From c03396b6f30984fc5d63ed921eedf2d82100e1db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jani=20V=C3=A4limaa?= Date: Sun, 21 Apr 2024 09:28:07 +0300 Subject: macros: add %_hardened_build (from Fedora) to build pkgs with position-independent code by default --- macros.in | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) (limited to 'macros.in') diff --git a/macros.in b/macros.in index 039f4d3..8e5c738 100644 --- a/macros.in +++ b/macros.in @@ -218,6 +218,17 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} - #============================================================================== # ---- compiler flags. +%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 +%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg +%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} + +%_hardening_ldflags %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ] + +# Use "%undefine _hardened_build" to disable. +%_hardened_build 1 +%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}} +%_hardened_ldflags %{?_hardened_build:%{_hardening_ldflags}} + # C compiler flags. This is traditionally called CFLAGS in makefiles. # Historically also available as %%{optflags}, and %%build sets the # environment variable RPM_OPT_FLAGS to this value. 
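Review bot: The `-specs=` and `--config` arguments in `%_hardening_gcc_cflags`, `%_hardening_clang_cflags` and `%_hardening_ldflags` point at fixed files under `/usr/lib/rpm/redhat/`, and this commit touches only macros.in, so nothing visible here guarantees those files exist on a build host. Because `%_hardened_build 1` makes the flags the default, a missing spec or config file would presumably fail every compile and link rather than quietly skip hardening. It is worth confirming that whatever ships those files is pulled in wherever these macros are used. The comment above `%_hardened_build` could also state that the guard tests definedness, e.g. `# Use "%undefine _hardened_build" to disable; setting it to 0 leaves hardening on.`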
@@ -242,7 +253,15 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} - # the flags, while intended for ld, are still passed through the gcc # compiler driver. At the beginning of %%build, the environment # variable RPM_LD_FLAGS to this value. -%build_ldflags %{?!_disable_ld_as_needed: -Wl,--as-needed}%{?!_disable_ld_no_undefined: -Wl,--no-undefined}%{?!_disable_ld_relro: -Wl,-z,relro%{?!_disable_ld_now: -Wl,-z,now}}%{?!_disable_ld_O1: -Wl,-O1}%{?!_disable_ld_build_id: %_build_id_flags}%{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags} +%build_ldflags %{shrink: \ + %{?!_disable_ld_as_needed: -Wl,--as-needed} \ + %{?!_disable_ld_no_undefined: -Wl,--no-undefined} \ + %{?!_disable_ld_relro: -Wl,-z,relro} \ + %{?!_disable_ld_now: -Wl,-z,now} \ + %{?!_disable_ld_O1: -Wl,-O1} \ + %{?!_disable_ld_build_id: %_build_id_flags} \ + %{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags} \ + %{_hardened_ldflags}} # For compatibility %ldflags %build_ldflags @@ -278,7 +297,7 @@ GCONF_CONFIG_SOURCE=`%{_gconftool_bin} --get-default-source` %{_gconftool_bin} - %Werror_cflags -Wformat -Werror=format-security %_ssp_cflags -fstack-protector-strong -%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon} +%__common_cflags -O2 %{debugcflags} -pipe %{Werror_cflags} %{?_fortify_cflags}%{?_legacy_common_support: -fcommon} %{_hardened_cflags} %__common_cflags_with_ssp %{__common_cflags} %{?_ssp_cflags} # Servers opt flags. -- cgit v1.2.1
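Review bot: The rewritten `%build_ldflags` no longer nests `-Wl,-z,now` inside the `_disable_ld_relro` conditional, so a spec that defines only `_disable_ld_relro` still links with `-z now`, where the removed line dropped both. That errs on the side of more hardening, but it is a behaviour change the commit subject does not mention, and it may surprise packages that relied on the old coupling. I would record it in the comment block above the macro, for example `# _disable_ld_relro no longer implies _disable_ld_now; define both to drop immediate binding as well.` That comment block starts before this hunk.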
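Review bot: `%{_hardened_cflags}` is expanded unconditionally at the end of `%__common_cflags`, while `%{?_fortify_cflags}` and `%{?_legacy_common_support: -fcommon}` on the same line use the conditional form. rpm leaves a reference to an undefined macro in place as literal text, so a spec that undefines `_hardened_cflags` itself rather than `_hardened_build` would hand the string `%{_hardened_cflags}` to the compiler. Writing `%{?_hardened_cflags}` here, and `%{?_hardened_ldflags}` in the `%build_ldflags` hunk, keeps every opt-out path expanding to nothing.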