[opensuse-factory] Build Factory with -fPIE support
Hi,

I have reestablished my PIE staging project, at
openSUSE:Factory:Staging:PIE

First rebuilds are looking largely good. There are some weird rpmlint python backtraces that hide the interesting errors :/

(Basically you can always test this yourself,
osc meta prjconf -e <yourproject>
and add:
Requires: gcc-PIE

(Or just add BuildRequires: gcc-PIE to your package for even quicker testing.)

Check:
- build was successful
- extract RPMs and check binaries, using "file /usr/bin/foobar"

BUILT WITH PIE:
$ file /usr/bin/su
/usr/bin/su: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=7a908643894dc9f6531406ac8ae9fa72008415dd, stripped

"LSB shared object" is the trigger word.

NOT YET PIE:
$ file /bin/vim
/bin/vim: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=e1848fb6201a18d0c17900dcf7936819c1a81ff9, stripped

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
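BUILT WITH PIE:
$ file /usr/bin/su
/usr/bin/su: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=7a908643894dc9f6531406ac8ae9fa72008415dd, stripped
"LSB shared object" is the trigger word.
NOT YET PIE:
$ file /bin/vim
/bin/vim: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=e1848fb6201a18d0c17900dcf7936819c1a81ff9, stripped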
"file" now needs to differentiate between a PIE and a shared library.. according to the interwebs.. the only way is looking for the .interp section in the executable. (that sounds fragile though)
On Friday 2016-09-23 00:07, Cristian Rodríguez wrote:
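BUILT WITH PIE:
$ file /usr/bin/su
/usr/bin/su: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=7a908643894dc9f6531406ac8ae9fa72008415dd, stripped
"LSB shared object" is the trigger word.
NOT YET PIE:
$ file /bin/vim
/bin/vim: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=e1848fb6201a18d0c17900dcf7936819c1a81ff9, stripped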
"file" now needs to differentiate between a PIE and a shared library..
Yeah, I can see how this blows up in some faces. rpm's scripts use `file | grep "shared object"` (scary!).

find-requires: "Executables" (by file(1)'s definition) need to have the +x bit to be dependency-scanned with ldd by f-r. Shared objects do not need the +x bit to be scanned.

This means now that executables which erroneously or willingly had no +x bit now get scanned when built as PIE.

find-provides: No change, since executables do not have a DT_SONAME field.
On Fri, Sep 23, 2016 at 08:51:45AM +0200, Jan Engelhardt wrote:
On Friday 2016-09-23 00:07, Cristian Rodríguez wrote:
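BUILT WITH PIE:
$ file /usr/bin/su
/usr/bin/su: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=7a908643894dc9f6531406ac8ae9fa72008415dd, stripped
"LSB shared object" is the trigger word.
NOT YET PIE:
$ file /bin/vim
/bin/vim: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 3.0.0, BuildID[sha1]=e1848fb6201a18d0c17900dcf7936819c1a81ff9, stripped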
"file" now needs to differentiate between a PIE and a shared library..
Yeah, I can see how this blows up in some faces. rpm's scripts use `file | grep "shared object"` (scary!).
find-requires: "Executables" (by file(1)'s definition) need to have the +x bit to be dependency-scanned with ldd by f-r. Shared objects do not need the +x bit to be scanned.
This means now that executables which erroneously or willingly had no +x bit now get scanned when built as PIE.
find-provides: No change, since executables do not have a DT_SONAME field.
We have quite a lot of packages with PIE binaries already, it seems not that much of an issue or problem? I don't think we ever had binaries without +x.

What is broken in this project however is a mismatch between rpmlint and python-magic (from file).

[ 2022s] 0 packages and 0 specfiles checked; 0 errors, 0 warnings.
[ 2022s] Traceback (most recent call last):
[ 2022s] File "rpmlint.py", line 385, in <module>
[ 2022s] File "rpmlint.py", line 161, in main
[ 2022s] File "rpmlint.py", line 220, in runChecks
[ 2022s] File "TagsCheck.py", line 634, in check
[ 2022s] File "Pkg.py", line 605, in files
[ 2022s] File "Pkg.py", line 700, in _gatherFilesInfo
[ 2022s] File "./magic.py", line 129, in file
[ 2022s] TypeError: str() takes at most 1 argument (2 given)

I looked at it, but the bug seems not obvious.

Ciao, Marcus
On Freitag, 23. September 2016 10:30:26 CEST Marcus Meissner wrote:
What is broken in this project however is a mismatch between rpmlint and python-magic (from file).
[ 2022s] 0 packages and 0 specfiles checked; 0 errors, 0 warnings.
[ 2022s] Traceback (most recent call last):
[ 2022s] File "rpmlint.py", line 385, in <module>
[ 2022s] File "rpmlint.py", line 161, in main
[ 2022s] File "rpmlint.py", line 220, in runChecks
[ 2022s] File "TagsCheck.py", line 634, in check
[ 2022s] File "Pkg.py", line 605, in files
[ 2022s] File "Pkg.py", line 700, in _gatherFilesInfo
[ 2022s] File "./magic.py", line 129, in file
[ 2022s] TypeError: str() takes at most 1 argument (2 given)
I looked at it, but the bug seems not obvious.
Python2/3 confusion. This patch may help:

https://github.com/file/file/commit/73e043d2a986234b187a00ed0c8d1f7bf83df372
https://github.com/file/file/commit/73e043d2a986234b187a00ed0c8d1f7bf83df372.patch

Kind regards, Stefan
On Sep 23 2016, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
"file" now needs to differentiate between a PIE and a shared library.. according to the interwebs.. the only way is looking for the .interp section in the executable. (that sounds fragile though)
A shared library can validly have an interpreter.

Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
On Monday 2016-09-26 09:54, Andreas Schwab wrote:
On Sep 23 2016, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
"file" now needs to differentiate between a PIE and a shared library.. according to the interwebs.. the only way is looking for the .interp section in the executable. (that sounds fragile though)
A shared library can validly have an interpreter.
And a shared library (with or without an interpreter) can be meaningfully runnable from the command line, i.e. usable as a "program". Oh the joys of libc.so and ld.so. It will be interesting to see what to make of that.
On Mon, Sep 26, 2016 at 4:54 AM, Andreas Schwab <schwab@suse.de> wrote:
On Sep 23 2016, Cristian Rodríguez <crrodriguez@opensuse.org> wrote:
"file" now needs to differentiate between a PIE and a shared library.. according to the interwebs.. the only way is looking for the .interp section in the executable. (that sounds fragile though)
A shared library can validly have an interpreter.
So, there seems to be no way to differentiate between them.. DT_SONAME may also be set on executables (but will be ignored)

maybe the compiler or linker could add some metadata to ease identification..
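Added example, not part of any message in this thread: a small Python reader for the two ELF fields the discussion turns on, the header's e_type and the presence of a PT_INTERP program header, showing that a PIE and a shared library that carries an interpreter look the same at this level. The sample images are constructed in the code (they stand in for su, vim and a library); all function and sample names are hypothetical.

```python
import struct

ET_EXEC, ET_DYN = 2, 3       # e_type values from the ELF specification
PT_LOAD, PT_INTERP = 1, 3    # p_type values from the ELF specification

def make_elf64(e_type, with_interp):
    """Constructed sample: minimal little-endian ELF64 header + program headers."""
    types = [PT_LOAD] + ([PT_INTERP] if with_interp else [])
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 4, 0, 0, 0, 0, 0, 1) for t in types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little endian
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                               64, 56, len(types), 64, 0, 0) + phdrs

def read_header(data):
    """Return (e_type, has_interp) read from a little-endian ELF64 image."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    if e_phoff + e_phentsize * e_phnum > len(data):
        raise ValueError("program header table is truncated")
    p_types = [struct.unpack_from("<I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    return e_type, PT_INTERP in p_types

def classify(data):
    """Report only what the headers prove; ET_DYN covers both PIE and libraries."""
    e_type, has_interp = read_header(data)
    if e_type == ET_EXEC:
        return "executable, not PIE"
    if e_type != ET_DYN:
        return "other ELF type"
    return "ET_DYN with interpreter" if has_interp else "ET_DYN without interpreter"

# Constructed stand-ins for the cases raised in the thread.
SAMPLES = {
    "vim-like (no -fPIE)": make_elf64(ET_EXEC, True),
    "su-like (PIE)": make_elf64(ET_DYN, True),
    "ordinary shared library": make_elf64(ET_DYN, False),
    "library with an interpreter": make_elf64(ET_DYN, True),
}

def survey():
    """Classify every constructed sample and return {name: verdict}."""
    return {name: classify(image) for name, image in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in survey().items():
        print(f"{name:30} {verdict}")
```

`classify(open(path, "rb").read())` applies the same check to a real 64-bit little-endian binary extracted from an RPM.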
participants (5)
- Andreas Schwab
- Cristian Rodríguez
- Jan Engelhardt
- Marcus Meissner
- Stefan Bruens