-rw-r--r-- | Makefile.am | 9 | ||||
-rw-r--r-- | NEWS | 19 | ||||
-rw-r--r-- | configure.ac | 10 | ||||
-rw-r--r-- | macros.in | 54 | ||||
-rw-r--r-- | redhat-hardened-cc1 | 5 | ||||
-rw-r--r-- | redhat-hardened-clang.cfg | 1 | ||||
-rw-r--r-- | redhat-hardened-ld | 2 | ||||
-rw-r--r-- | rpmrc.in | 2 |
8 files changed, 93 insertions, 9 deletions
diff --git a/Makefile.am b/Makefile.am
index 2f7673b..d745843 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -50,6 +50,11 @@ pkg_attr_defs = \
 redhat_scripts = \
 brp-mangle-shebangs
+redhat_hardened = \
+ redhat-hardened-cc1 \
+ redhat-hardened-clang.cfg \
+ redhat-hardened-ld
+
 BUILT_SOURCES = macros-perarch make_arch_macrosfiles.sh rpmgenplatform
 foobar_pkglibdir = @RPMVENDORDIR@
@@ -78,6 +83,7 @@ EXTRA_DIST = \
 $(pkg_scripts) \
 $(pkg_scripts_in) \
 $(redhat_scripts) \
+ $(redhat_hardened) \
 macros-perarch.in make_arch_macrosfiles.sh.in \
 rpmgenplatform.in rpmrc.in \
 rpm-spec-mode.el \
@@ -129,6 +135,9 @@ endif
 for i in $(redhat_scripts); do \
 $(install_sh_SCRIPT) $${i} $(DESTDIR)$(RPMLIBDIR)/redhat/$${i}; \
 done
+ for i in $(redhat_hardened); do \
+ $(install_sh_DATA) $${i} $(DESTDIR)$(RPMLIBDIR)/redhat/$${i}; \
+ done
 if RPMPLATFORM
 for i in $(pkg_gconfig); do \
 $(install_sh_DATA) $${i} $(DESTDIR)$(RPMSYSCONFDIR)/$${i}; \
@@ -1,3 +1,22 @@
+Version 2.79.1 - 21 April 2024, by Jani Välimaa
+- Makefile: add hardening configs to source tarball
+
+Version 2.79 - 21 April 2024, by Jani Välimaa
+- macros: add %_hardened_build (from Fedora) to build pkgs with position-independent code by default
+
+Version 2.78 - 10 April 2024, by Jani Välimaa
+- macros: use -D_FORTIFY_SOURCE=3 by default (mga#30920)
+
+Version 2.77 - 2 April 2024, by Jani Välimaa
+- configure: add support for i686 target, and use it as a secondary target for x86_64
+
+Version 2.76.1 - 31 March 2024, by Jani Välimaa
+- rpmrc: don't use -fstack-clash-protection on aarch64 with the clang toolchain
+
+Version 2.76 - 30 March 2024, by Jani Välimaa
+- macros: add support for toolchain selection (GCC/Clang)
+
+Version 2.75.1 - 24 March 2024, by Jani Välimaa
 - configure: force armv7hl target arch when building for armv7hl with armv8l/aarch64 host machine
 - macros: make _host_cpu identical with _target_cpu as ATM rpm uses real build host's arch and it can be different what we really want (armv8l vs. armv7hl)
diff --git a/configure.ac b/configure.ac
index d1638ed..aa5032f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2,7 +2,7 @@
 # Process this file with autoconf to produce a configure script.
 AC_PREREQ([2.69])
-AC_INIT([rpm-mageia-setup],[2.75],[https://bugs.mageia.org/])
+AC_INIT([rpm-mageia-setup],[2.79.1],[https://bugs.mageia.org/])
 AC_CANONICAL_TARGET
 AM_INIT_AUTOMAKE(1.9 -Wno-portability foreign no-dist-gzip dist-xz)
 AC_CONFIG_SRCDIR
@@ -42,14 +42,18 @@ ARMV7CANONTARGETCPU="armv5tl"
 ARMV8CANONTARGETCPU="armv8l"
 case "${target_cpu}" in
- *86|athlon|k6|pentium*)
+ i[3,4,5]86|athlon|k6|pentium3)
 RPMALLARCH="i386 i486 i586 i686 k6 athlon pentium3 pentium4"
 CANONTARGETCPU=i586
 ;;
+ i686|pentium4)
+ RPMALLARCH="i386 i486 i586 i686 k6 athlon pentium3 pentium4"
+ CANONTARGETCPU=i686
+ ;;
 x86_64|amd64)
 RPMALLARCH="i386 i486 i586 i686 k6 athlon pentium3 pentium4 amd64 x86_64"
 CANONTARGETCPU=x86_64
- CANONTARGETCPU32=i586
+ CANONTARGETCPU32=i686
 ;;
 ppc|powerpc)
 RPMALLARCH="ppc"
@@ -1,5 +1,5 @@
 # @RPMVENDORDIR@/macros:
-# Main Mangeia rpm configuration
+# Main Mageia rpm configuration
 # Only modified macros goes here
 #
 #
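Review bot: The bracket expression `i[3,4,5]86` in the new case arm lists the commas as literal members, so it also matches the nonsense value `i,86`; the conventional and intended form is `i[345]86`. The removed pattern `*86|athlon|k6|pentium*` also accepted plain `pentium`, `pentium2` and `pentiumpro`, which now fall through to whatever arm follows `ppc|powerpc` outside the hunk, so if any of those were valid targets they should be added back to the i586 arm or rejected with an explicit error. The `case` statement's remaining arms and its default are outside the hunk.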
@@ -192,9 +192,43 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 # '%{version}-%{release}', ie. to automatically add distepoch or epoch if present
 %EVRD %{?epoch:%{epoch}:}%{?version:%{version}}%{?release:-%{release}}%{?distepoch::%{distepoch}}
+# GCC toolchain
+%__cc_gcc gcc
+%__cxx_gcc g++
+%__cpp_gcc gcc -E
+
+# Clang toolchain
+%__cc_clang clang
+%__cxx_clang clang++
+%__cpp_clang clang-cpp
+
+# Default to the GCC toolchain
+%toolchain gcc
+
+%__cc %{expand:%%{__cc_%{toolchain}}}
+%__cxx %{expand:%%{__cxx_%{toolchain}}}
+%__cpp %{expand:%%{__cpp_%{toolchain}}}
+
+# Compiler macros to use for invoking compilers in spec files for packages that
+# want to use the default compiler and don't care which compiler that is.
+%build_cc %{__cc}
+%build_cxx %{__cxx}
+%build_cpp %{__cpp}
+
 #==============================================================================
 # ---- compiler flags.
+%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
+%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg
+%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}}
+
+%_hardening_ldflags %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]
+
+# Use "%undefine _hardened_build" to disable.
+%_hardened_build 1
+%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}}
+%_hardened_ldflags %{?_hardened_build:%{_hardening_ldflags}}
+
 # C compiler flags. This is traditionally called CFLAGS in makefiles.
 # Historically also available as %%{optflags}, and %%build sets the
 # environment variable RPM_OPT_FLAGS to this value.
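Review bot: The spec and config paths in `%_hardening_gcc_cflags`, `%_hardening_clang_cflags` and `%_hardening_ldflags` are hard-coded as `/usr/lib/rpm/redhat/...`, while the Makefile in this same change installs the files into `$(DESTDIR)$(RPMLIBDIR)/redhat/`; on any build where RPMLIBDIR is not /usr/lib/rpm every C compile is handed a `-specs=` file that does not exist. Since macros.in already carries configure substitutions (`@RPMVENDORDIR@` in the header hunk), derive the path from the same variable, e.g. `%_hardening_gcc_cflags -specs=@RPMLIBDIR@/redhat/redhat-hardened-cc1`, assuming RPMLIBDIR is AC_SUBST'd (not visible here). Separately, `%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}}` treats `%global _hardened_build 0` as enabled; the file uses `%[ 0%{?_fortify_level} > 0 ? ... : "" ]` for the fortify knob, and the same shape, `%_hardened_cflags %[ 0%{?_hardened_build} > 0 ? "%{_hardening_cflags}" : "" ]`, would honour both `%undefine` and `0`. Note also that for the clang toolchain `%_hardening_ldflags` is empty, so no link-time `-pie` is injected and PIE executables then depend on clang's own default; that is worth stating in the comment above `%_hardened_build`.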
@@ -219,7 +253,15 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 # the flags, while intended for ld, are still passed through the gcc
 # compiler driver. At the beginning of %%build, the environment
 # variable RPM_LD_FLAGS to this value.
-%build_ldflags %{?!_disable_ld_as_needed: -Wl,--as-needed}%{?!_disable_ld_no_undefined: -Wl,--no-undefined}%{?!_disable_ld_relro: -Wl,-z,relro%{?!_disable_ld_now: -Wl,-z,now}}%{?!_disable_ld_O1: -Wl,-O1}%{?!_disable_ld_build_id: %_build_id_flags}%{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags}
+%build_ldflags %{shrink: \
+ %{?!_disable_ld_as_needed: -Wl,--as-needed} \
+ %{?!_disable_ld_no_undefined: -Wl,--no-undefined} \
+ %{?!_disable_ld_relro: -Wl,-z,relro} \
+ %{?!_disable_ld_now: -Wl,-z,now} \
+ %{?!_disable_ld_O1: -Wl,-O1} \
+ %{?!_disable_ld_build_id: %_build_id_flags} \
+ %{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags} \
+ %{_hardened_ldflags}}
 
 # For compatibility
 %ldflags %build_ldflags
@@ -237,7 +279,9 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 VALAFLAGS="${VALAFLAGS:-%{build_valaflags}}" ; export VALAFLAGS ; \
 RUSTFLAGS="${RUSTFLAGS:-%{build_rustflags}}" ; export RUSTFLAGS ; \
 LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS ; \
- LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH
+ LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH \
+ CC="${CC:-%{__cc}}" ; export CC ; \
+ CXX="${CXX:-%{__cxx}}" ; export CXX
 
 # For compatibility
 %setup_compile_flags \
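Review bot: The rewrite silently changes what `_disable_ld_relro` means: in the removed line `-Wl,-z,now` was nested inside the relro branch, so disabling relro also dropped `-z now`, whereas the new `%{shrink:...}` form passes `-Wl,-z,now` regardless of `_disable_ld_relro`. BIND_NOW without RELRO is a valid if weaker configuration, but a package that set `%define _disable_ld_relro 1` to get lazy binding back now keeps eager binding with no warning, and neither the NEWS entries nor the comment above the macro (which starts before the hunk) mention it. Either keep the nesting, `%{?!_disable_ld_relro: -Wl,-z,relro %{?!_disable_ld_now: -Wl,-z,now}} \`, or record the new independence of the two knobs in NEWS and in that comment.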
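Review bot: The changed line `export LT_SYS_LIBRARY_PATH \` drops the ` ;` that every other line of this macro ends with, so after the continuation the shell runs `export LT_SYS_LIBRARY_PATH CC="${CC:-%{__cc}}" ; export CC`. That is valid POSIX (`export` accepts assignments) and the following `export CC` is then redundant, but it breaks the one-variable-per-line shape and will surprise whoever next inserts a line between them. Suggest `LT_SYS_LIBRARY_PATH="${LT_SYS_LIBRARY_PATH:-%_libdir:}" ; export LT_SYS_LIBRARY_PATH ; \` so the new CC/CXX lines follow the same pattern. The enclosing macro definition (presumably the one `%setup_compile_flags` aliases) begins above the hunk.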
@@ -246,14 +290,14 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 %debugcflags %{?_enable_debug_packages:-g}
-%_fortify_level 2
+%_fortify_level 3
 %_fortify_cflags %[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ]
 # cf http://wiki.mandriva.com/en/Development/Packaging/Problems#format_not_a_string_literal_and_no_format_arguments
 %Werror_cflags -Wformat -Werror=format-security
 %_ssp_cflags -fstack-protector-strong
-%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon}
+%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon} %{_hardened_cflags}
 %__common_cflags_with_ssp %{__common_cflags} %{?_ssp_cflags}
 # Servers opt flags.
diff --git a/redhat-hardened-cc1 b/redhat-hardened-cc1
new file mode 100644
index 0000000..a369517
--- /dev/null
+++ b/redhat-hardened-cc1
@@ -0,0 +1,5 @@
+*cc1_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
+
+*cpp_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
diff --git a/redhat-hardened-clang.cfg b/redhat-hardened-clang.cfg
new file mode 100644
index 0000000..b570eb5
--- /dev/null
+++ b/redhat-hardened-clang.cfg
@@ -0,0 +1 @@
+-fPIE
diff --git a/redhat-hardened-ld b/redhat-hardened-ld
new file mode 100644
index 0000000..bd6b907
--- /dev/null
+++ b/redhat-hardened-ld
@@ -0,0 +1,2 @@
+*self_spec:
++ %{!static:%{!shared:%{!r:-pie}}}
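Review bot: The `self_spec` in redhat-hardened-ld appends `-pie` whenever none of `-static`, `-shared` or `-r` is present, but it does not exclude `-no-pie` or `-static-pie`, so a package that deliberately links with `-no-pie` ends up with both flags and the outcome depends on the driver's option cancellation rather than on this file. If the installed GCC resolves `-no-pie -pie` in favour of the later `-pie`, the documented opt-out stops working under the now-default hardened build; verify with `gcc -### -no-pie foo.o` and, if so, change the line to `+ %{!static:%{!static-pie:%{!shared:%{!r:%{!no-pie:-pie}}}}}`. The same question applies to redhat-hardened-cc1, whose guard lists `-fno-pic` but not `-fno-pie`/`-fno-PIE`.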
@@ -18,7 +18,7 @@ optflags: armv7l %{__common_cflags_with_ssp} -march=armv7-a -mfpu=neon -mtune=co
 optflags: armv7hl %{__common_cflags_with_ssp} -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard
 optflags: armv7hnl %{__common_cflags_with_ssp} -march=armv7-a -mfpu=neon -mabi=aapcs-linux -mfloat-abi=hard
-optflags: aarch64 %{__common_cflags_with_ssp} -mbranch-protection=standard -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: aarch64 %{__common_cflags_with_ssp} -mbranch-protection=standard -fasynchronous-unwind-tables %[ "%{toolchain}" == "gcc" ? "-fstack-clash-protection" : "" ]
 #############################################################
 # Canonical arch names and numbers |
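Review bot: Dropping `-fstack-clash-protection` for the clang toolchain on aarch64 removes a stack-clash mitigation with no in-file record of why, and nothing in this hunk shows whether the other architectures in this file keep it under clang. Add a comment above the `optflags: aarch64` line, e.g. `# clang: -fstack-clash-protection omitted on aarch64 (see NEWS 2.76.1); re-enable once the installed clang accepts it for this target`, so the exception is revisited rather than inherited. If the trigger was an unsupported-option error from a specific clang release, naming that release in the comment makes the revisit condition checkable.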