2044850 – annocheck FAIL: bind-now test (conntrack-tools)

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 2044850 - annocheck FAIL: bind-now test (conntrack-tools)

Summary: annocheck FAIL: bind-now test (conntrack-tools)

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 9
Classification:	Red Hat
Component:	conntrack-tools
Sub Component:
Version:	9.0
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	Phil Sutter
QA Contact:	Jianwen Ji
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2044387 2062810
TreeView+	depends on / blocked

Reported:	2022-01-25 10:25 UTC by Rui Ormonde
Modified:	2023-04-03 08:12 UTC (History)
CC List:	6 users (show)
Fixed In Version:	conntrack-tools-1.4.5-10.el9_0
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Clones:	2062265 2062810 (view as bug list)
Environment:
Last Closed:	2022-05-17 14:23:38 UTC
Type:	---
Target Upstream Version:
Embargoed:
Dependent Products:
Flags:	pm-rhel: mirror+

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	RHELPLAN-109517	0	None	None	None	2022-01-25 10:32:33 UTC
Red Hat Product Errata	RHBA-2022:2777	0	None	None	None	2022-05-17 14:23:41 UTC

Description Rui Ormonde 2022-01-25 10:25:07 UTC

Failed test: bind-now test

Test results:
\n Hardened: ct_helper_amanda.so: FAIL: bind-now test because not linked with -Wl'-z'now \n Hardened: ct_helper_amanda.so: FAIL: stack-prot test because stack protection deliberately disabled \n Hardened: ct_helper_dhcpv6.so: FAIL: bind-now test because not linked with -Wl'-z'now \n Hardened: ct_helper_dhcpv6.so: FAIL: stack-prot test because stack protection deliberately disabled \n Hardened: ct_helper_ftp.so: FAIL: bind-now test because not linked with -Wl'-z'now \n Hardened: ct_helper_ftp.so: FAIL: stack-prot test because stack protection deliberately disabled \n Hardened: ct_helper_mdns.so: FAIL: bind-now test because not linked with -Wl'-z'now \n Hardened: ct_helper_mdns.so: FAIL: stack-prot test because stack protection deliberately disabled \n Hardened: ct_helper_rpc.so: FAIL: bind-now test because not linked with -Wl'-z'now \n Hardened: ct_helper_rpc.so: FAIL: stack-prot test because stack protection deliberately disabled \n Hardened: ct_helper_sane.so: FAIL: bind-now test because not linked with -W

Applicable RPMs:
conntrack-tools-1.4.5-9.el9.aarch64.rpm; conntrack-tools-1.4.5-9.el9.ppc64le.rpm; conntrack-tools-1.4.5-9.el9.s390x.rpm; conntrack-tools-1.4.5-9.el9.x86_64.rpm

Recommendation: Please fix the build system for the package or else add a skip of tests to the rpminspect.yaml file. For more details please see https://sourceware.org/annobin/annobin.html/Test-bind-now.html and https://sourceware.org/annobin/annobin.html/Waiving-Hardened-Results.html#Waiving-Hardened-Results.

Why this bug was filed: All packages in RHEL 9 built with gcc (g++, etc.) are required to use a common set of flags provided by the distribution. These flags turn on important security and performance features so it is critical that any package that lacks these flags be repaired. A scanning tool named annocheck, part of the annobin package, was used to scan RHEL 9 packages. This BZ was created because binary packages of this component with the mentioned NVRs were not built with the requisite flags for one or more RHEL 9 architectures.

How to reproduce the failure: You could try running annocheck locally against your builds: https://developers.redhat.com/blog/2019/02/04/annocheck-examining-the-contents-of-binary-files.

Annocheck resources:
* annobin documentation: https://sourceware.org/annobin/annobin.html/index.html
* annocheck on the customer portal: https://access.redhat.com/documentation/en-us/red_hat_developer_toolset/9/html/user_guide/chap-annobin

Contacts:
* Instant messaging: #tools on IRC
* Email: use tools for generic questions. Otherwise, use go-tools and llvm-clang-list for Go and Clang/LLVM specific questions.
* annobin-annocheck maintainer: Nick Clifton (nickc)

Comment 2 Phil Sutter 2022-01-25 13:14:49 UTC

Spec file defined CFLAGS and CXXFLAGS variables prior to calling %make_build, this might be the culprit. While being at it:

* Replace the 'sed' call to fix for failing RPC header search with upstream patch (and follow-up)
* Call autoreconf since above patches change configure.ac
* Drop old unused patch files from dist-git

Comment 3 Phil Sutter 2022-01-25 15:42:54 UTC

I don't get it:

Trying to verify my changes, I did a local build as well as a scratch build and annocheck complains for both. Since the package's build system is autotools-based, things should just work. To verify I'm really loosing compiler flags along the way, I did this:

| --- a/conntrack-tools.spec
| +++ b/conntrack-tools.spec
| @@ -52,6 +52,8 @@ show an event message (one line) per newly established connection.
|  %autosetup -p1
|  
|  %build
| +echo "CFLAGS: %{build_cflags}"
| +echo "LDFLAGS: %{build_ldflags}"
|  autoreconf -fi
|  rm -Rf autom4te*.cache config.h.in~
|  %configure --disable-static --enable-systemd

Here's the relevant excerpt from 'centpkg local':

| Executing(%build): /bin/sh -e /var/tmp/rpm-tmp.8HHPpf
| + umask 022
| + cd /home/psutter/centpkg/conntrack-tools
| + cd conntrack-tools-1.4.5
| + echo 'CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection'
| CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64  -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
| + echo 'LDFLAGS: -Wl,-z,relro -Wl,--as-needed   -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1'
| LDFLAGS: -Wl,-z,relro -Wl,--as-needed   -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -Wl,--build-id=sha1
| + autoreconf -fi

There is no -Wl'-z'now among linker flags. So if this isn't a general problem with RPM build system (which is pretty unlikely), I'm hunting heisenbugs here and local as well as scratch builds just don't match candidate builds (which is a pity).

Jiji, please consider this ticket for qa_ack+ and select an ITM as you see fit. I already created a merge request, let's just hope my changes are effective and the candidate build will be fine.

Comment 4 Rui Ormonde 2022-01-26 09:13:56 UTC

@fweimer , would you like to review Phil's results above?

Comment 5 Florian Weimer 2022-01-26 09:46:22 UTC

https://fedora.softwarefactory-project.io/rpminspect-report/?url=https://centos.softwarefactory-project.io/logs//2/2/759e58a7df7b7602ba50500918bebf49361fd469/check/rpm-rpminspect/1b59048/result.json still shows failures.

The build log shows that -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld is missing from the linker invocation:

2022-01-25 14:27:54.242985 | cloud-host | DEBUG: libtool: link: gcc -shared  -fPIC -DPIC  .libs/ct_helper_amanda_la-amanda.o   -lnetfilter_conntrack -lnfnetlink  -O2 -flto=auto -g -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2 -mtune=generic -Wl,-z -Wl,lazy -Wl,-z -Wl,relro -Wl,--as-needed -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1   -Wl,-soname -Wl,ct_helper_amanda.so -o .libs/ct_helper_amanda.so

Comment 6 Phil Sutter 2022-01-26 13:37:13 UTC

(In reply to Florian Weimer from comment #5)
> https://fedora.softwarefactory-project.io/rpminspect-report/?url=https://
> centos.softwarefactory-project.io/logs//2/2/
> 759e58a7df7b7602ba50500918bebf49361fd469/check/rpm-rpminspect/1b59048/result.
> json still shows failures.
> 
> The build log shows that -Wl,-z,now
> -specs=/usr/lib/rpm/redhat/redhat-hardened-ld is missing from the linker
> invocation:
> 
> 2022-01-25 14:27:54.242985 | cloud-host | DEBUG: libtool: link: gcc -shared 
> -fPIC -DPIC  .libs/ct_helper_amanda_la-amanda.o   -lnetfilter_conntrack
> -lnfnetlink  -O2 -flto=auto -g -grecord-gcc-switches
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -march=x86-64-v2
> -mtune=generic -Wl,-z -Wl,lazy -Wl,-z -Wl,relro -Wl,--as-needed
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1   -Wl,-soname
> -Wl,ct_helper_amanda.so -o .libs/ct_helper_amanda.so

That's the symptom, I'm asking for the cause. Another try at identifying input
to configure call:

|  %build
| +env
| +echo "CFLAGS: %{build_cflags}"
| +echo "LDFLAGS: %{build_ldflags}"
|  autoreconf -fi

Here's build.log for x86_64 build:
https://kojihub.stream.rdu2.redhat.com/kojifiles/work/tasks/5001/905001/build.log

In summary:

- env contains:

RPM_LD_FLAGS=-Wl,-z,relro -Wl,--as-needed   -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 
RPM_OPT_FLAGS=-O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-

- build_cflags/build_ldflags are:

CFLAGS: -O2 -flto=auto -ffat-lto-objects -fexceptions -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS  -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1  -m64 -march=x86-64-v2 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
LDFLAGS: -Wl,-z,relro -Wl,--as-needed   -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1

So if build system is not broken, how does it pass the required linker flags to
the package build? I can work around it by setting the missing flags manually,
but would like to have an official statement before implementing such hacks.

Comment 7 Florian Weimer 2022-01-26 13:52:25 UTC

(In reply to Phil Sutter from comment #6)
> So if build system is not broken, how does it pass the required linker flags
> to
> the package build? I can work around it by setting the missing flags
> manually,
> but would like to have an official statement before implementing such hacks.

I'm not sure what you are looking here, sorry. There is no official makefile-based build system, each package brings its own version. As a result, build flags handling varies from package to package.

I *suspect* it could be related to -specs= support, which was added upstream, but is missing from Fedora/downstream:

https://src.fedoraproject.org/rpms/libtool/pull-request/7

Frédéric, do you think we should backport this upstream enhancement?

Comment 8 Phil Sutter 2022-01-26 14:07:54 UTC

Hmm. Maybe this is a misunderstanding, our replies seem to drift. Let me reiterate from my perspective, maybe you find the spot where I took a wrong turn:

- Annocheck fails for missing linker flag '-Wl,-z,now'

- If this is a problem with conntrack-tools' build system, the relevant flag
  must get lost inside of configure or during 'make' call, but I don't see
  where

- I assume the missing flag is passed by rpmbuild, so looking at 'env' or any
  "spec file variables" (%{...}) should show it, but it's not there

- If my package should be built with a specific linker flag, it needs to know.
  How is the information submitted?

Comment 9 Florian Weimer 2022-01-26 14:30:46 UTC

I looked at this properly, and the spec file disables hardening explicitly:

%undefine _hardened_build
[…]
CFLAGS="${CFLAGS} -Wl,-z,lazy"
CXXFLAGS="${CXXFLAGS} -Wl,-z,lazy"

This is the result of an improper fix for bug 1413408. The root cause for this bug seems to be that the plugin API is only defined by /usr/sbin/conntrackd, which means that /usr/sbin/nfct cannot load those plugins. There are several ways to solve this: merge the command line tools into one binary, factor out these interfaces into a new DSO, or (but this is more of a quick hack) use weak symbol references.

Comment 10 Phil Sutter 2022-01-26 14:44:43 UTC

(In reply to Florian Weimer from comment #9)
> I looked at this properly, and the spec file disables hardening explicitly:
> 
> %undefine _hardened_build

Argh, I missed this statement. Clearly explains why things didn't make sense
from my perspective. Thanks for pointing it out!

> […]
> CFLAGS="${CFLAGS} -Wl,-z,lazy"
> CXXFLAGS="${CXXFLAGS} -Wl,-z,lazy"
> 
> This is the result of an improper fix for bug 1413408. The root cause for
> this bug seems to be that the plugin API is only defined by
> /usr/sbin/conntrackd, which means that /usr/sbin/nfct cannot load those
> plugins. There are several ways to solve this: merge the command line tools
> into one binary, factor out these interfaces into a new DSO, or (but this is
> more of a quick hack) use weak symbol references.

Thanks, I'll evaluate on the possible options.

Comment 11 Phil Sutter 2022-02-01 14:17:27 UTC

Patch to merge nfct into conntrackd sent upstream:
https://lore.kernel.org/netfilter-devel/20220126224930.31730-1-phil@nwl.cc/

Comment 16 Phil Sutter 2022-03-02 10:32:20 UTC

Given the potentially unwanted side-effects of a much bigger nfct binary, I
submitted a new approach which adds the missing symbols to nfct if requested by
a configure option:

https://lore.kernel.org/netfilter-devel/20220208160100.27527-1-phil@nwl.cc/

Upstream promised to either come up with an own solution or accept mine within
this week.

Comment 18 Phil Sutter 2022-03-09 13:07:20 UTC

Upstream commit to backport:

commit dc454a657f57a5cf143fddc5c1dd87a510c1790a (HEAD -> master, origin/master, origin/HEAD)
Author: Pablo Neira Ayuso <pablo>
Date:   Tue Mar 8 23:05:39 2022 +0100

    nfct: remove lazy binding
    
    Since cd5135377ac4 ("conntrackd: cthelper: Set up userspace helpers when
    daemon starts"), userspace conntrack helpers do not depend on a previous
    invocation of nfct to set up the userspace helpers.
    
    Move helper definitions to nfct-extensions/helper.c since existing
    deployments might still invoke nfct, even if not required anymore.
    
    This patch was motivated by the removal of the lazy binding.
    
    Phil Sutter says:
    
    "For security purposes, distributions might want to pass -Wl,-z,now
    linker flags to all builds, thereby disabling lazy binding globally.
    
    In the past, nfct relied upon lazy binding: It uses the helper objects'
    parsing functions without but doesn't provide all symbols the objects
    use."
    
    Acked-by: Phil Sutter <phil>
    Signed-off-by: Pablo Neira Ayuso <pablo>

Comment 20 Phil Sutter 2022-03-09 14:47:16 UTC

Jiji, Please set ITM as you see fit.

Comment 24 Phil Sutter 2022-03-11 13:59:25 UTC

Jiji,

Pagure is not functional at the moment[1], so let us please use a "manual"
process. Here[2] is a scratch build of the new release, could you please give
it a try and set Verified:Tested if it resolves this BZ?

Thanks!

[1] https://issues.redhat.com/browse/OSCI-3013
[2] https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=43755313

Comment 26 Phil Sutter 2022-03-15 14:45:46 UTC

Oh, indeed. Apparently I pushed releases which still contain the '%undefine
_hardened_build' directive. Sorry for the mess, I'll have to push a new release
for C9S and update the release for RHEL9.0. At least Pagure dist-git sync is
back, so we can use a PR-based workflow again.

Comment 27 Phil Sutter 2022-03-15 15:54:27 UTC

Here it is:

https://src.osci.redhat.com/rpms/conntrack-tools/pull-request/7

It also fixes the build instructions in tests.yml - they needed adjustment due to the backported patches.

Comment 35 errata-xmlrpc 2022-05-17 14:23:38 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (new packages: conntrack-tools), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:2777

Note You need to log in before you can comment on or make changes to this bug.