[redhat-rpm-config] redhat-hardened-{cc1, ld}: Move some of the rewrite magic to gcc specs so we don't end up with both -
Adam Jackson
ajax at fedoraproject.org
Mon Aug 8 14:59:05 UTC 2011
commit da8d7a1e6a75a2461c33d77afd0878dcc3bb36d3
Author: Adam Jackson <ajax at redhat.com>
Date: Mon Aug 8 10:58:51 2011 -0400
redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so
we don't end up with both -fPIC and -fPIE on the command line
redhat-rpm-config-9.1.0-hardened.patch | 14 +++++++-------
redhat-rpm-config.spec | 15 ++++++++++++++-
2 files changed, 21 insertions(+), 8 deletions(-)
---
diff --git a/redhat-rpm-config-9.1.0-hardened.patch b/redhat-rpm-config-9.1.0-hardened.patch
index 710a2c3..a334b1c 100644
--- a/redhat-rpm-config-9.1.0-hardened.patch
+++ b/redhat-rpm-config-9.1.0-hardened.patch
@@ -1,18 +1,18 @@
diff -up redhat-rpm-config-9.1.0/macros.jx redhat-rpm-config-9.1.0/macros
---- redhat-rpm-config-9.1.0/macros.jx 2011-08-01 11:01:08.000000000 -0400
-+++ redhat-rpm-config-9.1.0/macros 2011-08-01 11:14:53.438448217 -0400
+--- redhat-rpm-config-9.1.0/macros.jx 2011-08-03 15:42:20.267064981 -0400
++++ redhat-rpm-config-9.1.0/macros 2011-08-03 15:44:46.581058603 -0400
@@ -184,8 +184,12 @@ unset DISPLAY\
%__find_provides /usr/lib/rpm/redhat/find-provides
%__find_requires /usr/lib/rpm/redhat/find-requires
-%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
-%__global_ldflags -Wl,-z,relro
-+#_hardened_build 0
-+%_hardened_cflags %{?_hardened_build:-fPIE}
-+%_hardened_ldflags %{?_hardened_build:-Wl,-z,now -pie}
++# define _hardened_build to non-zero to enable
++%_hardened_cflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1}
++%_hardened_ldflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-ld}
+
-+%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{?_hardened_cflags}
-+%__global_ldflags -Wl,-z,relro %{?_hardened_ldflags}
++%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{_hardened_cflags}
++%__global_ldflags -Wl,-z,relro %{_hardened_ldflags}
# Use these macros to differentiate between RH and other KMP implementation(s).
redhat_kernel_module_package 1
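Review bot: The new comment `# define _hardened_build to non-zero to enable` does not match the conditionals below it, because `%{?_hardened_build:...}` expands whenever the macro is defined, so `%global _hardened_build 0` would still add both `-specs=` options. Either reword it as `# define _hardened_build (to any value) to enable; leave it undefined to disable`, or test the value explicitly. Separately, `%__global_cflags` and `%__global_ldflags` now reference `%{_hardened_cflags}` and `%{_hardened_ldflags}` without the `?`, so a spec that undefines either macro would presumably hand the unexpanded text to the compiler. Keeping `%{?_hardened_cflags}` and `%{?_hardened_ldflags}` would avoid that.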
diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec
index 6f19bac..a9ef931 100644
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@@ -1,12 +1,20 @@
Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config
Version: 9.1.0
-Release: 14%{?dist}
+Release: 15%{?dist}
# No version specified.
License: GPL+
Group: Development/System
URL: http://git.fedoraproject.org/git/redhat-rpm-config
Source: redhat-rpm-config-%{version}.tar.bz2
+
+# these two implement automagic {c,ld}flags mangling for additional ELF
+# hardening when _hardened_build is defined in a spec file. gcc 4.6.1-7.fc16
+# or newer is needed for these to work; prior to that *self_specs was not
+# exposed. If anything goes wrong, blame ajax@
+Source1: redhat-hardened-cc1
+Source2: redhat-hardened-ld
+
Patch0: redhat-rpm-config-9.1.0-strict-python-bytecompile.patch
Patch1: redhat-rpm-config-9.1.0-fix-requires.patch
Patch2: redhat-rpm-config-9.1.0-no-strip-note.patch
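Review bot: The gcc version requirement is recorded only in the comment above `Source1`/`Source2`, and nothing in this hunk stops the package from being installed alongside an older gcc. If `*self_specs` is not honoured there, a package that sets `_hardened_build` might build without PIE and the linker hardening, and nothing would flag it. Consider a versioned constraint such as `Conflicts: gcc < 4.6.1-7`, if that fits the distribution's dependency policy. The rest of the preamble lies outside the hunk, so such a line may already exist.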
@@ -44,6 +52,7 @@ Red Hat specific rpm configuration files.
%install
make DESTDIR=${RPM_BUILD_ROOT} install
cp -p %{_datadir}/libtool/config/config.{guess,sub} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat/
+install -m 0444 %{SOURCE1} %{SOURCE2} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat
find ${RPM_BUILD_ROOT} -name \*.orig -delete
# buggy makefile in 9.1.0 leaves changelog in wrong place
find ${RPM_BUILD_ROOT} -name ChangeLog -delete
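Review bot: The `install -m 0444 %{SOURCE1} %{SOURCE2}` line ships `redhat-hardened-cc1` and `redhat-hardened-ld`, but the diffstat lists only the patch and the spec, so the content of the two specs files cannot be reviewed from this commit. The previous `%_hardened_ldflags` passed `-Wl,-z,now -pie` explicitly, and whether `redhat-hardened-ld` still adds `-z now` is not visible here. If the two files are new, they belong in the same commit. The comment above `Source1` could also name the flags each file injects, for example `# redhat-hardened-ld: adds <flags> when linking executables`, with the placeholder filled in from the real file.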
@@ -58,6 +67,10 @@ rm -rf ${RPM_BUILD_ROOT}
%{_sysconfdir}/rpm/*
%changelog
+* Wed Aug 03 2011 Adam Jackson <ajax at redhat.com> 9.1.0-15
+- redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so
+ we don't end up with both -fPIC and -fPIE on the command line
+
* Mon Aug 01 2011 Adam Jackson <ajax at redhat.com> 9.1.0-14
- redhat-rpm-config-9.1.0-hardened.patch: Add macro magic for %%_hardened_build