AMQ Interconnect / ENTMQIC-3302

RPMDiff Execshield issues


Details

    • Bug
    • Resolution: Unresolved
    • Major
    • 1.10.7.GA
    • Packaging

    Description

      https://rpmdiff.engineering.redhat.com/run/535106/7/

      Detecting usr/sbin/qdrouterd with not-hardened warnings '
      Hardened: qdrouterd: FAIL: pie test because not built with '-Wl,-pie' (gcc/clang) or '-buildmode pie' (go) 
      Hardened: qdrouterd: FAIL: bind-now test because not linked with -Wl,-z,now 
      BuiltBy: qdrouterd: could not determine builder.
      Hardened: qdrouterd: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
      Hardened: qdrouterd: MAYB: test: fortify because no valid notes found regarding this test 
      Hardened: qdrouterd: FAIL: property-note test because no .note.gnu.property section found 
      Hardened: qdrouterd: MAYB: test: stack-clash because no notes found regarding this test 
      Hardened: Rerun annocheck with --verbose to see more information on the tests.
      ' on x86_64
      
      Detecting usr/lib/qpid-dispatch/libqpid-dispatch.so with not-hardened warnings '
      Hardened: libqpid-dispatch.so: FAIL: bind-now test because not linked with -Wl,-z,now 
      BuiltBy: libqpid-dispatch.so: could not determine builder.
      Hardened: libqpid-dispatch.so: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
      Hardened: libqpid-dispatch.so: MAYB: test: fortify because no valid notes found regarding this test 
      Hardened: libqpid-dispatch.so: FAIL: property-note test because no .note.gnu.property section found 
      Hardened: libqpid-dispatch.so: MAYB: test: stack-clash because no notes found regarding this test 
      Hardened: Rerun annocheck with --verbose to see more information on the tests.
      ' on x86_64
      

      https://rpmdiff.engineering.redhat.com/run/535105/7/

      Detecting usr/lib64/libwebsockets.so.12 with not-hardened warnings '
      Hardened: libwebsockets.so.12: FAIL: bind-now test because not linked with -Wl,-z,now 
      BuiltBy: libwebsockets.so.12: could not determine builder.
      Hardened: libwebsockets.so.12: FAIL: cf-protection test because no .note.gnu.property section = no control flow information 
      Hardened: libwebsockets.so.12: MAYB: test: fortify because no valid notes found regarding this test 
      Hardened: libwebsockets.so.12: FAIL: property-note test because no .note.gnu.property section found 
      Hardened: libwebsockets.so.12: MAYB: test: stack-clash because no notes found regarding this test 
      Hardened: Rerun annocheck with --verbose to see more information on the tests.
      ' on x86_64
      

      The build logs from brew are at

      1. http://download.eng.bos.redhat.com/brewroot/vol/rhel-7/packages/qpid-dispatch/1.14.0/6.el7_9/data/logs/x86_64/build.log
      2. http://download.eng.bos.redhat.com/brewroot/vol/rhel-7/packages/libwebsockets/2.4.2/3.el7_9/data/logs/x86_64/build.log

      From the warning messages from RPMDiff, it seems to me that binaries need to be built/linked with -Wl,-pie and shared libraries need to be linked with -Wl,-z,now. Looking at the brew build logs, these options are indeed not used.

      Regarding .note.gnu.property, I'd have expected to see the annobin gcc plugin mentioned somewhere in the build logs (because that plugin is responsible for adding these annotations, I think). But, again, it is not mentioned anywhere.

      Looking at the rhel8 build, http://download.eng.bos.redhat.com/brewroot/vol/rhel-8/packages/qpid-dispatch/1.14.0/6.el8/data/logs/x86_64/build.log, I see that annobin is present there, and so is -Wl,-z,now, but pie is not, at least not directly. It is likely it is included through -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1.

      So, now, maybe the rhel 7 environment has an old version of the rpm macros package (is that even possible?), or somehow the RPMDiff checks require something that rhel7 builds don't normally do, or there is something else broken.

      rgranzot Do you think waiving the RPMDiff for the release is the correct decision? I am inclined to say yes, given the urgency of delivering the fix, and (most importantly) given that this is not a regression: the previous el7 errata did not have these hardening options either, and back then it passed the check.

      It is the check that probably changed. It would be helpful to find out when it changed and why, but in any case, this is a valid bug for the future, I think.

      1. https://rpmdiff.engineering.redhat.com/run/511656/
      2. http://download.eng.bos.redhat.com/brewroot/vol/rhel-7/packages/qpid-dispatch/1.14.0/5.el7_9/data/logs/x86_64/build.log
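      The pie, bind-now and property-note results that annocheck reported above can be reproduced on a binary without annocheck, by reading the ELF dynamic section and section table directly. The block below is an added example, not part of this issue or of qpid-dispatch; check_hardening and build_sample_elf are names chosen here, and the ELF image build_sample_elf constructs is a synthetic sample (a PT_DYNAMIC segment with DT_FLAGS_1 and a section-name table, no loadable code).

```python
import struct

ET_DYN, PT_DYNAMIC, SHT_STRTAB, SHT_NOTE = 3, 2, 3, 7          # ELF gABI constants
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6ffffffb
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
EHDR, PHDR, SHDR = "<HHIQQQIHHHHHH", "<IIQQQQQQ", "<IIQQQQIIQQ"  # ELF64 little-endian layouts

def check_hardening(data: bytes) -> dict:
    """Report the properties behind annocheck's pie, bind-now and property-note results."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_type, _, _, _, phoff, shoff, _, _, phentsize, phnum,
     shentsize, shnum, shstrndx) = struct.unpack_from(EHDR, data, 16)
    dynamic = {}  # d_tag -> d_val, read from the PT_DYNAMIC segment
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        if p_type == PT_DYNAMIC:
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == 0:  # DT_NULL ends the table
                    break
                dynamic[tag] = val
    strtab_off = struct.unpack_from(SHDR, data, shoff + shstrndx * shentsize)[4]  # .shstrtab offset
    names = set()
    for i in range(shnum):
        start = strtab_off + struct.unpack_from("<I", data, shoff + i * shentsize)[0]
        names.add(data[start:data.index(b"\0", start)].decode())
    flags, flags_1 = dynamic.get(DT_FLAGS, 0), dynamic.get(DT_FLAGS_1, 0)
    return {
        # Stricter than annocheck: requires the DF_1_PIE flag newer ld emits for -pie links.
        "pie": e_type == ET_DYN and bool(flags_1 & DF_1_PIE),
        # -Wl,-z,now is recorded as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW depending on linker age.
        "bind_now": DT_BIND_NOW in dynamic or bool(flags & DF_BIND_NOW) or bool(flags_1 & DF_1_NOW),
        # .note.gnu.property carries the CET (cf-protection) bits annocheck looks for.
        "property_note": ".note.gnu.property" in names,
    }

def build_sample_elf(bind_now: bool, pie: bool, property_note: bool) -> bytes:
    """Constructed sample: minimal ELF64 with one PT_DYNAMIC segment and a name table (not loadable)."""
    flags_1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0)
    dyn = struct.pack("<qQ", DT_FLAGS_1, flags_1) + struct.pack("<qQ", 0, 0)
    names = b"\0.shstrtab\0" + (b".note.gnu.property\0" if property_note else b"")
    phdr = struct.pack(PHDR, PT_DYNAMIC, 6, 120, 0, 0, len(dyn), len(dyn), 8)  # dyn follows at 64+56
    body = (phdr + dyn + names).ljust(-(-(56 + len(dyn) + len(names)) // 8) * 8, b"\0")
    shdrs = [bytes(64), struct.pack(SHDR, 1, SHT_STRTAB, 0, 0, 120 + len(dyn), len(names), 0, 0, 1, 0)]
    if property_note:
        shdrs.append(struct.pack(SHDR, 11, SHT_NOTE, 0, 0, 0, 0, 0, 0, 8, 0))  # name at strtab + 11
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        EHDR, ET_DYN, 62, 1, 0, 64, 64 + len(body), 0, 64, 56, 1, 64, len(shdrs), 1)
    return ehdr + body + b"".join(shdrs)
```

      Passing the bytes of usr/sbin/qdrouterd or libqpid-dispatch.so from the built RPM (open(path, "rb").read()) gives the same pass/fail picture for these three tests; the fortify and stack-clash MAYB results depend on annobin notes, which this reader does not parse.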

      People: Michael Cressman (mcressma@redhat.com), Jiri Daněk (jdanek@redhat.com)