Bug
Resolution: Unresolved
Normal
CentOS Stream 10, rhel-10.1
criu-4.2-2.el10
Important
Requested
x86_64
What were you trying to do that didn't work?
Auditing RPM packages for binary hardening compliance. The criu binary has zero security hardening — no PIE/ASLR, no stack canary, no FORTIFY_SOURCE, no RELRO. The spec file deliberately disables all build hardening flags.
What is the impact of this issue to you?
criu is a privileged binary (/usr/sbin/criu, 1.5MB) that runs as root and performs security-sensitive operations: ptrace on target processes, parsing protobuf-c checkpoint images (potentially untrusted), manipulating /proc, handling network state and file descriptors. Without any hardening, a memory corruption vulnerability in criu would be trivially exploitable — no ASLR to bypass, no stack canaries to defeat, no FORTIFY to catch buffer overflows.
The spec file contains three directives that strip hardening:
    %undefine _annotated_build
    %undefine _auto_set_build_flags
    CFLAGS+=`echo %{optflags} | sed -e 's,-fstack-protector\S*,,g'`
The comments explain: "CRIU's parasite code breaks if annobin is enabled" and "-fstack-protector breaks build." The parasite code is position-dependent by design (injected into target processes during checkpoint), which explains the PIE conflict. However, the main criu binary and its libraries do not need to be unhardened — only the parasite code compilation units require special treatment.
Please provide the package NVR for which the bug is seen:
criu-4.2-1.el10.x86_64
How reproducible is this bug?:
Always — the hardening is stripped in the spec file.
Steps to reproduce
- rpm2cpio criu-4.2-1.el10.x86_64.rpm | cpio -i --to-stdout ./usr/sbin/criu 2>/dev/null > /tmp/criu
- readelf -h /tmp/criu | grep Type — shows EXEC (no PIE)
- readelf -s /tmp/criu | grep stack_chk — no output (no stack canary)
- readelf -s /tmp/criu | grep FORTIFY — no output (no FORTIFY_SOURCE)
- readelf -d /tmp/criu | grep RELRO — no output (no RELRO)
- Review spec file at https://gitlab.com/redhat/centos-stream/rpms/criu/-/blob/c10s/criu.spec — lines %undefine _annotated_build, %undefine _auto_set_build_flags, and the sed command stripping -fstack-protector.
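The readelf greps above can be folded into one repeatable check. The script below is an added example written for this report, not part of the bug or of the criu project; it parses the ELF64 file directly with the standard library instead of calling readelf, so it runs anywhere Python does. It tests the same four properties: e_type (ET_EXEC means a fixed load address, so no ASLR; a PIE is ET_DYN), the presence of the __stack_chk_fail import (stack protector), any imported *_chk symbol (FORTIFY_SOURCE), and RELRO, which is visible as a GNU_RELRO program header (readelf -l) together with the BIND_NOW dynamic flag for full RELRO. The two sample images are constructed inline for demonstration and are not the criu binary; pass a real path such as /tmp/criu on the command line to audit it.

```python
import struct

# ELF constants used below (System V ABI / glibc elf.h values).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def audit_elf64(data: bytes) -> dict:
    """Report PIE, stack-canary, FORTIFY and RELRO status of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    (e_type,) = struct.unpack_from("<H", data, 16)
    (e_phoff,) = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, dynamic, has_relro = [], None, False
    for i in range(e_phnum):
        p_type, _flags, p_off, p_vaddr, _pa, p_filesz, _msz, _al = struct.unpack_from(
            "<IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
        elif p_type == PT_GNU_RELRO:        # what `readelf -l` prints as GNU_RELRO
            has_relro = True

    def vaddr_to_offset(vaddr: int) -> int:
        for seg_vaddr, seg_off, seg_size in loads:
            if seg_vaddr <= vaddr < seg_vaddr + seg_size:
                return vaddr - seg_vaddr + seg_off
        raise ValueError("virtual address %#x not backed by a PT_LOAD segment" % vaddr)

    # Walk the dynamic section (16-byte tag/value pairs, terminated by DT_NULL).
    tags = {}
    if dynamic:
        dyn_off, dyn_size = dynamic
        for pos in range(dyn_off, dyn_off + dyn_size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)

    # Imported symbol names live in the dynamic string table (.dynstr).
    names = []
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = vaddr_to_offset(tags[DT_STRTAB])
        names = data[start:start + tags[DT_STRSZ]].split(b"\0")

    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
    return {
        "pie": e_type == ET_DYN,                      # ET_EXEC: fixed load address, no ASLR
        "stack_canary": b"__stack_chk_fail" in names,  # emitted by -fstack-protector*
        "fortify": any(n.endswith(b"_chk") for n in names),  # __memcpy_chk etc. from FORTIFY_SOURCE
        "relro": "full" if (has_relro and bind_now) else ("partial" if has_relro else "none"),
    }


def audit_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return audit_elf64(fh.read())


def build_sample_elf(e_type: int, imported: list, flags_1: int, relro: bool) -> bytes:
    """Constructed minimal ELF64 (no code, no section headers) used only to exercise the checker."""
    base = 0x400000
    phnum = 3 if relro else 2
    dyn_off = 64 + 56 * phnum            # ELF header, then program headers
    str_off = dyn_off + 16 * 4           # four dynamic entries precede the string table
    strtab = b"\0" + b"\0".join(imported) + b"\0"
    total = str_off + len(strtab)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8 + struct.pack(
        "<HHIQQQIHHHHHH", e_type, 0x3E, 1, base, 64, 0, 0, 64, 56, phnum, 0, 0, 0)
    phdrs = [(PT_LOAD, 5, 0, base, base, total, total, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, base + dyn_off, base + dyn_off, 64, 64, 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, base + dyn_off, base + dyn_off, 64, 64, 1))
    dyn = [(DT_STRTAB, base + str_off), (DT_STRSZ, len(strtab)), (DT_FLAGS_1, flags_1), (DT_NULL, 0)]
    return (ehdr + b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
            + b"".join(struct.pack("<qQ", t, v) for t, v in dyn) + strtab)


# Constructed samples: one shaped like the unhardened binary the report describes
# (ET_EXEC, no canary or FORTIFY imports, no RELRO) and one with full hardening.
SAMPLE_UNHARDENED = build_sample_elf(ET_EXEC, [b"malloc", b"memcpy"], 0, relro=False)
SAMPLE_HARDENED = build_sample_elf(ET_DYN, [b"__stack_chk_fail", b"__memcpy_chk"], DF_1_NOW, relro=True)

if __name__ == "__main__":
    import sys
    for label, blob in (("unhardened", SAMPLE_UNHARDENED), ("hardened", SAMPLE_HARDENED)):
        print(label, audit_elf64(blob))
    for path in sys.argv[1:]:            # e.g. python audit_hardening.py /tmp/criu
        print(path, audit_file(path))
```

A "partial" RELRO result means the GNU_RELRO segment exists but the loader is not told to bind eagerly, so the GOT is still writable at the time lazy relocations are resolved; RHEL's default hardening flags produce "full". The PIE test reports any ET_DYN object as position independent, so a shared library will also show pie=True.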
Expected results
The main criu binary and shared libraries should be built with standard RHEL hardening (PIE, stack protector, FORTIFY_SOURCE, full RELRO). Hardening exceptions should be scoped to only the parasite code object files that require position-dependent compilation, using per-target CFLAGS overrides in the Makefile rather than globally disabling all hardening for the entire package.
Actual results
The entire package is built with zero hardening. The spec file globally disables _annotated_build, _auto_set_build_flags, and explicitly strips -fstack-protector from CFLAGS. The resulting /usr/sbin/criu binary is a 1.5MB EXEC (no PIE) with no stack canary, no FORTIFY_SOURCE, and no RELRO — a 0% hardening score on a privileged binary that parses untrusted input.
Links to: RHBA-2026:159745 (criu update)