Systemtap on linux does not properly apply hardening CFLAGS when compiling using --with-dtrace #131865

Closed
@stratakis


Bug report

Bug description:

When compiling using --with-dtrace, Linux uses the systemtap script which utilizes a common default CFLAGS set to provide the object file. When extra hardening flags are passed during the compilation through the build environment, dtrace is not capturing them, resulting in the final binary or shared library missing some protections.

This behavior was documented recently

Discovered when testing the -mbranch-protection=standard on aarch64 where pydtrace.o was missing the proper gnu property and the relevant hardware protections.

See https://bugzilla.redhat.com/show_bug.cgi?id=2350935

In order to fix that, adding the CFLAGS variable to the Makefile before the dtrace invocation resolves the issue.

On systems that use the original dtrace, changing the CFLAGS there should have no effect.

PHP dealt with a similar issue before, see:

php/php-src@717b367
php/php-src@475fd29
php/php-src@02b3fb1

CPython versions tested on:

CPython main branch, 3.14, 3.13, 3.12, 3.11, 3.10, 3.9

Operating systems tested on:

Linux
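
A way to check an object such as pydtrace.o for the missing marking, as an added example that is not part of the original report or of CPython's build: it reads the GNU property note of a little-endian ELF64 object and reports the BTI/PAC bits of the AArch64 feature word. The function names are made up here and the sample objects are constructed in the code; the linker combines this word with AND across its inputs, so one unmarked object clears the marking on the final binary or shared library.

```python
import struct

SHT_NOTE, NT_GNU_PROPERTY_TYPE_0 = 7, 5
GNU_PROPERTY_AARCH64_FEATURE_1_AND = 0xC0000000
FEATURES = {0x1: "BTI", 0x2: "PAC"}          # bits of the AArch64 feature word

def _up(n, a):
    return (n + a - 1) & ~(a - 1)            # round n up to alignment a

def note_features(sec, align):
    """Feature names marked by the GNU property notes in one SHT_NOTE section."""
    found, off = set(), 0
    while off + 12 <= len(sec):
        namesz, descsz, ntype = struct.unpack_from("<III", sec, off)
        d = _up(off + 12 + namesz, align)    # descriptor starts after the padded name
        desc = sec[d:d + descsz]
        if ntype == NT_GNU_PROPERTY_TYPE_0 and sec[off + 12:off + 12 + namesz] == b"GNU\0":
            p = 0
            while p + 8 <= len(desc):        # array of (pr_type, pr_datasz, data)
                pr_type, pr_sz = struct.unpack_from("<II", desc, p)
                if pr_type == GNU_PROPERTY_AARCH64_FEATURE_1_AND and pr_sz == 4 and p + 12 <= len(desc):
                    bits, = struct.unpack_from("<I", desc, p + 8)
                    found |= {n for b, n in FEATURES.items() if bits & b}
                p += _up(8 + pr_sz, align)
        off = _up(d + descsz, align)
    return found

def object_features(blob):
    """Parse a little-endian ELF64 file; return its branch-protection markings."""
    if blob[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    shoff, _, _, _, _, shentsize, shnum = struct.unpack_from("<QIHHHHH", blob, 0x28)
    found = set()
    for i in range(shnum):
        _, sh_type, _, _, off, size, _, _, addralign, _ = struct.unpack_from(
            "<IIQQQQIIQQ", blob, shoff + i * shentsize)
        if sh_type == SHT_NOTE:              # note padding follows the section alignment
            found |= note_features(blob[off:off + size], max(addralign, 4))
    return found

def make_object(bits=None):
    """Constructed sample: minimal ELF64 object; bits=None leaves the note empty."""
    note = b"" if bits is None else struct.pack(
        "<III4sIII4x", 4, 16, NT_GNU_PROPERTY_TYPE_0, b"GNU\0",
        GNU_PROPERTY_AARCH64_FEATURE_1_AND, 4, bits)
    ehdr = struct.pack("<7s9xHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 1, 183, 1, 0, 0,
                       64 + len(note), 0, 64, 0, 0, 64, 2, 0)
    shdr = struct.pack("<IIQQQQIIQQ", 0, SHT_NOTE, 2, 0, 64, len(note), 0, 0, 8, 0)
    return ehdr + note + bytes(64) + shdr    # header, note, null section, note section
```

On a real build, `object_features(open("pydtrace.o", "rb").read())` returning an empty set while the other objects report BTI and PAC is the condition described in this report.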

Labels: build (The build process and cross-build), type-bug (An unexpected behavior, bug, or error)
