redhat: fix elf got hardening for vm tools
Bugzilla: INTERNAL
Upstream Status: RHEL only
Tested: rpminspect -T elf -c ~/work/centos-stream-9/redhat/rpminspect.yaml kernel-tools-5.14.0-171.el9.x86_64.rpm kernel-tools-5.14.0-172.test.el9.x86_64.rpm
MR 1308 synced redhat/ dir with ark and the following commit
commit 693b6dde0c13dd50c7c2a2318098c67af5c28580
Author: Prarit Bhargava <prarit@redhat.com>
Date: Mon Aug 29 13:59:09 2022 -0400
redhat: change tools_make macro to avoid full override of variables in Makefile
changed behavior of tools_make macro
%global tools_make \
- %{make} CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" %{?make_opts}
+ CFLAGS="${RPM_OPT_FLAGS}" LDFLAGS="%{__global_ldflags}" %{make} %{?make_opts}
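Review bot: on the + line, CFLAGS and LDFLAGS now sit in front of %{make}, so they reach make as environment variables instead of command-line arguments. A Makefile that assigns either variable with = or := will silently replace the RPM hardening flags, where the old form overrode the Makefile. Every Makefile built through tools_make should be checked for plain assignments to these two variables, and a comment beside the macro should say they must be appended with += or passed as explicit arguments for that sub-build.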
Since tools/vm/Makefile assigns CFLAGS and LDFLAGS, it overrides the
env variables from the tools_make command and we lose some hardening
options. For example GOT RO, about which rpminspect is complaining.
Result: BAD
1) /usr/bin/page_owner_sort lost full GNU_RELRO security protection on aarch64
Waiver Authorization: Security
Suggested Remedy:
Ensure executables are linked with with '-z relro -z now'
Result: BAD
2) /usr/bin/slabinfo lost full GNU_RELRO security protection on aarch64
Waiver Authorization: Security
Suggested Remedy:
Ensure executables are linked with with '-z relro -z now'
Fix this by explicitly overwriting CFLAGS and LDFLAGS for tools/vm/Makefile
with command arguments. This basically brings back the previous behavior
of tools_make for vm tools. This is ugly, because page-types actually
needs the LDFLAGS defined in the makefile, because it links against
libapi.a. But we are not building this and the problem was there before
this change too. Probably the best way would be to fix the
tools/vm/Makefile.
Signed-off-by: Frantisek Hrbata <fhrbata@redhat.com>