Bug 2044826

Summary: annocheck FAIL: pie test (criu)
Product: Red Hat Enterprise Linux 9 Reporter: rlemosor
Component: criuAssignee: Adrian Reber <areber>
Status: CLOSED ERRATA QA Contact: Chao Ye <cye>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 9.0CC: lilu
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: criu-3.15-13.el9 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-17 12:28:29 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2044387    

Description rlemosor 2022-01-25 09:49:31 UTC 
Failed test: pie test

Test results:
Hardened: criu: FAIL: pie test because not built with '-Wl'-pie' (gcc/clang) or '-buildmode pie' (go)
Hardened: criu: FAIL: bind-now test because not linked with -Wl'-z'now

Applicable RPMs:
criu-3.15-12.el9.aarch64.rpm; criu-3.15-12.el9.ppc64le.rpm; criu-3.15-12.el9.s390x.rpm; criu-3.15-12.el9.x86_64.rpm; criu-libs-3.15-12.el9.aarch64.rpm; criu-libs-3.15-12.el9.ppc64le.rpm; criu-libs-3.15-12.el9.s390x.rpm; criu-libs-3.15-12.el9.x86_64.rpm

Recommendation: Please fix the build system for the package or else add a skip of tests to the rpminspect.yaml file. For more details please see https://sourceware.org/annobin/annobin.html/Test-pie.html and https://sourceware.org/annobin/annobin.html/Waiving-Hardened-Results.html#Waiving-Hardened-Results.

Why this bug was filed: All packages in RHEL 9 built with gcc (g++, etc.) are required to use a common set of flags provided by the distribution. These flags turn on important security and performance features so it is critical that any package that lacks these flags be repaired. A scanning tool named annocheck, part of the annobin package, was used to scan RHEL 9 packages. This BZ was created because binary packages of this component with the mentioned NVRs were not built with the requisite flags for one or more RHEL 9 architectures.

How to reproduce the failure: You could try running annocheck locally against your builds: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files.

This bug report is part of a subset of annocheck failures that were understood as critical enough to warrant a package correction. The package set was analyzed on a nightly compose, outside of OSCI gating.

Annocheck resources:
* annobin documentation: https://sourceware.org/annobin/annobin.html/index.html
* annocheck on the customer portal: https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/9/html/user_guide/chap-annobin.

Contacts:
* Instant messaging: #tools on IRC
* Email: use tools for generic questions. Otherwise, use go-tools and llvm-clang-list for Go and Clang/LLVM specific questions.
* annobin-annocheck maintainer: Nick Clifton (nickc)
Comment 1 rlemosor 2022-01-25 09:49:33 UTC 
Deadline: Please consider resolving all annocheck defects by ITM 26, Mon 2022-02-28, the end of DevTestDoc phase. This means moving this bug report to VERIFIED by that time.

Workflow:
* Please follow the RHEL workflow, as described on the Development Guide: https://one.redhat.com/rhel-developer-guide/#con_rhel-workflows_assembly_development
* As pre-verification, you can add a link to the CI dashboard proving your latest build passes annocheck, e.g. for inkscape: https://dashboard.osci.redhat.com/#/artifact/brew-build/aid/42485499.
* If you have later builds that do not exhibit the same failure, you can close the bug as “Not a Bug”, providing a link to the CI dashboard that shows it.
* Ideally, fix the failure upstream as well.

Additional resources: Red Hat internal links:
* Test classification: CRITICAL. More on annocheck failure classification: https://docs.google.com/document/d/1-YhkP5SFRHZABVN7M5NVV9b1MKKLlp9GyaSeP-NK24g/edit#heading=h.ri9jkka1ysuk.
* DevGuide section on annocheck: https://one.redhat.com/rhel-developer-guide/#proc_ensuring-comprehensive-elf-distro-flags-with-annocheck_assembly_maintenance-and-post-release-processes.
* rpminspect goal for 9 GA (Google Doc): https://docs.google.com/document/d/1-YhkP5SFRHZABVN7M5NVV9b1MKKLlp9GyaSeP-NK24g/edit#heading=h.nqmmegfwl4yk.
Comment 3 Chao Ye 2022-02-07 08:23:32 UTC 
Set Verified:Tested according to https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=42691795
Comment 6 Chao Ye 2022-02-07 08:45:11 UTC 
Move to VERIFIED per comment #3.
Comment 8 errata-xmlrpc 2022-05-17 12:28:29 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: criu), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2316