libapparmor not built with -fPIC

Bug #1824384 reported by Maciej Borzecki on 2019-04-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Undecided
Unassigned

Bug Description

Attempted to build snap-confine with DEB_BUILD_MAINT_OPTIONS = hardening=+pie. The build fails with:

mv -f snap-confine/.deps/snap_confine_snap_confine-user-support.Tpo snap-confine/.deps/snap_confine_snap_confine-user-support.Po
gcc -Wall -Wextra -Wmissing-prototypes -Wstrict-prototypes -Wno-missing-field-initializers -Wno-unused-parameter -Werror -DLIBEXECDIR=\"/usr/lib/snapd\" -DNATIVE_LIBDIR=\"/usr/lib\" -g -O2 -fPIE -fstack-protector-strong -Wformat -Werror=format-security -Wl,-Bsymbolic-functions -fPIE -pie -Wl,-z,relro -o snap-confine/snap-confine snap-confine/snap_confine_snap_confine-cookie-support.o snap-confine/snap_confine_snap_confine-mount-support-nvidia.o snap-confine/snap_confine_snap_confine-mount-support.o snap-confine/snap_confine_snap_confine-ns-support.o snap-confine/snap_confine_snap_confine-seccomp-support-ext.o snap-confine/snap_confine_snap_confine-seccomp-support.o snap-confine/snap_confine_snap_confine-snap-confine-args.o snap-confine/snap_confine_snap_confine-snap-confine-invocation.o snap-confine/snap_confine_snap_confine-snap-confine.o snap-confine/snap_confine_snap_confine-udev-support.o snap-confine/snap_confine_snap_confine-user-support.o libsnap-confine-private.a -ludev -Wl,-Bstatic -lcap -lapparmor -Wl,-Bdynamic -pthread
/usr/bin/ld: /lib/x86_64-linux-gnu/libapparmor.a(kernel.o): relocation R_X86_64_32 against `.rodata.str1.1' can not be used when making a shared object; recompile with -fPIC
/lib/x86_64-linux-gnu/libapparmor.a: error adding symbols: Bad value
collect2: error: ld returned 1 exit status

By default, because of snapd reexec support on Ubuntu (and some other distros), snap-confine will try to link a static version libapparmor. It appears that libapparmor object files are built without -fPIC though.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers