On Thu, 2016-09-08 at 23:34 +0200, Lukas Slebodnik wrote:
On (08/09/16 18:47), git repository hosting wrote:
>This is an automated email from the git hooks/post-receive script.
>
>simo pushed a commit to branch master
>in repository gssproxy.
>
>commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a
>Author: Robbie Harwood <rharwood(a)redhat.com>
>Date: Tue Sep 6 22:38:57 2016 +0000
>
> Add configure option for build hardening
>
> Ticket: https://fedorahosted.org/gss-proxy/ticket/147
>
> Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
> Reviewed-by: Simo Sorce <simo(a)redhat.com>
> Merges #30
>---
> proxy/Makefile.am | 14 ++++++++++++--
> proxy/conf_macros.m4 | 11 +++++++++++
> proxy/configure.ac | 1 +
> 3 files changed, 24 insertions(+), 2 deletions(-)
>
>diff --git a/proxy/Makefile.am b/proxy/Makefile.am
>index f03f3ea..4359938 100644
>--- a/proxy/Makefile.am
>+++ b/proxy/Makefile.am
>@@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig
> gpstatedir = @gpstatedir@
> gpclidir = @gpstatedir@/clients
>
>+AM_CPPFLAGS =
> AM_CFLAGS =
>+AM_LDFLAGS =
> if WANT_AUX_INFO
> AM_CFLAGS += -aux-info $@.X
> endif
>@@ -41,7 +43,15 @@ if HAVE_GCC
> AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
> -Wcast-qual -Wcast-align -Wwrite-strings \
> -fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
>- -Werror-implicit-function-declaration
>+ -Werror-implicit-function-declaration \
>+ -Werror=format-security
>+
>+ AM_CPPFLAGS += -Wdate-time
May I ask why a compile-time warning was added to the pre-processor flags?
It makes sense to add -D_FORTIFY_SOURCE=2 to AM_CPPFLAGS.
I know it works even with the current version :-)
But from a semantic point of view it should be part of CFLAGS.
PR welcome ;)
>+endif
>+if BUILD_HARDENING
>+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
>+ AM_CFLAGS += -fPIE -fstack-protector-strong
>+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
> endif
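Review bot: -D_FORTIFY_SOURCE=2 in the BUILD_HARDENING block only takes effect when the compiler optimizes (glibc's headers skip the fortified wrappers at -O0, newer versions with a #warning), and nothing in this hunk pins an -O level, so a source build with CFLAGS="-O0 -g" silently loses the fortification; either document that or add -O2 alongside it. The same block adds -fstack-protector-strong unconditionally and outside `if HAVE_GCC`, yet compilers older than GCC 4.9 reject the flag; a configure-time compile check (AX_CHECK_COMPILE_FLAG from autoconf-archive, for example) would degrade gracefully instead of breaking the build. Minor: -fPIC in `AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now` is a compile-stage flag and does nothing at link time; -pie is the part that matters there.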
IIRC the same task could be achieved in the spec file
with "%global _hardened_build 1". But it would be better
to check with utilities from binutils or ask
someone more familiar with the toolchain in fedora/el
I wanted a configure switch for people who build from source and not
through an srpm.
We are not planning to use the switch on Fedora; we'll let the Fedora
project decide what defaults it wants.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
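Lukas suggests verifying the result with binutils. As an added example (not part of this thread or of the gssproxy project), the checker below reads the ELF64 headers directly and reports what the `-pie`, `-Wl,-z,relro` and `-Wl,-z,now` flags from the patch produce in a linked binary; `build_sample_elf` constructs a minimal, non-runnable ELF image so the check can be exercised offline. Stack-protector use is not visible in these headers, so it is not covered.

```python
import struct

ET_DYN = 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(elf: bytes) -> dict:
    """PIE / RELRO / BIND_NOW of a 64-bit little-endian ELF image: -pie gives
    e_type == ET_DYN, -z relro a PT_GNU_RELRO header, -z now DT_BIND_NOW or
    the DF_BIND_NOW / DF_1_NOW flag in DT_FLAGS / DT_FLAGS_1."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF")
    e_type = struct.unpack_from("<H", elf, 16)[0]
    e_phoff = struct.unpack_from("<Q", elf, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    res = {"pie": e_type == ET_DYN, "relro": False, "bind_now": False}
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            res["relro"] = True
        elif p_type == PT_DYNAMIC:  # walk the .dynamic entries (16 bytes each)
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    res["bind_now"] = True
    res["full_relro"] = res["relro"] and res["bind_now"]  # -z relro plus -z now
    return res


def build_sample_elf(pie: bool, relro: bool, bind_now: bool) -> bytes:
    """Constructed, non-runnable ELF64 image carrying only the headers read above."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    segs = [(PT_DYNAMIC, dyn)] + ([(PT_GNU_RELRO, b"")] if relro else [])
    phdrs, body, data_off = b"", b"", 64 + 56 * len(segs)
    for p_type, seg in segs:  # p_flags=RW, p_vaddr/p_paddr=0, p_align=8
        phdrs += struct.pack("<IIQQQQQQ", p_type, 6, data_off + len(body),
                             0, 0, len(seg), len(seg), 8)
        body += seg
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, 0x3E, 1,
                               0, 64, 0, 0, 64, 56, len(segs), 64, 0, 0)
    return ehdr + phdrs + body
```

On a real build, `check_hardening(open("/path/to/gssproxy", "rb").read())` gives the same answer as inspecting `readelf -h`, `readelf -l` and `readelf -d` by hand.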