Description of problem: Latest packages of java-openjdk don't get relevant build flags from redhat-rpm-config. Version-Release number of selected component (if applicable): $ rpm -q java-openjdk java-openjdk-10.0.1.10-1.fc28.x86_64 How reproducible: 100% Steps to Reproduce: 1. Install java-openjdk-devel 2. checksec --dir /usr/lib/jvm/java-10-openjdk/bin Actual results: RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Checked Total Filename Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/appletviewer Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/idlj Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jaotc Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jar Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jarsigner Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/java Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javac Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javadoc Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javap Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jcmd Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jconsole Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdb Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdeprscan Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdeps Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jhsdb Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jimage Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jinfo Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jjs Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jlink Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jmap Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jmod Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jps Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jrunscript Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jshell Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstack Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstat Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstatd Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/keytool Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/orbd Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/pack200 Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmic Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmid Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmiregistry Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/schemagen Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/serialver Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/servertool Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/tnameserv Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 8 /usr/lib/jvm/java-10-openjdk/bin/unpack200 Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/wsgen Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/wsimport Partial RELRO No canary found NX enabled No PIE RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/xjc Expected results: RELRO STACK CANARY NX PIE RPATH RUNPATH FORTIFY Checked Total Filename Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/appletviewer Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/idlj Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jaotc Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jar Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jarsigner Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/java Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javac Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javadoc Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/javap Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jcmd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jconsole Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdb Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdeprscan Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jdeps Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jhsdb Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jimage Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jinfo Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jjs Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jlink Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jmap Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jmod Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jps Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jrunscript Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jshell Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstack Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstat Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/jstatd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/keytool Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/orbd Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/pack200 Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmic Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmid Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/rmiregistry Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/schemagen Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/serialver Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/servertool Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/tnameserv Full RELRO Canary found NX enabled PIE enabled RPATH No RUNPATH Yes 4 9 /usr/lib/jvm/java-10-openjdk/bin/unpack200 Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/wsgen Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/wsimport Full RELRO No canary found NX enabled PIE enabled RPATH No RUNPATH No 0 0 /usr/lib/jvm/java-10-openjdk/bin/xjc Additional info: The issue is that java-openjdk does not pass cflags/ldflags to the OpenJDK build system.
Initial patch, which seems to solve most of it but not all: https://src.fedoraproject.org/fork/jerboaa/rpms/java-openjdk/c/0877e9fb1b2d5df1b2ed27387407dd982d219d98?branch=f28-flags-inject $ rpm -ql java-openjdk-headless | grep libjsig /usr/lib/jvm/java-10-openjdk-10.0.1.10-3.fc28.x86_64/lib/libjsig.so $ readelf -d /usr/lib/jvm/java-10-openjdk-10.0.1.10-3.fc28.x86_64/lib/libjsig.so | grep NOW <nothing> Looking at the log we see: [...] Linking libjsig.so ( /usr/bin/gcc -Wl,--hash-style=both -Wl,-z,noexecstack -g -pipe -Wformat -Wno-cpp -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -mcet -fcf-protection -std=gnu++98 -Wno-error -fno-delete-null-pointer-checks -fno-lifetime-dse -shared -m64 -o /builddir/build/BUILD/java-10-openjdk-10.0.1.10-3.fc28.x86_64/openjdk/build/support/modules_libs/java.base/libjsig.so /builddir/build/BUILD/java-10-openjdk-10.0.1.10-3.fc28.x86_64/openjdk/build/hotspot/libjsig/objs/jsig.o -ldl [...] Thus, it's not receiving relevant linker flags.
java-openjdk-10.0.1.10-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-6bd87ab4e9
java-openjdk-10.0.1.10-3.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-fa5339eeb1
java-openjdk-10.0.1.10-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-6bd87ab4e9
java-openjdk-10.0.1.10-3.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-fa5339eeb1
java-openjdk-10.0.1.10-3.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
java-openjdk-10.0.1.10-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.