Tidy up spec file

Nick Clifton 2021-05-19 12:05:01 +01:00
parent 81adad3f31
commit 45b479d2d6
1 changed files with 144 additions and 121 deletions


@ -2,7 +2,7 @@
Name: annobin
Summary: Annotate and examine compiled binary files
Version: 9.72
Release: 1%{?dist}
Release: 2%{?dist}
License: GPLv3+
# Maintainer: nickc@redhat.com
# Web Page: https://sourceware.org/annobin/
@ -54,10 +54,6 @@ License: GPLv3+
%undefine _annotated_build
%endif
%{!?llvm_version:%global llvm_version 11.1.0}
%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}}
%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}}
#---------------------------------------------------------------------------------
Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz
@ -68,6 +64,121 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz
#---------------------------------------------------------------------------------
# Make sure that the necessary sub-packages are built.
%if %{with gccplugin}
Requires: %{name}-plugin-gcc
%endif
%if %{with llvmplugin}
Requires: %{name}-plugin-llvm
%endif
%if %{with clangplugin}
Requires: %{name}-plugin-clang
%endif
#---------------------------------------------------------------------------------
%description
This package contains the tools needed to annotate binary files created by
compilers, and also the tools needed to examine those annotations.
%if %{with gccplugin}
One of the tools is a plugin for GCC that records information about the
security options that were in effect when the binary was compiled.
Note - the plugin is automatically enabled in gcc builds via flags
provided by the redhat-rpm-macros package.
%endif
%if %{with clangplugin}
One of the tools is a plugin for Clang that records information about the
security options that were in effect when the binary was compiled.
%endif
%if %{with llvmplugin}
One of the tools is a plugin for LLVM that records information about the
security options that were in effect when the binary was compiled.
%endif
%if %{with annocheck}
One of the tools is a security checker which analyses the notes present in
annotated files and reports on any missing security options.
%endif
#---------------------------------------------------------------------------
# Now that we have sub-packages for all of the plugins and for annocheck,
# there are no executables left to go into the "annobin" rpm. But top-level
# packages cannot have "BuildArch: noarch" if sub-packages do have
# architecture requirements, and rpmlint generates an error if an
# architecture specific rpm does not contain any binaries. So instead all of
# the documentation has been moved into an architecture neutral sub-package,
# and there no longer is a top level annobin rpm at all.
%package docs
Summary: Documentation and shell scripts for use with annobin
BuildArch: noarch
# annobin renamed to annobin-doc in 9.66-1
Provides: %{name} = %{version}-%{release}
Obsoletes: %{name} < 9.66-1
# The documentation uses pod2man...
BuildRequires: perl-interpreter perl-podlators gawk make
%description docs
Provides the documentation files and example shell scripts for use with annobin.
#----------------------------------------------------------------------------
%if %{with tests}
%package tests
Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin
Requires: %{name}-docs = %{version}-%{release}
%description tests
Provides a means to test the generation of annotated binaries and the parsing
of the resulting files.
BuildRequires: make
%if %{with debuginfod}
BuildRequires: elfutils-debuginfod-client-devel
%endif
%endif
#----------------------------------------------------------------------------
%if %{with annocheck}
%package annocheck
Summary: A tool for checking the security hardening status of binaries
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make
%if %{with debuginfod}
BuildRequires: elfutils-debuginfod-client-devel
%endif
Requires: %{name}-docs = %{version}-%{release}
%description annocheck
Installs the annocheck program which uses the notes generated by annobin to
check that the specified files were compiled with the correct security
hardening options.
%endif
#----------------------------------------------------------------------------
%if %{with gccplugin}
%package plugin-gcc
Summary: annobin gcc plugin
Requires: %{name}-docs = %{version}-%{release}
Conflicts: %{name} <= 9.60-1
BuildRequires: gcc-c++ gcc-plugin-devel
# [Stolen from gcc-python-plugin]
# GCC will only load plugins that were built against exactly that build of GCC
# We thus need to embed the exact GCC version as a requirement within the
@ -112,7 +223,7 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz
%global gcc_major 0
%endif
# This is a gcc plugin, hence gcc is required.
# For a gcc plugin gcc is required.
%if %{with_hard_gcc_version_requirement}
# BZ 1607430 - There is an exact requirement on the major version of gcc.
Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})
@ -120,114 +231,6 @@ Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next})
Requires: gcc
%endif
%if %{with gccplugin}
Requires: annobin-plugin-gcc
%endif
%if %{with llvmplugin}
Requires: annobin-plugin-llvm
%endif
%if %{with clangplugin}
Requires: annobin-plugin-clang
%endif
# The documentation uses pod2man...
BuildRequires: gcc perl-interpreter perl-podlators gawk
%if %{with gccplugin}
BuildRequires: gcc-c++ gcc-plugin-devel
%endif
%if %{with clangplugin}
BuildRequires: clang clang-devel llvm llvm-devel compiler-rt
%endif
%if %{with llvmplugin}
BuildRequires: clang clang-devel llvm llvm-devel compiler-rt
%endif
%description
Provides a plugin for GCC that records extra information in the files
that it compiles.
Note - the plugin is automatically enabled in gcc builds via flags
provided by the redhat-rpm-macros package.
%if %{with clangplugin}
Also provides a plugin for Clang which performs a similar function.
%endif
%if %{with llvmplugin}
Also provides a plugin for LLVM which performs a similar function.
%endif
#---------------------------------------------------------------------------
# Now that we have sub-packages for all of the plugins and for annocheck,
# there are no executables left to go into the "annobin" rpm. But top-level
# packages cannot have "BuildArch: noarch" if sub-packages do have
# architecture requirements, and rpmlint generates an error if an
# architecture specific rpm does not contain any binaries. So instead all of
# the documentation has been moved into an architecture neutral sub-package,
# and there no longer is a top level annobin rpm at all.
%package docs
Summary: Documentation and shell scripts for use with annobin
BuildArch: noarch
# annobin renamed to annobin-doc in 9.66-1
Provides: %{name} = %{version}-%{release}
Obsoletes: %{name} < 9.66-1
%description docs
Provides the documentation files and example shell scripts for use with annobin.
#----------------------------------------------------------------------------
%if %{with tests}
%package tests
Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin
Requires: %{name}-docs = %{version}-%{release}
%description tests
Provides a means to test the generation of annotated binaries and the parsing
of the resulting files.
%if %{with debuginfod}
BuildRequires: elfutils-debuginfod-client-devel
%endif
%endif
#----------------------------------------------------------------------------
%if %{with annocheck}
%package annocheck
Summary: A tool for checking the security hardening status of binaries
BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel
%if %{with debuginfod}
BuildRequires: elfutils-debuginfod-client-devel make
%endif
Requires: %{name}-docs = %{version}-%{release}
%description annocheck
Installs the annocheck program which uses the notes generated by annobin to
check that the specified files were compiled with the correct security
hardening options.
%endif
#----------------------------------------------------------------------------
%if %{with gccplugin}
%package plugin-gcc
Summary: annobin gcc plugin
Requires: %{name}-docs = %{version}-%{release}
Conflicts: annobin <= 9.60-1
%description plugin-gcc
Installs an annobin plugin that can be used by gcc.
@ -240,10 +243,11 @@ Installs an annobin plugin that can be used by gcc.
Summary: annobin llvm plugin
Requires: %{name}-docs = %{version}-%{release}
Conflicts: annobin <= 9.60-1
Conflicts: %{name} <= 9.60-1
BuildRequires: clang clang-devel llvm llvm-devel compiler-rt
%description plugin-llvm
Installs an annobin plugin that can be used by llvm tools.
Installs an annobin plugin that can be used by LLVM tools.
%endif
@ -254,16 +258,24 @@ Installs an annobin plugin that can be used by llvm tools.
Summary: annobin clang plugin
Requires: %{name}-docs = %{version}-%{release}
Conflicts: annobin <= 9.60-1
Conflicts: %{name} <= 9.60-1
BuildRequires: clang clang-devel llvm llvm-devel compiler-rt
%description plugin-clang
Installs an annobin plugin that can be used by clang.
Installs an annobin plugin that can be used by Clang.
%endif
#---------------------------------------------------------------------------------
# Decide where the plugins will live. Change if necessary.
%global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin)
%{!?llvm_version:%global llvm_version 11.1.0}
%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}}
%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}}
#---------------------------------------------------------------------------------
%prep
@ -288,7 +300,7 @@ touch doc/annobin.info
%build
CONFIG_ARGS="--quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}"
CONFIG_ARGS="--quiet"
%if %{with debuginfod}
CONFIG_ARGS="$CONFIG_ARGS --with-debuginfod"
@ -308,6 +320,8 @@ CONFIG_ARGS="$CONFIG_ARGS --with-clang"
%if %{without gccplugin}
CONFIG_ARGS="$CONFIG_ARGS --without-gcc-plugin"
%else
CONFIG_ARGS="$CONFIG_ARGS --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}"
%endif
%if %{with llvmplugin}
@ -318,10 +332,16 @@ CONFIG_ARGS="$CONFIG_ARGS --with-llvm"
CONFIG_ARGS="$CONFIG_ARGS --without-test"
%endif
%if %{without annocheck}
CONFIG_ARGS="$CONFIG_ARGS --without-annocheck"
%endif
%configure ${CONFIG_ARGS} || cat config.log
%make_build
#---------------------------------------------------------------------------------
%if %{with plugin_rebuild}
# Rebuild the plugin(s), this time using the plugin itself! This
# ensures that the plugin works, and that it contains annotations
@ -341,8 +361,8 @@ BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so"
# option, despite the fact that there patently is.
BUILD_FLAGS="$BUILD_FLAGS -fplugin=annobin -fplugin-arg-annobin-disable"
# If building on RHEL7, enable the next option as the .attach_to_group
# assembler pseudo op is not available in the assembler.
# If building on systems with an assembler that does not support the
# .attach_to_group pseudo op (eg RHEL-7) then enable the next line.
# BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach"
make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS"
@ -433,6 +453,9 @@ fi
#---------------------------------------------------------------------------------
%changelog
* Wed May 19 2021 Nick Clifton <nickc@redhat.com> - 9.72-2
- Tidy up spec file.
* Thu May 13 2021 Nick Clifton <nickc@redhat.com> - 9.72-1
- annocheck: Accept 0 as a valid number for gcc minor versions and release numbers.
- gcc-plugin: Add support for ARM and RISCV targets.
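Review bot: In the new `%package tests` block, `BuildRequires: make` and the `%if %{with debuginfod}` / `BuildRequires: elfutils-debuginfod-client-devel` lines come after `%description tests`, so rpm will most likely read them as description text rather than as build dependencies. The build probably still works only because the docs and annocheck preambles declare the same requirements, which hides the mistake and leaves the stray lines in the tests package description. Moving those lines above `%description tests`, next to `Requires: %{name}-docs = %{version}-%{release}`, keeps the dependency list declared where rpm parses it. The debuginfod conditional already sat in this position before the commit, and blank lines are lost on this page, so the exact layout should be confirmed against the file.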