[PATCH 1/3] build: Enable BIND_NOW

[PATCH 1/3] build: Enable BIND_NOW

[Bastien Nocera]

From: Florian Weimer <fweimer@redhat.com>

Partial RELRO means that the object is GNU_RELRO but not BIND_NOW.  This
reduces the effectiveness of RELRO.  bluez triggers this because it
enables PIE during the build, and rpmdiff takes this as an indicator
that the best possible hardening is desired.

https://bugzilla.redhat.com/show_bug.cgi?id=983161
---
 acinclude.m4 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/acinclude.m4 b/acinclude.m4
index bc39c6d73..efce2f3cb 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -50,7 +50,7 @@ AC_DEFUN([MISC_FLAGS], [
 		if (test "${enableval}" = "yes" &&
 				test "${ac_cv_prog_cc_pie}" = "yes"); then
 			misc_cflags="$misc_cflags -fPIC"
-			misc_ldflags="$misc_ldflags -pie"
+			misc_ldflags="$misc_ldflags -pie -Wl,-z,now"
 		fi
 	])
 	if (test "$enable_coverage" = "yes"); then
-- 
2.13.5

[PATCH 2/3] obexd: Fix compilation error on F27

[Bastien Nocera]

In file included from obexd/plugins/mas.c:41:0:
./obexd/src/obex.h:37:1: error: unknown type name ‘ssize_t’; did you mean ‘size_t’?
 ssize_t obex_get_size(struct obex_session *os);
 ^~~~~~~
---
 obexd/src/obex.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/obexd/src/obex.h b/obexd/src/obex.h
index fc1674755..67593f11b 100644
--- a/obexd/src/obex.h
+++ b/obexd/src/obex.h
@@ -22,6 +22,8 @@
  *
  */
 
+#include <unistd.h>
+
 #define OBJECT_SIZE_UNKNOWN -1
 #define OBJECT_SIZE_DELETE -2
 
-- 
2.13.5

[PATCH 3/3] build: Add a few default configure options

[Bastien Nocera]

Add 3 optional features that are currently used and distributed in
the Fedora packages to the default build configuration.

The additional build time is minimal, and it ensures that the build
gets maximum coverage.
---
 bootstrap-configure | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/bootstrap-configure b/bootstrap-configure
index 658eef296..cb19b56bd 100755
--- a/bootstrap-configure
+++ b/bootstrap-configure
@@ -24,4 +24,7 @@ fi
 		--enable-sixaxis \
 		--enable-midi \
 		--enable-mesh \
+		--enable-pie \
+		--enable-cups \
+		--enable-library \
 		--disable-datafiles $*
-- 
2.13.5

Re: [PATCH 1/3] build: Enable BIND_NOW

[Bastien Nocera]

On Thu, 2017-08-24 at 20:28 +0200, Bastien Nocera wrote:
> From: Florian Weimer <fweimer@redhat.com>
> 
> Partial RELRO means that the object is GNU_RELRO but not
> BIND_NOW.  This
> reduces the effectiveness of RELRO.  bluez triggers this because it
> enables PIE during the build, and rpmdiff takes this as an indicator
> that the best possible hardening is desired.
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=983161

Florian made the comments, I made the patch and sent it. Feel free to
remove the internal Bugzilla reference before pushing.

Cheers

Re: [PATCH 1/3] build: Enable BIND_NOW

[Florian Weimer]

On 08/24/2017 08:30 PM, Bastien Nocera wrote:
> On Thu, 2017-08-24 at 20:28 +0200, Bastien Nocera wrote:
>> From: Florian Weimer <fweimer@redhat.com>
>>
>> Partial RELRO means that the object is GNU_RELRO but not
>> BIND_NOW.  This
>> reduces the effectiveness of RELRO.  bluez triggers this because it
>> enables PIE during the build, and rpmdiff takes this as an indicator
>> that the best possible hardening is desired.
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=983161
> 
> Florian made the comments, I made the patch and sent it. Feel free to
> remove the internal Bugzilla reference before pushing.

It might be simpler to just pass through any CC/CFLAGS/LDFLAGS settings 
the build environment is using, without trying to second-guess what the 
user is doing.

Thanks,
Florian

Re: [PATCH 3/3] build: Add a few default configure options

[Bastien Nocera]

On Thu, 2017-08-24 at 20:28 +0200, Bastien Nocera wrote:
> Add 3 optional features that are currently used and distributed in
> the Fedora packages to the default build configuration.
> 
> The additional build time is minimal, and it ensures that the build
> gets maximum coverage.

This still applies as well.