[mgetty] build-sys: fix package hardening

Thu Jul 11 15:50:20 UTC 2013

commit 229631878208e597bd0f2b4c84f73ec82ec5d6b0
Author: Michal Sekletar <msekleta at redhat.com>
Date:   Thu Jul 11 09:57:23 2013 +0200

    build-sys: fix package hardening
    
    Hardened build has been on already for some time. However, rpm macro
    machinery doesn't work properly for mgetty, since we neither use ld for
    linking targets nor we use autotools.

 mgetty-1.1.36-hardening.patch |   66 +++++++++++++++++++++++++++++++++++++++++
 mgetty.spec                   |    2 +
 2 files changed, 68 insertions(+), 0 deletions(-)
---

diff --git a/mgetty-1.1.36-hardening.patch b/mgetty-1.1.36-hardening.patch
new file mode 100644
index 0000000..6844648
--- /dev/null
+++ b/mgetty-1.1.36-hardening.patch
@@ -0,0 +1,66 @@
+diff -up mgetty-1.1.36/fax/Makefile.hardening mgetty-1.1.36/fax/Makefile
+--- mgetty-1.1.36/fax/Makefile.hardening	2013-07-11 13:29:17.937420044 +0200
++++ mgetty-1.1.36/fax/Makefile	2013-07-11 13:29:42.676420752 +0200
+@@ -5,7 +5,8 @@
+ #
+ 
+ CC=gcc
+-CFLAGS=-O2 -I.. -Wall
++CFLAGS=-O2 -I.. -Wall -fPIE
++LDFLAGS=-z now -pie
+ 
+ FAX_SCRIPTS=faxspool faxrunq faxq faxrm 
+ 
+@@ -36,7 +37,7 @@ faxheader: faxheader.in ../sedscript
+ 	@cd .. ; $(MAKE) sedscript
+ 
+ faxq-helper: faxq-helper.o 
+-	$(CC) $(CFLAGS) -o faxq-helper faxq-helper.o
++	$(CC) $(CFLAGS) $(LDFLAGS) -o faxq-helper faxq-helper.o
+ 
+ faxq-helper.o: faxq-helper.c ../sedscript
+ 	$(CC) $(CFLAGS) -DFAX_SPOOL_OUT=\"$(FAX_SPOOL_OUT)\" \
+diff -up mgetty-1.1.36/frontends/X11/viewfax/Makefile.hardening mgetty-1.1.36/frontends/X11/viewfax/Makefile
+--- mgetty-1.1.36/frontends/X11/viewfax/Makefile.hardening	2013-07-11 13:28:46.498419145 +0200
++++ mgetty-1.1.36/frontends/X11/viewfax/Makefile	2013-07-11 13:28:46.502419145 +0200
+@@ -48,8 +48,8 @@ OPT = -g -O2 -Wno-uninitialized -ansi -p
+ #LIBS =
+ # linux
+ CC = gcc
+-CFLAGS = $(OPT) -DHELPFILE=$(HELP)
+-LDFLAGS = $(OPT) -L/usr/X11R6/lib
++CFLAGS = $(OPT) -DHELPFILE=$(HELP) -fPIE
++LDFLAGS = $(OPT) -z now -pie -L/usr/X11R6/lib
+ LIBS =
+ 
+ ####### End of configurable definitions #######
+diff -up mgetty-1.1.36/Makefile.hardening mgetty-1.1.36/Makefile
+--- mgetty-1.1.36/Makefile.hardening	2013-07-11 13:28:46.498419145 +0200
++++ mgetty-1.1.36/Makefile	2013-07-11 13:28:46.502419145 +0200
+@@ -102,7 +102,7 @@ CC=gcc
+ #	    USTAT	  - ustat(), no statfs etc.
+ #
+ #CFLAGS=-Wall -O2 -pipe -DSECUREWARE -DUSE_POLL
+-CFLAGS=-O2 -Wall -pipe
++CFLAGS=-O2 -Wall -pipe -fPIE
+ #CFLAGS=-O -DSVR4
+ #CFLAGS=-O -DSVR4 -DSVR42
+ #CFLAGS=-O -DUSE_POLL
+@@ -143,7 +143,7 @@ CFLAGS=-O2 -Wall -pipe
+ # 	"utmp.o: unresolved symbol _login"
+ # For Linux, add "-lutil" if the linker complains about "updwtmp".
+ #
+-LDFLAGS=
++LDFLAGS=-z now -pie
+ LIBS=
+ #LIBS=-lprot -lsocket				# SCO Unix
+ #LIBS=-lsocket
+@@ -556,7 +556,7 @@ sendfax.config: sendfax.cfg.in sedscript
+ 	./sedscript <sendfax.cfg.in >sendfax.config
+ 
+ newslock: compat/newslock.c
+-	$(CC) $(CFLAGS) -o newslock compat/newslock.c
++	$(CC) $(CFLAGS) $(LDFLAGS) -o newslock compat/newslock.c
+ 
+ # internal: use this to create a "clean" mgetty+sendfax tree
+ bindist: all doc-all sedscript
diff --git a/mgetty.spec b/mgetty.spec
index cedb4a6..e832ac6 100644
--- a/mgetty.spec
+++ b/mgetty.spec
@@ -46,6 +46,7 @@ Patch25: mgetty-1.1.36-sd.patch
 # thus .debug files for all binaries will be generated properly
 Patch26: mgetty-1.1.36-makefiles.patch
 Patch27: mgetty-1.1.36-lockdev.patch
+Patch28: mgetty-1.1.36-hardening.patch
 
 License: GPLv2+
 Group: Applications/Communications
@@ -136,6 +137,7 @@ mv policy.h-dist policy.h
 %patch25 -p1 -b .sd
 %patch26 -p1 -b .makefile
 %patch27 -p1 -b .lockdev
+%patch28 -p1 -b .hardening
 
 %build
 %define makeflags CFLAGS="$RPM_OPT_FLAGS -Wall -DAUTO_PPP -D_FILE_OFFSET_BITS=64 -DHAVE_LOCKDEV -fno-strict-aliasing" LIBS="-llockdev" prefix=%{_prefix} spool=%{_var}/spool BINDIR=%{_bindir} SBINDIR=%{_sbindir} LIBDIR=%{_libdir}/mgetty+sendfax HELPDIR=%{_libdir}/mgetty+sendfax CONFDIR=%{_sysconfdir}/mgetty+sendfax MANDIR=%{_mandir} MAN1DIR=%{_mandir}/man1 MAN4DIR=%{_mandir}/man4 MAN5DIR=%{_mandir}/man5 MAN8DIR=%{_mandir}/man8 INFODIR=%{_infodir} ECHO='"echo -e"' INSTALL=%{__install}
