feat(stage1): add azl-bootstrap-hardening macros package #17508
Draft
himaja-kesari wants to merge 1 commit into
Conversation
Pilot for distro-wide hardening flag rollout to fix the May 2026 azl4-bootstrap-compliance BinSkim failures (BA3001/BA3003/BA3011).
- Adds base/comps/azl-bootstrap-hardening/: tiny noarch package that drops macros.azl-bootstrap-hardening into /usr/lib/rpm/macros.d/. Sets %_hardened_build=1 and appends PIE/RELRO/stack-protector flags to %__global_compiler_flags and %__global_ldflags.
- Wires dracut as a pilot via BuildRequires: azl-bootstrap-hardening (Option B in docs/hardening-flags.md). Per-component build.defines (Option A) is preserved as a commented escape hatch.
- Documents both approaches and the recommended rollout in docs/hardening-flags.md.
Distro-wide rollout: install the package into stage1+stage2 buildroots via chroot_setup_cmd in distro/mock/azl4/{stage1,stage2}/azurelinux-4.0.tpl (deferred to follow-up change after dracut validation).
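A way to verify what this pilot is supposed to produce, as an added example that is not part of this PR or the azurelinux tooling: a dependency-free Python checker that reads the ELF markers behind the PIE, RELRO and stack-protector flags the macros file appends (e_type, the PT_GNU_RELRO segment, DT_FLAGS/DT_BIND_NOW, and the __stack_chk_fail reference), so binaries rebuilt with azl-bootstrap-hardening in the buildroot can be inspected directly. build_sample_elf is an assumed helper that constructs a synthetic, header-only image for offline testing; it is not a real binary.

```python
import struct

ET_EXEC, ET_DYN = 2, 3                                   # ELF constants from the gABI / glibc elf.h
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW / stack-protector markers of an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only 64-bit little-endian ELF is handled here")
    hdr = struct.unpack_from("<HHIQQQIHHHHHH", data, 16)   # fields after e_ident
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                      # GOT/relocations made read-only after loading
        elif p_type == PT_DYNAMIC:            # walk the (tag, value) pairs of the dynamic section
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (
                        tag == DT_FLAGS_1 and val & DF_1_NOW):
                    bind_now = True           # -z now; with PT_GNU_RELRO this is "full RELRO"
    return {
        "pie": e_type == ET_DYN,              # caveat: shared libraries are ET_DYN too (check PT_INTERP)
        "relro": relro,
        "bind_now": bind_now,
        "stack_protector": b"__stack_chk_fail" in data,  # -fstack-protector* references this symbol
    }

def missing_flags(data: bytes) -> list:
    """Names of the hardening properties the image lacks (empty list means all present)."""
    return [name for name, ok in check_hardening(data).items() if not ok]

def build_sample_elf(pie=True, relro=True, bind_now=True, stack_protector=True) -> bytes:
    """Constructed, header-only ELF64 image (not loadable) carrying just the markers checked above."""
    dyn = (struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b"") + struct.pack("<qQ", DT_NULL, 0)
    ptypes = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(ptypes)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)      # ELFCLASS64, ELFDATA2LSB, EV_CURRENT
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               phoff, 0, 0, 64, phentsize, len(ptypes), 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8) for t in ptypes)
    return ehdr + phdrs + dyn + (b"__stack_chk_fail\0" if stack_protector else b"")
```

Run it over any ELF64 file as missing_flags(open(path, "rb").read()); an empty list means all four markers are present.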
🔒❌ Lock files are out of date
FIX: run this and commit the result:
    azldev component update -p azl-bootstrap-hardening -p dracut
Or download the fix patch and apply it:
    gh run download 26535501615 -R microsoft/azurelinux -n locks-patch
    git apply locks.patch
Changed components (2)