Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add a check for consistent OPTFLAGS usage #341

Closed
msmeissn opened this issue Sep 20, 2019 · 10 comments
Closed

Add a check for consistent OPTFLAGS usage #341

msmeissn opened this issue Sep 20, 2019 · 10 comments
Labels
enhancement
Milestone
2.0

Comments

@msmeissn
Copy link

At SUSE we store the used RPM_OPT_FLAGS / %optflags in a ELF section in the .o files.

A check that verifies / compares the used options with the wanted options would help to identify
files not built with RPM_OPT_FLAGS.

This would spot files compiled without stack-protector, fortify, pointer protections or warnings etc etc
@Conan-Kudo
Copy link
Member

This is also done using annobin on RH/Fedora, but I'm not sure how to implement such a check across the board. I'm sure everyone is using different mechanisms to record this data...

@msmeissn
Copy link
Author

perhaps it could be standardized in some form?

@Conan-Kudo
Copy link
Member

I'd be happy if it was.

All I know about it is from these pages:

Does the SUSE solution look anything like this?

@scarabeusiv
Copy link
Contributor

it is stored in the debuginfo for -record-gcc-switches option that is enabled by default. So we will write extractor for that if that is present it should be stored there even for fedora.

The major problem for the fedora is that the project wanted a way to check it even for non-debuginfo packages which would need to be done by gcc plugin.

@Conan-Kudo
Copy link
Member

@scarabeusiv @msmeissn Might it make sense for SUSE to also adopt the annobin approach?

@scarabeusiv
Copy link
Contributor

why the debiginfo pkgs contain the data even on fedora, we can just scan that and be done with it, it will just not work on the general rpms which is what the fedora tooling alows

@msmeissn
Copy link
Author

The compiler writes the optflags into the elf section as I said.

Our scanner so far was just grepping over the buildlog, and did not use the optflags section.

Currently our GCC builds do not support GCC plugins.

@marxin
Copy link
Contributor

marxin commented Sep 24, 2019

it is stored in the debuginfo for -record-gcc-switches option that is enabled by default. So we will write extractor for that if that is present it should be stored there even for fedora.

I tested the -frecord-gcc-switches and it's problematic with LTO where we have merged compilation units and so that we'll miss all original compilation unit flags.

There was a recent presentation at the GNU Cauldron 2019 about Annobin and they probably also tend to have issues with LTO. Let's see what can they do with that..

@scarabeusiv scarabeusiv added this to the 2.1 milestone Feb 14, 2020
marxin added a commit to marxin/rpmlint that referenced this issue Mar 5, 2020
@marxin
Add new {missing-mandatory,forbidden}-optflags checks (rpm-software-m…
d5191a8 
…anagement#341).

The check is based on parsing of debug info and
-grecord-gcc-switches compiler option.
@Conan-Kudo
Copy link
Member

(FYI: @nickclifton)

marxin added a commit to marxin/rpmlint that referenced this issue Mar 5, 2020
@marxin
Add new {missing-mandatory,forbidden}-optflags checks (rpm-software-m…
f3945fc 
…anagement#341).

The check is based on parsing of debug info and
-grecord-gcc-switches compiler option.
marxin added a commit to marxin/rpmlint that referenced this issue Mar 5, 2020
@marxin
Add new {missing-mandatory,forbidden}-optflags checks (rpm-software-m…
48c3f4e 
…anagement#341).

The check is based on parsing of debug info and
-grecord-gcc-switches compiler option.
Conan-Kudo pushed a commit that referenced this issue Mar 14, 2020
@marxin @Conan-Kudo
Add new {missing-mandatory,forbidden}-optflags checks (#341).
d241d84 
The check is based on parsing of debug info and
-grecord-gcc-switches compiler option.
@scarabeusiv scarabeusiv modified the milestones: 2.1, 2.0 Mar 14, 2020
@scarabeusiv
Copy link
Contributor

The check is integrated. If it won't work on Fedora please open a new ticket with some solution for that one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Projects
None yet
Milestone
2.0
Development

No branches or pull requests
4 participants
@Conan-Kudo @scarabeusiv @msmeissn @marxin