Accepting request 1073295 from home:gbelinassi

- Enable livepatching on main library on x86_64. We are enabling livepatching support on this library because SAP Hana link against it. OBS-URL: https://build.opensuse.org/request/show/1073295 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=146
2023-03-20 19:59:00 +00:00 · 2023-03-20 19:59:00 +00:00 · 28591f1543
commit 28591f1543
parent 405fcdff1b
2 changed files with 41 additions and 0 deletions
--- a/audit.changes
+++ b/audit.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Mon Mar 20 14:53:26 UTC 2023 - Giuliano Belinassi <giuliano.belinassi@suse.com>
+
+- Enable livepatching on main library on x86_64.
+
 -------------------------------------------------------------------
 Mon Feb 20 14:12:55 UTC 2023 - Paolo Stivanin <info@paolostivanin.com>

--- a/audit.spec
+++ b/audit.spec
@ -16,6 +16,12 @@
 #


+%ifarch x86_64
+%bcond_without livepatching
+%else
+%bcond_with livepatching
+%endif
+
 Name:           audit
 Version:        3.1
 Release:        0
@ -79,6 +85,9 @@ libraries.
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
+%if %{with livepatching}
+export CFLAGS="$CFLAGS -fpatchable-function-entry=16,14 -fdump-ipa-clones"
+%endif
 export CXXFLAGS="$CFLAGS"
 export LDFLAGS="-Wl,-z,relro,-z,now"
 # no krb support (omit --enable-gssapi-krb5=yes), see audit-no-gss.patch
@ -102,6 +111,33 @@ export LDFLAGS="-Wl,-z,relro,-z,now"
 %make_build -C auparse
 %make_build -C docs

+%if %{with livepatching}
+# Workaround bsc#1208721: remove _patchable_function_entry from static libs.
+find . -name "*.a" -exec \
+       objcopy --remove-section "__patchable_function_entries" {} \;
+
+%define tar_basename audit-livepatch-%{version}-%{release}
+%define tar_package_name %{tar_basename}.%{_arch}.tar.xz
+%define clones_dest_dir %{tar_basename}/%{_arch}
+
+# Ipa-clones are files generated by gcc which logs changes made across
+# functions, and we need to know such changes to build livepatches
+# correctly. These files are intended to be used by the livepatch
+# developers and may be retrieved by using `osc getbinaries`.
+#
+# Create ipa-clones destination folder and move clones there.
+mkdir -p ipa-clones/%{clones_dest_dir}
+find . -name "*.ipa-clones" ! -empty \
+       -exec cp -t ipa-clones/%{clones_dest_dir} --parents {} +
+
+# Create tarball with ipa-clones.
+tar -cJf %{tar_package_name} -C ipa-clones \
+    --owner root --group root --sort name %{tar_basename}
+
+# Copy tarball to the OTHER folder to store it as artifact.
+cp %{tar_package_name} %{_topdir}/OTHER
+%endif
+
 %install
 %make_install -C common
 %make_install -C lib