Bug 2023392

Summary: Environment CFLAGS are not respected by the libdnf plugin
Product: Red Hat Enterprise Linux 8
Component: subscription-manager
Reporter: Pino Toscano <ptoscano>
Assignee: Pino Toscano <ptoscano>
QA Contact: Red Hat subscription-manager QE Team <rhsm-qe>
CC: candlepin-bugs, jsefler, redakkan, rhsm-qe
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Keywords: Triaged
Target Milestone: rc
Target Release: 8.6
Hardware: Unspecified
OS: Unspecified
Fixed In Version: subscription-manager-1.28.25-1.el8
Clone Of: 2023391
Bug Depends On: 2023391
Last Closed: 2022-05-10 15:22:58 UTC
Type: Bug
Deadline: 2022-01-11

Description Pino Toscano 2021-11-15 15:36:52 UTC
+++ This bug was initially created as a clone of Bug #2023391 +++

The libdnf plugin is written in C and built with CMake; unfortunately, the project CMakeLists.txt overwrites the C build flags:

  if (CMAKE_COMPILER_IS_GNUCC)
      set (CMAKE_C_FLAGS "-Wall -fPIC -Wextra -pedantic -Wno-long-long -std=c99")
      if (CMAKE_BUILD_TYPE STREQUAL "Debug")
          set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -ggdb -O0 --coverage")
      elseif( CMAKE_BUILD_TYPE STREQUAL "Release" )
          set (CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -DNDEBUG -g -O3 -fno-strict-aliasing")
      endif ()
  endif (CMAKE_COMPILER_IS_GNUCC)

This causes the loss of CFLAGS exported in the build environment, or even passed to the cmake command line at configure time. This causes the lack of the distribution build flags for the built plugin.

This can be checked in two ways:
a) checking the build logs: in a verbose build, all the environment CFLAGS should appear in the gcc command line that builds the sources for the libdnf plugin
b) with annocheck: annocheck --ignore-unknown --verbose product-id.so

Actual result:
annocheck shows at least two failures:
Hardened: usr/lib64/libdnf/plugins/product-id.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: usr/lib64/libdnf/plugins/product-id.so: FAIL: property-note test because no .note.gnu.property section found 

Expected result:
- build log that shows the environment CFLAGS as used during the build
- no errors reported by annocheck

Comment 1 Rehana 2022-01-24 11:51:29 UTC
Reproducing on :
----------------
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.21-3.el8

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 9.65.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writeable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: info: set binary producer to Gas version 2.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: info: notes produced by assembler plugin version 1
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: entry test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: fortify test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: glibcxx-assertions test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: optimization test because not compiled code 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: pic test because not compiled code 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: FAIL: property-note test because no .note.gnu.property section found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enum test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-clash test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-prot test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because no compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: warnings test because no compiled code found 

Pre-testing on :
----------------
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# rpm -qa subscription-manager --changelog | grep 2023392
- 2023392: libdnf: respect environment CFLAGS (ptoscano)

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 10.29.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: property-note test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-prot test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pic test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: optimization test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: warnings test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-clash test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: production test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enums test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: unicode test 
Hardened: product-id.so: Overall: PASS.

Notice the Overall result is PASS. Based on the above results pre-verifying the bug.
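
The two annocheck runs above differ in more than the two FAIL lines: several tests that were skipped in the first run pass in the second. As an added example (not part of this bug report or of subscription-manager), the Python below parses `annocheck --verbose` output and reports explicit failures, skips whose stated reason is that no compiled code was found, and status changes between two runs. The function names and the decision to flag those skips are assumptions of this example.

```python
import re

# One result line: "Hardened: <file>: <STATUS>: <name> test[ because <reason>]"
RESULT = re.compile(r"^Hardened: (\S+): (\w+): ([\w-]+) test(?: because (.*))?$")
# Skip reasons seen in this report when annocheck found no compiled code to inspect.
NO_CODE = {"no compiled code found", "not compiled code"}

def parse(log):
    """Map test name -> (status, reason) for each result line; info lines are ignored."""
    results = {}
    for line in log.splitlines():
        m = RESULT.match(line.strip())
        if m and m.group(2) != "info":
            results[m.group(3)] = (m.group(2), m.group(4) or "")
    return results

def gate(results):
    """Return (failed, unchecked): FAILs, and skips where nothing was checked."""
    failed = sorted(t for t, (s, _) in results.items() if s == "FAIL")
    unchecked = sorted(t for t, (s, r) in results.items() if s == "skip" and r in NO_CODE)
    return failed, unchecked

def changed(before, after):
    """(test, old, new) for each test whose status differs; None means not reported."""
    names = sorted(set(before) | set(after))
    pairs = [(t, before.get(t, (None,))[0], after.get(t, (None,))[0]) for t in names]
    return [p for p in pairs if p[1] != p[2]]

# Sample input: lines excerpted from the two annocheck runs in this report.
P = "Hardened: /usr/lib64/libdnf/plugins/product-id.so: "
BEFORE = "\n".join(P + s for s in [
    "info: set binary producer to Gas version 2.",
    "FAIL: cf-protection test because no .note.gnu.property section = no control flow information",
    "skip: fortify test because no compiled code found",
    "skip: go-revision test because no GO compiled code found",
    "skip: optimization test because not compiled code",
    "FAIL: property-note test because no .note.gnu.property section found",
    "skip: stack-prot test because no compiled code found",
])
AFTER = "\n".join(P + s for s in [
    "PASS: cf-protection test because correct flags found in .note.gnu.property note",
    "PASS: property-note test",
    "PASS: stack-prot test",
    "PASS: fortify test because fortify note found",
    "PASS: optimization test",
    "skip: go-revision test because no GO compiled code found",
])

print(gate(parse(BEFORE)), gate(parse(AFTER)))
```

Test names can differ between annocheck versions (the logs above show `writeable-got` in 9.65 and `writable-got` in 10.29), so `changed` reports a renamed test as absent from one side rather than matching the two names.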

Comment 4 Rehana 2022-01-31 09:38:06 UTC
Verifying on :
==============

# subscription-manager version
server type: This system is currently not registered.
subscription management server: 3.2.22-1
subscription management rules: 5.41
subscription-manager: 1.28.25-1.el8

# rpm -qa subscription-manager --changelog | grep 2023392
- 2023392: libdnf: respect environment CFLAGS (ptoscano)

# annocheck --ignore-unknown --verbose --skip-lto /usr/lib64/libdnf/plugins/product-id.so
annocheck: Version 10.29.
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pie test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: writable-got test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: cf-protection test because correct flags found in .note.gnu.property note 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: property-note test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: dynamic-segment test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: bind-now test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-prot test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: pic test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: fortify test because fortify note found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: glibcxx-assertions test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: optimization test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: warnings test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: stack-clash test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: entry test because shared libraries do not use entry points 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-stack test because stack segment exists with the correct permissions 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: gnu-relro test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: notes test because no gaps found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-branch-protection test because not an AArch64 binary 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: not-dynamic-tags test because AArch64 specific 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: go-revision test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: only-go test because no GO compiled code found 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: production test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: run-path test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: rwx-seg test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: short-enums test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: skip: stack-realign test because not an x86 executable 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: textrel test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: threads test 
Hardened: /usr/lib64/libdnf/plugins/product-id.so: PASS: unicode test 
Hardened: product-id.so: Overall: PASS.

Comment 6 errata-xmlrpc 2022-05-10 15:22:58 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (subscription-manager bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2047