5339eeb1
Comment 4 Fedora Update System 2018-04-30 18:43:52 UTC 
java-openjdk-10.0.1.10-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6bd87ab4e9
Comment 5 Fedora Update System 2018-04-30 19:54:49 UTC 
java-openjdk-10.0.1.10-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fa5339eeb1
Comment 6 Fedora Update System 2018-05-09 21:23:57 UTC 
java-openjdk-10.0.1.10-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2018-05-10 19:15:30 UTC 
java-openjdk-10.0.1.10-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.