Bug
Resolution: Unresolved
Blocker
CentOS Stream 10
Critical
rhel-container-tools
x86_64
What were you trying to do that didn't work?
Auditing container infrastructure RPMs for binary hardening compliance. The conmon binary has PIE and RELRO (RELRO was recently added in the 2.2.1-2 build on Feb 12, 2026) but is missing stack canary protection and FORTIFY_SOURCE.
What is the impact of this issue to you?
conmon is the container monitor process — it sits between the container runtime (cri-o/runc) and every container process, handling stdio forwarding, logging, and exit status reporting. It runs on every container on every node in an OpenShift/podman deployment. It's a C binary that links against glib2, libseccomp, and libsystemd, and parses data from container processes.
Without stack protector, stack-based buffer overflows in conmon would not be detected at runtime. Without FORTIFY_SOURCE, buffer operations that could be bounds-checked at compile time are not. Combined with conmon's role as a persistent process attached to every container, this creates unnecessary exposure.
The upstream Makefile uses CFLAGS ?= -std=c99 -Os -Wall -Wextra -Werror — the ?= operator means it will accept CFLAGS from the environment. The fix is passing %{optflags} in the spec file's %build section.
Please provide the package NVR for which the bug is seen:
conmon-2.2.1-2.el10.x86_64
How reproducible is this bug?:
Always — the spec file does not pass CFLAGS to make.
Steps to reproduce
- rpm2cpio conmon-2.2.1-2.el10.x86_64.rpm | cpio -i --to-stdout ./usr/bin/conmon 2>/dev/null > /tmp/conmon
- readelf -h /tmp/conmon | grep Type — shows DYN (PIE present, correct)
- readelf -d /tmp/conmon | grep BIND_NOW — present (RELRO correct)
- readelf -s /tmp/conmon | grep stack_chk — no output (no stack canary)
- readelf -s /tmp/conmon | grep FORTIFY — no output (no FORTIFY_SOURCE)
- Review spec file at https://gitlab.com/redhat/centos-stream/rpms/conmon/-/blob/c10s/conmon.spec — the %build section uses %make_build bin/conmon without passing CFLAGS="%{optflags}". The upstream Makefile at https://github.com/containers/conmon/blob/v2.2.1/Makefile uses CFLAGS ?=, which means it accepts environment CFLAGS but defaults to its own if none are provided.
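The readelf checks above can be turned into a small audit script so the same verdict can be applied to every binary in an RPM set. The script below is an added example, not part of the original report; it parses readelf text output rather than the ELF file itself, and the readelf excerpts it runs on are constructed to model a hardened build and the current unhardened build, not captured from the real conmon binary. One detail it encodes that the grep in the steps above does not: FORTIFY_SOURCE never leaves a symbol literally named FORTIFY, it rewrites calls such as memcpy and snprintf to __memcpy_chk and __snprintf_chk, so the script looks for those `_chk` imports.

```python
import re

# Constructed readelf excerpts (not output captured from conmon-2.2.1-2.el10).
# HARDENED models a build done with RHEL %{optflags}; UNHARDENED models the
# upstream Makefile default of -std=c99 -Os -Wall -Wextra -Werror.
HARDENED_HEADER = "  Type:                              DYN (Position-Independent Executable file)\n"
HARDENED_DYNAMIC = (
    " 0x000000000000001e (FLAGS)              BIND_NOW\n"
    " 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE\n"
)
HARDENED_SYMBOLS = (
    "Symbol table '.dynsym' contains 4 entries:\n"
    "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
    "     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
    "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (2)\n"
    "     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __snprintf_chk@GLIBC_2.3.4 (2)\n"
)

# PIE and BIND_NOW are present in both models, matching the report's findings;
# only the symbol table differs.
UNHARDENED_HEADER = HARDENED_HEADER
UNHARDENED_DYNAMIC = HARDENED_DYNAMIC
UNHARDENED_SYMBOLS = (
    "Symbol table '.dynsym' contains 3 entries:\n"
    "   Num:    Value          Size Type    Bind   Vis      Ndx Name\n"
    "     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)\n"
    "     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND snprintf@GLIBC_2.2.5 (2)\n"
)

_SYMBOL_LINE = re.compile(r"^\s*\d+:\s+[0-9a-f]+\s+\d+\s+\S+\s+\S+\s+\S+\s+\S+\s+(\S+)")


def symbol_names(readelf_s_output):
    """Return undecorated symbol names from `readelf -s` text (version suffix stripped)."""
    names = []
    for line in readelf_s_output.splitlines():
        m = _SYMBOL_LINE.match(line)
        if m:
            names.append(m.group(1).split("@")[0])
    return names


def has_pie(readelf_h_output):
    """PIE binaries report an ELF type of DYN in `readelf -h`."""
    return re.search(r"^\s*Type:\s+DYN\b", readelf_h_output, re.M) is not None


def has_bind_now(readelf_d_output):
    """BIND_NOW in the dynamic section is the immediate-binding half of full RELRO."""
    return "BIND_NOW" in readelf_d_output


def has_stack_protector(readelf_s_output):
    """-fstack-protector* emits a reference to __stack_chk_fail (and sometimes __stack_chk_guard)."""
    return any(n in ("__stack_chk_fail", "__stack_chk_guard") for n in symbol_names(readelf_s_output))


def fortified_symbols(readelf_s_output):
    """_FORTIFY_SOURCE rewrites libc calls to __<name>_chk; return the ones imported."""
    return sorted(n for n in symbol_names(readelf_s_output)
                  if n.startswith("__") and n.endswith("_chk") and not n.startswith("__stack_chk"))


def audit(readelf_h_output, readelf_d_output, readelf_s_output):
    """Summarise the four properties the report checks, plus the flags that would fix gaps."""
    fortified = fortified_symbols(readelf_s_output)
    result = {
        "pie": has_pie(readelf_h_output),
        "bind_now": has_bind_now(readelf_d_output),
        "stack_protector": has_stack_protector(readelf_s_output),
        "fortify_source": bool(fortified),
        "fortified_symbols": fortified,
    }
    missing = []
    if not result["pie"]:
        missing.append("-fPIE -pie")
    if not result["bind_now"]:
        missing.append("-Wl,-z,relro -Wl,-z,now")
    if not result["stack_protector"]:
        missing.append("-fstack-protector-strong")
    if not result["fortify_source"]:
        missing.append("-D_FORTIFY_SOURCE=2")
    result["missing_flags"] = missing
    return result


if __name__ == "__main__":
    for label, args in (("hardened", (HARDENED_HEADER, HARDENED_DYNAMIC, HARDENED_SYMBOLS)),
                        ("unhardened", (UNHARDENED_HEADER, UNHARDENED_DYNAMIC, UNHARDENED_SYMBOLS))):
        print(label, audit(*args))
```

To run it against a real binary, feed it the text of `readelf -h`, `readelf -d` and `readelf -s` (or `readelf --dyn-syms`) instead of the constructed strings. The fortify check is a necessary-but-not-sufficient signal: a binary whose libc calls all have compile-time-known bounds can be built with _FORTIFY_SOURCE and still import no `_chk` symbols, so an empty list on a tiny program is not proof the flag was absent.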
Expected results
The spec file should pass RPM hardening flags to the build:
%make_build bin/conmon CFLAGS="%{optflags}" LDFLAGS="%{build_ldflags}"
This would add -fstack-protector-strong, -D_FORTIFY_SOURCE=2, and other standard RHEL hardening flags. The Makefile's override CFLAGS += directives will correctly append the glib2/libseccomp/libsystemd flags on top, since `override` applies even to a variable set on the make command line (a plain `CFLAGS +=` would be ignored once CFLAGS is passed that way).
Actual results
The spec file does not pass CFLAGS, so the Makefile falls back to its default -std=c99 -Os -Wall -Wextra -Werror which includes no hardening flags. PIE and RELRO are present (RELRO recently added in the 2.2.1-2 build), but stack protector and FORTIFY_SOURCE are absent.