diff --git a/buildflags.md b/buildflags.md index c740892..5151a82 100644 --- a/buildflags.md +++ b/buildflags.md @@ -76,7 +76,7 @@ the `CFLAGS` variable contents). ### Strict symbol checks in the link editor (ld) -By default, the link editor will refuse to link shared objects which +Optionally, the link editor will refuse to link shared objects which contain undefined symbols. Such symbols lack symbol versioning information and can be bound to the wrong (compatibility) symbol version at run time, and not the actual (default) symbol version which @@ -86,10 +86,14 @@ not have complete dependency information (in the form of DT_NEEDED entries), which can lead to errors (crashes) if IFUNC resolvers are executed before the shared object containing them is fully relocated. -With the default flags, link failures will occur if the linker command -line does not list all shared objects which are needed. In this case, -you need to add the missing DSOs (with linker arguments such as -`-lm`). As a result, the link editor will also generated the +To switch on these checks, define this macro in the RPM spec file: + + %define _strict_symbol_defs_build 1 + +If this RPM spec option is active, link failures will occur if the +linker command line does not list all shared objects which are needed. +In this case, you need to add the missing DSOs (with linker arguments +such as `-lm`). As a result, the link editor will also generated the necessary DT_NEEDED entries. In some cases (such as when a DSO is loaded as a plugin and is @@ -262,7 +266,7 @@ to the compiler driver `gcc`, and not directly to the link editor dynamic linking. Full protection of relocation data requires the `-z now` flag (see below). * `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols - (see above). + (optional, see above). For hardened builds, the `-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the diff --git a/macros b/macros index a429980..c997d28 100644 --- a/macros +++ b/macros @@ -167,9 +167,9 @@ %_annotated_cflags %{?_annotated_build:%{_annobin_cflags}} # Fail linking if there are undefined symbols. Required for proper -# ELF symbol versioning support. -# Use %undefine _strict_symbol_defs_build" to disable. -%_strict_symbol_defs_build 1 +# ELF symbol versioning support. Disabled by default. +# Use "%define _strict_symbol_defs_build 1" to enable. +#%_strict_symbol_defs_build 1 %_ld_symbols_flags %{?_strict_symbol_defs_build:-Wl,-z,defs} %__global_compiler_flags -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags} diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec index bdb9bf5..c878317 100644 --- a/redhat-rpm-config.spec +++ b/redhat-rpm-config.spec @@ -6,7 +6,7 @@ Summary: Red Hat specific rpm configuration files Name: redhat-rpm-config -Version: 86 +Version: 87 Release: 1%{?dist} # No version specified. License: GPL+ @@ -160,6 +160,9 @@ install -p -m 755 -t %{buildroot}%{_rpmconfigdir} kmod.prov %{_rpmconfigdir}/macros.d/macros.kmp %changelog +* Mon Jan 29 2018 Florian Weimer - 87-1 +- Build flags: Disable -z defs again (#1535422) + * Mon Jan 29 2018 Florian Weimer - 86-1 - Build flags: Enable CET on i686, x86_64 (#1538725)