-rw-r--r-- | Makefile.am | 8 | ||||
-rw-r--r-- | NEWS | 2 | ||||
-rw-r--r-- | macros.in | 23 | ||||
-rw-r--r-- | redhat-hardened-cc1 | 5 | ||||
-rw-r--r-- | redhat-hardened-clang.cfg | 1 | ||||
-rw-r--r-- | redhat-hardened-ld | 2 |
6 files changed, 39 insertions, 2 deletions
diff --git a/Makefile.am b/Makefile.am
index 2f7673b..5b57ce0 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -50,6 +50,11 @@ pkg_attr_defs = \
 redhat_scripts = \
 brp-mangle-shebangs
+redhat_hardened = \
+ redhat-hardened-cc1 \
+ redhat-hardened-clang.cfg \
+ redhat-hardened-ld
+
 BUILT_SOURCES = macros-perarch make_arch_macrosfiles.sh rpmgenplatform
 foobar_pkglibdir = @RPMVENDORDIR@
@@ -129,6 +134,9 @@ endif
 for i in $(redhat_scripts); do \
 $(install_sh_SCRIPT) $${i} $(DESTDIR)$(RPMLIBDIR)/redhat/$${i}; \
 done
+ for i in $(redhat_hardened); do \
+ $(install_sh_DATA) $${i} $(DESTDIR)$(RPMLIBDIR)/redhat/$${i}; \
+ done
 if RPMPLATFORM
 for i in $(pkg_gconfig); do \
 $(install_sh_DATA) $${i} $(DESTDIR)$(RPMSYSCONFDIR)/$${i}; \
@@ -1,3 +1,5 @@
+- macros: add %_hardened_build (from Fedora) to build pkgs with position-independent code by default
+
 Version 2.78 - 10 April 2024, by Jani Välimaa
 - macros: use -D_FORTIFY_SOURCE=3 by default (mga#30920)
@@ -218,6 +218,17 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 #==============================================================================
 # ---- compiler flags.
+%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
+%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg
+%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}}
+
+%_hardening_ldflags %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]
+
+# Use "%undefine _hardened_build" to disable.
+%_hardened_build 1
+%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}}
+%_hardened_ldflags %{?_hardened_build:%{_hardening_ldflags}}
+
 # C compiler flags. This is traditionally called CFLAGS in makefiles.
 # Historically also available as %%{optflags}, and %%build sets the
 # environment variable RPM_OPT_FLAGS to this value.
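Review bot: `%_hardening_cflags` expands `%{_hardening_%{toolchain}_cflags}` with no fallback, so a `%toolchain` value other than `gcc`/`clang` (or an undefined `%toolchain` — it is not defined in this hunk) leaves the literal, unexpanded macro text in CFLAGS instead of failing with a clear message; for a security default that should either error out explicitly (an `%{error:…}` reached through the same `%{expand:}` trick) or at least carry a comment naming the supported values. The spec and config paths are also hard-coded to `/usr/lib/rpm/redhat/` while Makefile.am installs the files under `$(RPMLIBDIR)/redhat/`; if the two ever differ gcc aborts on the missing specs file, so if macros.in has a configure substitution for that directory it should be used here. Note too that `%_hardening_ldflags` is empty for clang, so clang builds get `-fPIE` objects but whether the executable is actually linked as PIE depends on clang's built-in default rather than on these macros — worth a one-line comment if that is intentional.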
@@ -242,7 +253,15 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 # the flags, while intended for ld, are still passed through the gcc
 # compiler driver. At the beginning of %%build, the environment
 # variable RPM_LD_FLAGS to this value.
-%build_ldflags %{?!_disable_ld_as_needed: -Wl,--as-needed}%{?!_disable_ld_no_undefined: -Wl,--no-undefined}%{?!_disable_ld_relro: -Wl,-z,relro%{?!_disable_ld_now: -Wl,-z,now}}%{?!_disable_ld_O1: -Wl,-O1}%{?!_disable_ld_build_id: %_build_id_flags}%{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags}
+%build_ldflags %{shrink: \
+ %{?!_disable_ld_as_needed: -Wl,--as-needed} \
+ %{?!_disable_ld_no_undefined: -Wl,--no-undefined} \
+ %{?!_disable_ld_relro: -Wl,-z,relro} \
+ %{?!_disable_ld_now: -Wl,-z,now} \
+ %{?!_disable_ld_O1: -Wl,-O1} \
+ %{?!_disable_ld_build_id: %_build_id_flags} \
+ %{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags} \
+ %{_hardened_ldflags}}
 # For compatibility
 %ldflags %build_ldflags
@@ -278,7 +297,7 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} -
 %Werror_cflags -Wformat -Werror=format-security
 %_ssp_cflags -fstack-protector-strong
-%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon}
+%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon} %{_hardened_cflags}
 %__common_cflags_with_ssp %{__common_cflags} %{?_ssp_cflags}
 # Servers opt flags.
diff --git a/redhat-hardened-cc1 b/redhat-hardened-cc1
new file mode 100644
index 0000000..a369517
--- /dev/null
+++ b/redhat-hardened-cc1
@@ -0,0 +1,5 @@
+*cc1_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
+
+*cpp_options:
++ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
diff --git a/redhat-hardened-clang.cfg b/redhat-hardened-clang.cfg
new file mode 100644
index 0000000..b570eb5
--- /dev/null
+++ b/redhat-hardened-clang.cfg
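Review bot: The `%{shrink:…}` rewrite of `%build_ldflags` quietly changes what `_disable_ld_relro` means: in the removed line `-Wl,-z,now` was nested inside the relro guard and went away with it, whereas the new list emits `-Wl,-z,now` on its own, so a package that defines `_disable_ld_relro` now still gets eager binding. That is a reasonable default on its own, but it is a behaviour change the NEWS entry does not mention, and packages that disabled relro to work around a link problem may now also need `_disable_ld_now`. Either keep the old nesting, `%{?!_disable_ld_relro: -Wl,-z,relro%{?!_disable_ld_now: -Wl,-z,now}} \`, or call the change out in NEWS.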
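Review bot: The `-fPIE` injection in `redhat-hardened-cc1` is suppressed for `-fpie`/`-fPIE`/`-fpic`/`-fPIC`/`-fno-pic` but not for `-fno-pie`/`-fno-PIE`, and because `+` appends to the end of `cc1_options` the injected flag lands after the package's own `%{f*}` switches, so as far as I can tell an explicit `-fno-pie` in a package's CFLAGS is overridden. That leaves `%undefine _hardened_build` as the only working opt-out, which is coarser than a per-flag override; extending the guard chain on both the `cc1_options` and `cpp_options` lines would fix it: `+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:%{!fno-pie:%{!fno-PIE:-fPIE}}}}}}}}`. This file mirrors Fedora's redhat-rpm-config, so deviating should be a deliberate choice, but the macros.in comment next to `%_hardened_build` should then say which compiler flags are and are not honoured.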
@@ -0,0 +1 @@
+-fPIE
diff --git a/redhat-hardened-ld b/redhat-hardened-ld
new file mode 100644
index 0000000..bd6b907
--- /dev/null
+++ b/redhat-hardened-ld
@@ -0,0 +1,2 @@
+*self_spec:
++ %{!static:%{!shared:%{!r:-pie}}} |
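Review bot: `self_spec` adds `-pie` whenever none of `-static`/`-shared`/`-r` is present but never checks for `-no-pie`, and as far as I can tell the switches produced by `self_spec` are appended after the user's, so an explicit `-no-pie` in a package's LDFLAGS still ends up with `-pie` on the link line. GCC's own default-PIE link spec keys on `%{!no-pie:…}` for exactly this case; mirroring it gives packages a per-link opt-out that matches what `-no-pie` means: `+ %{!static:%{!shared:%{!r:%{!no-pie:-pie}}}}`. Separately, a `-pie` link typically fails outright on any object that was not built `-fPIE`/`-fPIC` (prebuilt `.o` files, hand-written assembly with absolute relocations), which is the first thing packagers will hit after this lands; the NEWS entry could point at `%undefine _hardened_build` as the escape hatch.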