On (08/09/16 18:47), git repository hosting wrote:
This is an automated email from the git hooks/post-receive script.
simo pushed a commit to branch master
in repository gssproxy.
commit 4ac6451491e8d4dfc4e371eee4c162b297283c0a
Author: Robbie Harwood <rharwood(a)redhat.com>
Date: Tue Sep 6 22:38:57 2016 +0000
Add configure option for build hardening
Ticket:
https://fedorahosted.org/gss-proxy/ticket/147
Signed-off-by: Robbie Harwood <rharwood(a)redhat.com>
Reviewed-by: Simo Sorce <simo(a)redhat.com>
Merges #30
---
proxy/Makefile.am | 14 ++++++++++++--
proxy/conf_macros.m4 | 11 +++++++++++
proxy/configure.ac | 1 +
3 files changed, 24 insertions(+), 2 deletions(-)
diff --git a/proxy/Makefile.am b/proxy/Makefile.am
index f03f3ea..4359938 100644
--- a/proxy/Makefile.am
+++ b/proxy/Makefile.am
@@ -31,7 +31,9 @@ pkgconfigdir = $(libdir)/pkgconfig
gpstatedir = @gpstatedir@
gpclidir = @gpstatedir@/clients
+AM_CPPFLAGS =
AM_CFLAGS =
+AM_LDFLAGS =
if WANT_AUX_INFO
AM_CFLAGS += -aux-info $@.X
endif
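Review bot: the global "AM_CPPFLAGS =" and "AM_LDFLAGS =" initialisations added at the top of this hunk only reach targets that have no per-target override. Automake uses a target's own foo_CPPFLAGS, foo_CFLAGS or foo_LDFLAGS in place of the AM_* variable, not in addition to it. Any target in this Makefile.am that sets one of those will miss the flags appended later unless it also lists $(AM_CPPFLAGS), $(AM_CFLAGS) or $(AM_LDFLAGS). Worth checking each per-target flags variable and adding a short comment next to the initialisations saying so.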
@@ -41,7 +43,15 @@ if HAVE_GCC
AM_CFLAGS += -Wall -Wshadow -Wstrict-prototypes -Wpointer-arith \
-Wcast-qual -Wcast-align -Wwrite-strings \
-fstrict-aliasing -Wstrict-aliasing -Werror=strict-aliasing \
- -Werror-implicit-function-declaration
+ -Werror-implicit-function-declaration \
+ -Werror=format-security
+
+ AM_CPPFLAGS += -Wdate-time

May I ask why a compile-time warning was added to the
pre-processor flags?
It makes sense to add -D_FORTIFY_SOURCE=2 into AM_CPPFLAGS.
I know it works even with the current version :-)
But from a semantic point of view it should be part of CFLAGS.

+endif
+if BUILD_HARDENING
+ AM_CPPFLAGS += -D_FORTIFY_SOURCE=2
+ AM_CFLAGS += -fPIE -fstack-protector-strong
+ AM_LDFLAGS += -fPIE -pie -fPIC -Wl,-z,relro -Wl,-z,now
endif
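Review bot: the "if BUILD_HARDENING" block at the end of this hunk comes after the "endif" that closes "if HAVE_GCC", so -fstack-protector-strong, -pie and the -Wl,-z,relro -Wl,-z,now options are passed to whatever compiler and linker is in use. Either nest the block under HAVE_GCC or have configure probe each flag before turning the conditional on. Two smaller points on the same lines: -pie in AM_LDFLAGS applies to every link that uses AM_LDFLAGS, which is wrong for any shared library or module target, and "-fPIE -pie -fPIC" on the link line is redundant, so consider applying -pie per program. Also, -D_FORTIFY_SOURCE=2 has no effect without optimisation, which the option's help text should mention.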

IIRC the same task could be achieved in the spec file
with "%global _hardened_build 1". But it would be better
to check with utilities from binutils or ask
someone more familiar with the toolchain in Fedora/EL.

LS
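
The check suggested above (inspecting the built binary with binutils) could look like the following. This is an added example, not part of the original thread or the gssproxy tree; the function name hardening_report, its key=value output and the sample readelf text are constructed for illustration.

```shell
#!/bin/sh
# Added example. Reads the text printed by
#   readelf -W -h -l -d --dyn-syms <binary>
# on stdin and prints one key=value line per hardening property.
hardening_report() {
    out=$(cat)
    has() { printf '%s\n' "$out" | grep -Eq -- "$1"; }

    # -pie: ELF header type is DYN, not EXEC (shared libraries are DYN too).
    if has '^[[:space:]]*Type:[[:space:]]+DYN'; then echo pie=yes; else echo pie=no; fi

    # -Wl,-z,relro adds a GNU_RELRO segment; -Wl,-z,now adds BIND_NOW or the
    # NOW bit in FLAGS_1. Both together are "full" RELRO.
    if has 'GNU_RELRO'; then
        if has 'BIND_NOW|FLAGS_1\).*NOW'; then echo relro=full; else echo relro=partial; fi
    else
        echo relro=none
    fi

    # -fstack-protector-strong: protected functions reference __stack_chk_fail.
    if has '__stack_chk_fail'; then echo stack_protector=yes; else echo stack_protector=no; fi

    # -D_FORTIFY_SOURCE=2: calls are redirected to __memcpy_chk, __sprintf_chk, ...
    # "no" is inconclusive: without optimisation, or with no fortifiable
    # calls, no *_chk symbol is imported.
    if has '__[a-z0-9_]+_chk(@|[[:space:]]|$)'; then echo fortify=yes; else echo fortify=no; fi
}

# Constructed sample input: abridged readelf output, not from a real gssproxy build.
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x002db8 0x0000000000202db8 0x0000000000202db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)'
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)'

# Stand-alone run on the constructed hardened sample.
printf '%s\n' "$SAMPLE_HARDENED" | hardening_report
```

Running it against a build made with and without the hardening option shows which of the flags from the patch actually took effect in the resulting binary.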