Bug 1570847 - [aarch64] Enable hardened build
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: java-1.8.0-openjdk
Version: 28
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Severin Gehwolf
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 1548475
Reported: 2018-04-23 14:12 UTC by Severin Gehwolf
Modified: 2018-04-30 21:17 UTC

Fixed In Version: java-1.8.0-openjdk-1.8.0.171-3.b10.fc28 java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 java-1.8.0-openjdk-1.8.0.171-4.b10.fc28
Clone Of:
Environment:
Last Closed: 2018-04-30 16:36:49 UTC
Type: Bug
Embargoed:



Description Severin Gehwolf 2018-04-23 14:12:55 UTC
Description of problem:
The hardened build is disabled on aarch64. I don't seem to find any specific reason as to why that is. One comment suggested it fails the bootcycle-images build, but that does not seem to be the case for a scratch build which I've tried.

Version-Release number of selected component (if applicable):
java-1.8.0-openjdk-1.8.0.171-1.b10.fc28.aarch64

How reproducible:
100%

Steps to Reproduce:
1. $ checksec --dir /usr/lib/jvm/java-1.8.0-openjdk/bin | grep 'No PIE'

Actual results:
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/appletviewer
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/extcheck
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/idlj
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jar
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jarsigner
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/java
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javac
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javadoc
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javah
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/javap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jcmd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jconsole
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdb
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jdeps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jhat
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jinfo
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jjs
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jmap
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jps
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jrunscript
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jsadebugd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstack
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstat
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/jstatd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/keytool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/native2ascii
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/orbd
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/pack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/policytool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmic
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmid
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/rmiregistry
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/schemagen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/serialver
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/servertool
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/tnameserv
Partial RELRO   Canary found      NX enabled    No PIE          RPATH      No RUNPATH   Yes     0               8       /usr/lib/jvm/java-1.8.0-openjdk/bin/unpack200
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsgen
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/wsimport
Partial RELRO   No canary found   NX enabled    No PIE          RPATH      No RUNPATH   No      0               0       /usr/lib/jvm/java-1.8.0-openjdk/bin/xjc

Expected results:
Nothing (i.e. no match)

Additional info:
Scratch build which has hardening enabled:
https://koji.fedoraproject.org/koji/taskinfo?taskID=26471763

Comment 1 Severin Gehwolf 2018-04-23 14:38:24 UTC
Proposed fix:
https://src.fedoraproject.org/rpms/java-1.8.0-openjdk/pull-request/4

Comment 2 Andrew John Hughes 2018-04-23 15:44:03 UTC
It was disabled based on failures on RHEL 7. I don't believe Fedora even had AArch64 support back then.

If it bootcycles on Fedora, then I see no issue with enabling it there. Fedora has a much newer version of GCC than RHEL 7 :)

Comment 4 Severin Gehwolf 2018-04-24 15:25:53 UTC
Once this build completes this should be fixed:
https://koji.fedoraproject.org/koji/buildinfo?buildID=1075249

Comment 5 Fedora Update System 2018-04-26 07:18:22 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 6 Fedora Update System 2018-04-26 07:18:42 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 7 Fedora Update System 2018-04-26 15:33:32 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-f06de7cbbb

Comment 8 Fedora Update System 2018-04-27 07:55:21 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-1e5b8a00a0

Comment 9 Fedora Update System 2018-04-30 16:36:49 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2018-04-30 21:17:50 UTC
java-1.8.0-openjdk-1.8.0.171-4.b10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
