From 45b479d2d6f86db76a5270bba26757e1b3e3a56e Mon Sep 17 00:00:00 2001 From: Nick Clifton Date: Wed, 19 May 2021 12:05:01 +0100 Subject: [PATCH] Tidy up spec file --- annobin.spec | 265 ++++++++++++++++++++++++++++----------------------- 1 file changed, 144 insertions(+), 121 deletions(-) diff --git a/annobin.spec b/annobin.spec index 1ca24ac..767ee06 100644 --- a/annobin.spec +++ b/annobin.spec @@ -2,7 +2,7 @@ Name: annobin Summary: Annotate and examine compiled binary files Version: 9.72 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv3+ # Maintainer: nickc@redhat.com # Web Page: https://sourceware.org/annobin/ @@ -54,10 +54,6 @@ License: GPLv3+ %undefine _annotated_build %endif -%{!?llvm_version:%global llvm_version 11.1.0} -%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}} -%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}} - #--------------------------------------------------------------------------------- Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz 
@@ -68,6 +64,121 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz #--------------------------------------------------------------------------------- +# Make sure that the necessary sub-packages are built. + +%if %{with gccplugin} +Requires: %{name}-plugin-gcc +%endif + +%if %{with llvmplugin} +Requires: %{name}-plugin-llvm +%endif + +%if %{with clangplugin} +Requires: %{name}-plugin-clang +%endif + +#--------------------------------------------------------------------------------- + +%description +This package contains the tools needed to annotate binary files created by +compilers, and also the tools needed to examine those annotations. + +%if %{with gccplugin} +One of the tools is a plugin for GCC that records information about the +security options that were in effect when the binary was compiled. + +Note - the plugin is automatically enabled in gcc builds via flags +provided by the redhat-rpm-macros package. +%endif + +%if %{with clangplugin} +One of the tools is a plugin for Clang that records information about the +security options that were in effect when the binary was compiled. +%endif + +%if %{with llvmplugin} +One of the tools is a plugin for LLVM that records information about the +security options that were in effect when the binary was compiled. +%endif + +%if %{with annocheck} +One of the tools is a security checker which analyses the notes present in +annotated files and reports on any missing security options. +%endif + +#--------------------------------------------------------------------------- + +# Now that we have sub-packages for all of the plugins and for annocheck, +# there are no executables left to go into the "annobin" rpm. But top-level +# packages cannot have "BuildArch: noarch" if sub-packages do have +# architecture requirements, and rpmlint generates an error if an +# architecture specific rpm does not contain any binaries. 
So instead all of +# the documentation has been moved into an architecture neutral sub-package, +# and there no longer is a top level annobin rpm at all. + +%package docs +Summary: Documentation and shell scripts for use with annobin +BuildArch: noarch +# annobin renamed to annobin-doc in 9.66-1 +Provides: %{name} = %{version}-%{release} +Obsoletes: %{name} < 9.66-1 +# The documentation uses pod2man... +BuildRequires: perl-interpreter perl-podlators gawk make + +%description docs +Provides the documentation files and example shell scripts for use with annobin. + +#---------------------------------------------------------------------------- +%if %{with tests} + +%package tests +Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin +Requires: %{name}-docs = %{version}-%{release} + +%description tests +Provides a means to test the generation of annotated binaries and the parsing +of the resulting files. + +BuildRequires: make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +%endif + +#---------------------------------------------------------------------------- +%if %{with annocheck} + +%package annocheck +Summary: A tool for checking the security hardening status of binaries + +BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel make + +%if %{with debuginfod} +BuildRequires: elfutils-debuginfod-client-devel +%endif + +Requires: %{name}-docs = %{version}-%{release} + +%description annocheck +Installs the annocheck program which uses the notes generated by annobin to +check that the specified files were compiled with the correct security +hardening options. 
+ +%endif + +#---------------------------------------------------------------------------- +%if %{with gccplugin} + +%package plugin-gcc +Summary: annobin gcc plugin + +Requires: %{name}-docs = %{version}-%{release} +Conflicts: %{name} <= 9.60-1 +BuildRequires: gcc-c++ gcc-plugin-devel + # [Stolen from gcc-python-plugin] # GCC will only load plugins that were built against exactly that build of GCC # We thus need to embed the exact GCC version as a requirement within the @@ -112,7 +223,7 @@ Source: https://nickc.fedorapeople.org/annobin-%{version}.tar.xz %global gcc_major 0 %endif -# This is a gcc plugin, hence gcc is required. +# For a gcc plugin gcc is required. %if %{with_hard_gcc_version_requirement} # BZ 1607430 - There is an exact requirement on the major version of gcc. Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) 
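Review bot: In the new `tests` sub-package, the added `BuildRequires: make` and the `%if %{with debuginfod}` / `BuildRequires: elfutils-debuginfod-client-devel` block come after `%description tests`, so rpm reads them as description text rather than as build dependencies. Move both above `%description tests`, next to `Requires: %{name}-docs = %{version}-%{release}`, which is how the `annocheck` sub-package in this same hunk is laid out. The build presumably still works only because `make` is also listed in the `docs` preamble and the debuginfod dependency in `annocheck`. A build with tests enabled but annocheck disabled would not pull in the debuginfod headers.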
@@ -120,114 +231,6 @@ Requires: (gcc >= %{gcc_major} with gcc < %{gcc_next}) Requires: gcc %endif -%if %{with gccplugin} -Requires: annobin-plugin-gcc -%endif - -%if %{with llvmplugin} -Requires: annobin-plugin-llvm -%endif - -%if %{with clangplugin} -Requires: annobin-plugin-clang -%endif - -# The documentation uses pod2man... -BuildRequires: gcc perl-interpreter perl-podlators gawk - -%if %{with gccplugin} -BuildRequires: gcc-c++ gcc-plugin-devel -%endif - -%if %{with clangplugin} -BuildRequires: clang clang-devel llvm llvm-devel compiler-rt -%endif - -%if %{with llvmplugin} -BuildRequires: clang clang-devel llvm llvm-devel compiler-rt -%endif - -%description -Provides a plugin for GCC that records extra information in the files -that it compiles. - -Note - the plugin is automatically enabled in gcc builds via flags -provided by the redhat-rpm-macros package. - -%if %{with clangplugin} -Also provides a plugin for Clang which performs a similar function. -%endif - -%if %{with llvmplugin} -Also provides a plugin for LLVM which performs a similar function. -%endif - -#--------------------------------------------------------------------------- - -# Now that we have sub-packages for all of the plugins and for annocheck, -# there are no executables left to go into the "annobin" rpm. But top-level -# packages cannot have "BuildArch: noarch" if sub-packages do have -# architecture requirements, and rpmlint generates an error if an -# architecture specific rpm does not contain any binaries. So instead all of -# the documentation has been moved into an architecture neutral sub-package, -# and there no longer is a top level annobin rpm at all. - -%package docs -Summary: Documentation and shell scripts for use with annobin -BuildArch: noarch -# annobin renamed to annobin-doc in 9.66-1 -Provides: %{name} = %{version}-%{release} -Obsoletes: %{name} < 9.66-1 - -%description docs -Provides the documentation files and example shell scripts for use with annobin. 
- -#---------------------------------------------------------------------------- -%if %{with tests} - -%package tests -Summary: Test scripts and binaries for checking the behaviour and output of the annobin plugin -Requires: %{name}-docs = %{version}-%{release} - -%description tests -Provides a means to test the generation of annotated binaries and the parsing -of the resulting files. - -%if %{with debuginfod} -BuildRequires: elfutils-debuginfod-client-devel -%endif - -%endif - -#---------------------------------------------------------------------------- -%if %{with annocheck} - -%package annocheck -Summary: A tool for checking the security hardening status of binaries - -BuildRequires: gcc elfutils elfutils-devel elfutils-libelf-devel rpm-devel binutils-devel -%if %{with debuginfod} -BuildRequires: elfutils-debuginfod-client-devel make -%endif - -Requires: %{name}-docs = %{version}-%{release} - -%description annocheck -Installs the annocheck program which uses the notes generated by annobin to -check that the specified files were compiled with the correct security -hardening options. - -%endif - -#---------------------------------------------------------------------------- -%if %{with gccplugin} - -%package plugin-gcc -Summary: annobin gcc plugin - -Requires: %{name}-docs = %{version}-%{release} -Conflicts: annobin <= 9.60-1 - %description plugin-gcc Installs an annobin plugin that can be used by gcc. @@ -240,10 +243,11 @@ Installs an annobin plugin that can be used by gcc. Summary: annobin llvm plugin Requires: %{name}-docs = %{version}-%{release} -Conflicts: annobin <= 9.60-1 +Conflicts: %{name} <= 9.60-1 +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt %description plugin-llvm -Installs an annobin plugin that can be used by llvm tools. +Installs an annobin plugin that can be used by LLVM tools. %endif 
@@ -254,16 +258,24 @@ Installs an annobin plugin that can be used by llvm tools. Summary: annobin clang plugin Requires: %{name}-docs = %{version}-%{release} -Conflicts: annobin <= 9.60-1 +Conflicts: %{name} <= 9.60-1 +BuildRequires: clang clang-devel llvm llvm-devel compiler-rt %description plugin-clang -Installs an annobin plugin that can be used by clang. +Installs an annobin plugin that can be used by Clang. %endif + #--------------------------------------------------------------------------------- +# Decide where the plugins will live. Change if necessary. + %global ANNOBIN_GCC_PLUGIN_DIR %(gcc --print-file-name=plugin) +%{!?llvm_version:%global llvm_version 11.1.0} +%{!?llvm_plugin_dir:%global llvm_plugin_dir %{_libdir}/llvm/%{llvm_version}} +%{!?clang_plugin_dir:%global clang_plugin_dir %{_libdir}/clang/%{llvm_version}} + #--------------------------------------------------------------------------------- %prep @@ -288,7 +300,7 @@ touch doc/annobin.info %build -CONFIG_ARGS="--quiet --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}" +CONFIG_ARGS="--quiet" %if %{with debuginfod} CONFIG_ARGS="$CONFIG_ARGS --with-debuginfod" @@ -308,6 +320,8 @@ CONFIG_ARGS="$CONFIG_ARGS --with-clang" %if %{without gccplugin} CONFIG_ARGS="$CONFIG_ARGS --without-gcc-plugin" +%else +CONFIG_ARGS="$CONFIG_ARGS --with-gcc-plugin-dir=%{ANNOBIN_GCC_PLUGIN_DIR}" %endif %if %{with llvmplugin} @@ -318,10 +332,16 @@ CONFIG_ARGS="$CONFIG_ARGS --with-llvm" CONFIG_ARGS="$CONFIG_ARGS --without-test" %endif +%if %{without annocheck} +CONFIG_ARGS="$CONFIG_ARGS --without-annocheck" +%endif + %configure ${CONFIG_ARGS} || cat config.log %make_build +#--------------------------------------------------------------------------------- + %if %{with plugin_rebuild} # Rebuild the plugin(s), this time using the plugin itself! This # ensures that the plugin works, and that it contains annotations 
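Review bot: The relocated default `%global llvm_version 11.1.0` hard-codes the LLVM release from which `llvm_plugin_dir` and `clang_plugin_dir` are built, so a build against any other installed LLVM would place the plugins in a directory that release presumably does not search. A plugin that is never loaded means binaries are produced without the hardening notes annocheck depends on, and nothing in the build reports it. Consider deriving the default from the toolchain, as `ANNOBIN_GCC_PLUGIN_DIR` already does for gcc, with something like `%{!?llvm_version:%global llvm_version %(llvm-config --version)}`. This has the same parse-time caveat as the gcc line: the tool must be present when the spec is read. The new "Change if necessary" comment could also name the three macros a packager is expected to override.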
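Review bot: The context line `%configure ${CONFIG_ARGS} || cat config.log` turns a failed configure into a success, because the exit status of the `||` list is that of `cat`. With the new `--without-annocheck` branch adding another way for the configuration to differ between builds, a failing configure would surface only later in `%make_build`, far from its cause. Keep the log dump but preserve the failure: `%configure ${CONFIG_ARGS} || { cat config.log; exit 1; }`. The `%build` section begins and ends outside this hunk.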
@@ -341,8 +361,8 @@ BUILD_FLAGS="-fplugin=%{_tmppath}/tmp_annobin.so" # option, despite the fact that there patently is. BUILD_FLAGS="$BUILD_FLAGS -fplugin=annobin -fplugin-arg-annobin-disable" -# If building on RHEL7, enable the next option as the .attach_to_group -# assembler pseudo op is not available in the assembler. +# If building on systems with an assembler that does not support the +# .attach_to_group pseudo op (eg RHEL-7) then enable the next line. # BUILD_FLAGS="$BUILD_FLAGS -fplugin-arg-tmp_annobin-no-attach" make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS" @@ -433,6 +453,9 @@ fi #--------------------------------------------------------------------------------- %changelog +* Wed May 19 2021 Nick Clifton - 9.72-2 +- Tidy up spec file. + * Thu May 13 2021 Nick Clifton - 9.72-1 - annocheck: Accept 0 as a valid number for gcc minor versions and release numbers. - gcc-plugin: Add support for ARM and RISCV targets.
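Review bot: The hunk header shows the rebuild loading its bootstrap plugin from `%{_tmppath}/tmp_annobin.so`, a fixed file name in a directory that is commonly shared and world-writable (typically /var/tmp). The `make -C gcc-plugin CXXFLAGS="%{optflags} $BUILD_FLAGS"` line in this hunk passes that path to the compiler. Whatever sits at that path is loaded into gcc during the build, so on a shared build host the temporary copy is better kept inside the package's own build tree, for example under `%{_builddir}`. The step that creates and removes the file is outside this hunk, so confirm there whether it is already handled safely.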