Bug 2022973

Summary: annobin needs to be taught about /usr/sbin/ldconfig
Product: Red Hat Enterprise Linux 9 Reporter: Jan Pazdziora <jpazdziora>
Component: annobinAssignee: Nick Clifton <nickc>
Status: CLOSED ERRATA QA Contact: Václav Kadlčík <vkadlcik>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: ashankar, codonell, dj, fweimer, jpazdziora, mcermak, mnewsome, nickc, pfrankli, rlemosor, sipoyare, vkadlcik
Target Milestone: rcKeywords: Bugfix, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: annobin-10.25-1.el9 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 12:33:12 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Pazdziora 2021-11-13 15:04:06 UTC 
Description of problem:

The ldconfig file is packaged by glibc as /sbin/ldconfig even if /sbin is a symlink to /usr/sbin so the file actually lands on disk as /usr/sbin/ldconfig.

One effect of this inconsistency is that on aarch64, it then causes annocheck to fail when we try to test all files on the disk, while avoiding symlinks.

Version-Release number of selected component (if applicable):

glibc-2.34-7.el9.aarch64
annobin-annocheck-10.23-1.el9.aarch64

How reproducible:

Deterministic.

Steps to Reproduce:
1. dnf install -y /usr/bin/annocheck /sbin/ldconfig
2. dnf -y --nogpgcheck debuginfo-install glibc glibc-gconv-extra
3. annocheck --verbose --ignore-gaps --skip-all --test-stack-prot /sbin/ldconfig
4. annocheck --verbose --ignore-gaps --skip-all --test-stack-prot /usr/sbin/ldconfig

Actual results:

annocheck: Version 10.23.
Hardened: /usr/sbin/ldconfig: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/sbin/ldconfig: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/sbin/ldconfig: PASS: stack-prot test 
Hardened: /usr/sbin/ldconfig: skip: stack-prot test because function _dl_start is part of the C library's startup code, which executes before stack protection is established 
Hardened: /usr/sbin/ldconfig: FAIL: stack-prot test because stack protection deliberately disabled (function: _dl_tls_static_surplus_init) 
Hardened: /usr/sbin/ldconfig: info: For more information visit: https://sourceware.org/annobin/annobin.html/Test-stack-prot.html
Hardened: ldconfig: Overall: FAIL.

Expected results:

annocheck: Version 10.23.
Hardened: /usr/sbin/ldconfig: Command line options not recorded in DWARF DW_AT_producer variable.
Hardened: /usr/sbin/ldconfig: info: ALSO written in C (source: DW_AT_language string).
Hardened: /usr/sbin/ldconfig: PASS: stack-prot test 
Hardened: /usr/sbin/ldconfig: skip: stack-prot test because the ldconfig binary is a special case, hand-crafted by the glibc build system 
Hardened: ldconfig: Overall: PASS.

Additional info:
Comment 1 Jan Pazdziora 2021-11-13 15:07:33 UTC 
I filed this against glibc because the inconsistency of the %files with the disk layout bothers me in general. But maybe annocheck should be able to handle this situation gracefully.

Adding Nick to Cc for potential assessment whether this is truly just a bug in annocheck.
Comment 3 Nick Clifton 2021-11-15 14:05:19 UTC 
(In reply to Jan Pazdziora from comment #1)

> Adding Nick to Cc for potential assessment whether this is truly just a bug
> in annocheck.

It kind of is and is not a bug.  Annocheck has a special exception for the ldconfig executable because it is known to be built in a special way, and without a lot of the usual security features.  The code however checks the absolute path:

  /* The ldconfig binary is known to be compiled with most security features.  */
  if (streq (data->full_filename, "/sbin/ldconfig"))
    {
      sprintf (reason, "the ldconfig binary is a special case, hand-crafted by the glibc build system");
      skip (data, check < TEST_MAX ? check : TEST_NOTES, SOURCE_SKIP_CHECKS, reason);
      return true;
    }

I did this because I was trying to keep the exception as narrow as possible,  I did not want anybody to call their program "ldconfig" and then avoid the annocheck tests.  But obviously I missed the AArch64 symlink case.  I will fix this in the next release of annobin.
Comment 4 Florian Weimer 2021-11-15 14:09:51 UTC 
We are going to implement full UsrMove in glibc eventually (maybe even for RHEL 9 GA), so annobin needs to be taught about /usr/sbin/ldconfig.
Comment 5 Nick Clifton 2021-11-16 17:33:40 UTC 
Should be fixed in annobin-10.25-1.el9
Comment 12 errata-xmlrpc 2022-05-17 12:33:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: annobin), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2022:2342