From da8d7a1e6a75a2461c33d77afd0878dcc3bb36d3 Mon Sep 17 00:00:00 2001
From: Adam Jackson
Date: Mon, 8 Aug 2011 10:58:51 -0400
Subject: [PATCH] redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so we don't end up with both -fPIC and -fPIE on the command line
---
 redhat-rpm-config-9.1.0-hardened.patch | 14 +++++++-------
 redhat-rpm-config.spec | 15 ++++++++++++++-
 2 files changed, 21 insertions(+), 8 deletions(-)
diff --git a/redhat-rpm-config-9.1.0-hardened.patch b/redhat-rpm-config-9.1.0-hardened.patch
index 710a2c3..a334b1c 100644
--- a/redhat-rpm-config-9.1.0-hardened.patch
+++ b/redhat-rpm-config-9.1.0-hardened.patch
@@ -1,18 +1,18 @@
 diff -up redhat-rpm-config-9.1.0/macros.jx redhat-rpm-config-9.1.0/macros
---- redhat-rpm-config-9.1.0/macros.jx 2011-08-01 11:01:08.000000000 -0400
-+++ redhat-rpm-config-9.1.0/macros 2011-08-01 11:14:53.438448217 -0400
+--- redhat-rpm-config-9.1.0/macros.jx 2011-08-03 15:42:20.267064981 -0400
++++ redhat-rpm-config-9.1.0/macros 2011-08-03 15:44:46.581058603 -0400
@@ -184,8 +184,12 @@ unset DISPLAY\
 %__find_provides /usr/lib/rpm/redhat/find-provides
 %__find_requires /usr/lib/rpm/redhat/find-requires
 -%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
 -%__global_ldflags -Wl,-z,relro
-+#_hardened_build 0
-+%_hardened_cflags %{?_hardened_build:-fPIE}
-+%_hardened_ldflags %{?_hardened_build:-Wl,-z,now -pie}
++# define _hardened_build to non-zero to enable
++%_hardened_cflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1}
++%_hardened_ldflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-ld}
 +
-+%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{?_hardened_cflags}
-+%__global_ldflags -Wl,-z,relro %{?_hardened_ldflags}
++%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{_hardened_cflags}
++%__global_ldflags -Wl,-z,relro %{_hardened_ldflags}
 # Use these macros to differentiate between RH and other KMP implementation(s).
 redhat_kernel_module_package 1
diff --git a/redhat-rpm-config.spec b/redhat-rpm-config.spec
index 6f19bac..a9ef931 100644
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
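Review bot: In the macros hunk of redhat-rpm-config-9.1.0-hardened.patch, the new comment `# define _hardened_build to non-zero to enable` does not match the guard on the two lines below it: `%{?_hardened_build:...}` expands whenever the macro is defined, so a spec that sets `_hardened_build` to 0 still gets the hardened specs. Either reword the comment to `# define _hardened_build (to any value) to enable` or test the value explicitly. Separately, `-fPIE`, `-pie` and `-Wl,-z,now` no longer appear in the macros; they now depend entirely on the contents of redhat-hardened-cc1 and redhat-hardened-ld, which this diff does not show. It is worth confirming on a test build (for example with `readelf -h` and `readelf -d`) that a hardened package still ends up as a PIE with BIND_NOW, in particular for packages that override the flags or invoke the linker directly and so may never see the `-specs=` options.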
@@ -1,12 +1,20 @@
 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
 Version: 9.1.0
-Release: 14%{?dist}
+Release: 15%{?dist}
 # No version specified.
 License: GPL+
 Group: Development/System
 URL: http://git.fedoraproject.org/git/redhat-rpm-config
 Source: redhat-rpm-config-%{version}.tar.bz2
+
+# these two implement automagic {c,ld}flags mangling for additional ELF
+# hardening when _hardened_build is defined in a spec file. gcc 4.6.1-7.fc16
+# or newer is needed for these to work; prior to that *self_specs was not
+# exposed. If anything goes wrong, blame ajax@
+Source1: redhat-hardened-cc1
+Source2: redhat-hardened-ld
+
 Patch0: redhat-rpm-config-9.1.0-strict-python-bytecompile.patch
 Patch1: redhat-rpm-config-9.1.0-fix-requires.patch
 Patch2: redhat-rpm-config-9.1.0-no-strip-note.patch
@@ -44,6 +52,7 @@ Red Hat specific rpm configuration files.
 %install
 make DESTDIR=${RPM_BUILD_ROOT} install
 cp -p %{_datadir}/libtool/config/config.{guess,sub} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat/
+install -m 0444 %{SOURCE1} %{SOURCE2} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat
 find ${RPM_BUILD_ROOT} -name \*.orig -delete
 # buggy makefile in 9.1.0 leaves changelog in wrong place
 find ${RPM_BUILD_ROOT} -name ChangeLog -delete
@@ -58,6 +67,10 @@ rm -rf ${RPM_BUILD_ROOT}
 %{_sysconfdir}/rpm/*
 %changelog
+* Wed Aug 03 2011 Adam Jackson 9.1.0-15
+- redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so
+ we don't end up with both -fPIC and -fPIE on the command line
+
 * Mon Aug 01 2011 Adam Jackson 9.1.0-14
 - redhat-rpm-config-9.1.0-hardened.patch: Add macro magic for %%_hardened_build
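Review bot: The comment added above `Source1:` says gcc 4.6.1-7.fc16 or newer is needed, but nothing in this hunk enforces that. On a buildroot with an older gcc, a package that sets `_hardened_build` may fail to build or may build without the intended hardening; which of the two happens is not visible from here. Consider recording the requirement in package metadata, for example `Conflicts: gcc < 4.6.1-7`, so the mismatch is caught at install time rather than build by build. The `install -m 0444` line in the `%install` hunk installs the two specs files read-only, which is appropriate for files the compiler driver reads on every hardened build.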