Bug 807831

Summary: default to partial relro
Product: [Fedora] Fedora Reporter: Bill Nottingham <notting>
Component: binutilsAssignee: Nick Clifton <nickc>
Status: CLOSED RAWHIDE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 17CC: jakub, nickc, rvokal, sgrubb
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-04-25 15:03:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Bill Nottingham 2012-03-28 20:43:09 UTC 
Description of problem:

We want to have partial relro enabled everywhere. At the moment, we do that by setting a global LDFLAGS in redhat-rpm-config.

However, packages' build systems are dumb, and don't always notice this.

Ergo, it would be far simpler to just change the default in ld.

Version-Release number of selected component (if applicable):

binutils-2.21.53.0.1-6.fc16.x86_64

How reproducible:

100%
Comment 1 Bill Nottingham 2012-03-28 20:52:49 UTC 
https://build.opensuse.org/package/view_file?file=ld-relro.diff&package=binutils&project=Base%3Abuild&rev=a2de7c822f64bc0f148dbcaea1a9fb43 looks like it would do the trick, at a first glance.
Comment 2 Jakub Jelinek 2012-03-28 21:00:59 UTC 
What else is binutils-2.22.52.0.1-relro-on-by-default.patch in f18 binutils?
Comment 3 Bill Nottingham 2012-03-28 21:31:34 UTC 
Ah, OK. I was looking at f17 builds.

That being said:

diff --git a/binutils.spec b/binutils.spec
index f4c2e8d..46ecc1d 100644
--- a/binutils.spec
+++ b/binutils.spec
@@ -149,7 +149,7 @@ using libelf instead of BFD.
 %patch08 -p1 -b .weakdef~
 %patch09 -p1 -b .ld-13621~
 %patch10 -p1 -b .cxxfilt-docs~
-%if 0%{?fedora} >= 18
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
 %patch11 -p0 -b .relro~
 %endif
 %patch12 -p0 -b .x86_64-hidden-ifunc~
@@ -459,7 +459,7 @@ exit 0
 - Fix up handling of hidden ifunc relocs on x86_64
 - Add Intel TSX support
 
-%if 0%{?fedora} >= 18
+%if 0%{?fedora} >= 18 || 0%{?rhel} >= 7
 * Tue Mar 06 2012 Nick Clifton <nickc> - 2.22.52.0.1-7
 - Enable -zrelro be default. (#621983)
 %endif

would be nice.
Comment 4 Steve Grubb 2012-04-25 14:43:25 UTC 
Just checking on this. I was hoping it would have been in place by now. Any problems created by this patch?
Comment 5 Bill Nottingham 2012-04-25 15:03:04 UTC 
Fixed in:
 
commit 29ab3f6c024684fa2ec527dda4949f9e2d97b079 (HEAD, origin/master, origin/HEA
Author: Nick Clifton <nickc>
Date:   Tue Apr 3 15:49:11 2012 +0100

    Enable -zrelro by default for RHEL 7+. (#807831)

in -11.