redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so
we don't end up with both -fPIC and -fPIE on the command line
parent
796b80f2f4
commit
da8d7a1e6a
|
@ -1,18 +1,18 @@
|
||||||
diff -up redhat-rpm-config-9.1.0/macros.jx redhat-rpm-config-9.1.0/macros
|
diff -up redhat-rpm-config-9.1.0/macros.jx redhat-rpm-config-9.1.0/macros
|
||||||
--- redhat-rpm-config-9.1.0/macros.jx 2011-08-01 11:01:08.000000000 -0400
|
--- redhat-rpm-config-9.1.0/macros.jx 2011-08-03 15:42:20.267064981 -0400
|
||||||
+++ redhat-rpm-config-9.1.0/macros 2011-08-01 11:14:53.438448217 -0400
|
+++ redhat-rpm-config-9.1.0/macros 2011-08-03 15:44:46.581058603 -0400
|
||||||
@@ -184,8 +184,12 @@ unset DISPLAY\
|
@@ -184,8 +184,12 @@ unset DISPLAY\
|
||||||
%__find_provides /usr/lib/rpm/redhat/find-provides
|
%__find_provides /usr/lib/rpm/redhat/find-provides
|
||||||
%__find_requires /usr/lib/rpm/redhat/find-requires
|
%__find_requires /usr/lib/rpm/redhat/find-requires
|
||||||
|
|
||||||
-%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
|
-%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4
|
||||||
-%__global_ldflags -Wl,-z,relro
|
-%__global_ldflags -Wl,-z,relro
|
||||||
+#_hardened_build 0
|
+# define _hardened_build to non-zero to enable
|
||||||
+%_hardened_cflags %{?_hardened_build:-fPIE}
|
+%_hardened_cflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1}
|
||||||
+%_hardened_ldflags %{?_hardened_build:-Wl,-z,now -pie}
|
+%_hardened_ldflags %{?_hardened_build:-specs=/usr/lib/rpm/redhat/redhat-hardened-ld}
|
||||||
+
|
+
|
||||||
+%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{?_hardened_cflags}
|
+%__global_cflags -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 %{_hardened_cflags}
|
||||||
+%__global_ldflags -Wl,-z,relro %{?_hardened_ldflags}
|
+%__global_ldflags -Wl,-z,relro %{_hardened_ldflags}
|
||||||
|
|
||||||
# Use these macros to differentiate between RH and other KMP implementation(s).
|
# Use these macros to differentiate between RH and other KMP implementation(s).
|
||||||
redhat_kernel_module_package 1
|
redhat_kernel_module_package 1
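Review bot: The new comment `# define _hardened_build to non-zero to enable` does not match the conditionals below it. `%{?_hardened_build:...}` expands whenever the macro is defined, whatever its value, so a spec that sets `%global _hardened_build 0` to opt out would still get both `-specs=` options. Either reword the comment to `# define _hardened_build (to any value) to enable; leave it undefined to disable`, or test the value instead of definedness. Separately, the explicit `-fPIE` and `-Wl,-z,now -pie` no longer appear in the macros, and the contents of redhat-hardened-cc1 and redhat-hardened-ld are not shown here, so it is worth confirming that they still apply PIE and immediate binding wherever the old flags did.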
|
||||||
|
|
|
@ -1,12 +1,20 @@
|
||||||
Summary: Red Hat specific rpm configuration files
|
Summary: Red Hat specific rpm configuration files
|
||||||
Name: redhat-rpm-config
|
Name: redhat-rpm-config
|
||||||
Version: 9.1.0
|
Version: 9.1.0
|
||||||
Release: 14%{?dist}
|
Release: 15%{?dist}
|
||||||
# No version specified.
|
# No version specified.
|
||||||
License: GPL+
|
License: GPL+
|
||||||
Group: Development/System
|
Group: Development/System
|
||||||
URL: http://git.fedoraproject.org/git/redhat-rpm-config
|
URL: http://git.fedoraproject.org/git/redhat-rpm-config
|
||||||
Source: redhat-rpm-config-%{version}.tar.bz2
|
Source: redhat-rpm-config-%{version}.tar.bz2
|
||||||
|
|
||||||
|
# these two implement automagic {c,ld}flags mangling for additional ELF
|
||||||
|
# hardening when _hardened_build is defined in a spec file. gcc 4.6.1-7.fc16
|
||||||
|
# or newer is needed for these to work; prior to that *self_specs was not
|
||||||
|
# exposed. If anything goes wrong, blame ajax@
|
||||||
|
Source1: redhat-hardened-cc1
|
||||||
|
Source2: redhat-hardened-ld
|
||||||
|
|
||||||
Patch0: redhat-rpm-config-9.1.0-strict-python-bytecompile.patch
|
Patch0: redhat-rpm-config-9.1.0-strict-python-bytecompile.patch
|
||||||
Patch1: redhat-rpm-config-9.1.0-fix-requires.patch
|
Patch1: redhat-rpm-config-9.1.0-fix-requires.patch
|
||||||
Patch2: redhat-rpm-config-9.1.0-no-strip-note.patch
|
Patch2: redhat-rpm-config-9.1.0-no-strip-note.patch
|
||||||
|
@ -44,6 +52,7 @@ Red Hat specific rpm configuration files.
|
||||||
%install
|
%install
|
||||||
make DESTDIR=${RPM_BUILD_ROOT} install
|
make DESTDIR=${RPM_BUILD_ROOT} install
|
||||||
cp -p %{_datadir}/libtool/config/config.{guess,sub} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat/
|
cp -p %{_datadir}/libtool/config/config.{guess,sub} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat/
|
||||||
|
install -m 0444 %{SOURCE1} %{SOURCE2} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat
|
||||||
find ${RPM_BUILD_ROOT} -name \*.orig -delete
|
find ${RPM_BUILD_ROOT} -name \*.orig -delete
|
||||||
# buggy makefile in 9.1.0 leaves changelog in wrong place
|
# buggy makefile in 9.1.0 leaves changelog in wrong place
|
||||||
find ${RPM_BUILD_ROOT} -name ChangeLog -delete
|
find ${RPM_BUILD_ROOT} -name ChangeLog -delete
|
||||||
|
@ -58,6 +67,10 @@ rm -rf ${RPM_BUILD_ROOT}
|
||||||
%{_sysconfdir}/rpm/*
|
%{_sysconfdir}/rpm/*
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Wed Aug 03 2011 Adam Jackson <ajax@redhat.com> 9.1.0-15
|
||||||
|
- redhat-hardened-{cc1,ld}: Move some of the rewrite magic to gcc specs so
|
||||||
|
we don't end up with both -fPIC and -fPIE on the command line
|
||||||
|
|
||||||
* Mon Aug 01 2011 Adam Jackson <ajax@redhat.com> 9.1.0-14
|
* Mon Aug 01 2011 Adam Jackson <ajax@redhat.com> 9.1.0-14
|
||||||
- redhat-rpm-config-9.1.0-hardened.patch: Add macro magic for %%_hardened_build
|
- redhat-rpm-config-9.1.0-hardened.patch: Add macro magic for %%_hardened_build
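Review bot: Nothing in the visible hunks enforces the compiler requirement stated in the new comment above `Source1`, which says gcc 4.6.1-7.fc16 or newer is needed because older compilers do not expose `*self_specs`. With an older gcc, a package that defines `_hardened_build` may fail to build or, worse, build without the intended hardening and give no error. A versioned dependency such as `Conflicts: gcc < 4.6.1-7` would turn that into an install-time failure. The preamble and `%files` list continue outside these hunks, so this may already be handled there. It is also worth checking that `%files` covers the two files installed by `install -m 0444 %{SOURCE1} %{SOURCE2} ${RPM_BUILD_ROOT}/usr/lib/rpm/redhat`.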
|
||||||
|
|
||||||
|
|