|
 |
a3470f |
From ada27d07526acb0ef09f37de7f364fa3dcea0b36 Mon Sep 17 00:00:00 2001
|
|
|
a3470f |
From: Atin Mukherjee <amukherj@redhat.com>
|
|
|
a3470f |
Date: Wed, 3 Jun 2015 11:09:21 +0530
|
|
|
a3470f |
Subject: [PATCH 11/74] build: introduce security hardening flags in gluster
|
|
|
a3470f |
|
|
|
a3470f |
This patch introduces two of the security hardening compiler flags RELRO & PIE
|
|
|
a3470f |
in gluster codebase. Using _hardened_build as 1 doesn't guarantee the existance
|
|
|
a3470f |
of these flags in the compilation as different versions of RHEL have different
|
|
|
a3470f |
redhat-rpm-config macro. So the idea is to export these flags at spec file
|
|
|
a3470f |
level.
|
|
|
a3470f |
|
|
|
a3470f |
Label: DOWNSTREAM ONLY
|
|
|
a3470f |
|
|
|
a3470f |
Change-Id: I0a1a56d0a8f54f110d306ba5e55e39b1b073dc84
|
|
|
a3470f |
Signed-off-by: Atin Mukherjee <amukherj@redhat.com>
|
|
|
a3470f |
Reviewed-on: https://code.engineering.redhat.com/gerrit/49780
|
|
|
a3470f |
Reviewed-by: Balamurugan Arumugam <barumuga@redhat.com>
|
|
|
a3470f |
Tested-by: Balamurugan Arumugam <barumuga@redhat.com>
|
|
|
a3470f |
Reviewed-on: https://code.engineering.redhat.com/gerrit/60137
|
|
|
a3470f |
Tested-by: Milind Changire <mchangir@redhat.com>
|
|
|
a3470f |
---
|
|
|
a3470f |
glusterfs.spec.in | 25 +++++++++++++++++++++++--
|
|
|
a3470f |
1 file changed, 23 insertions(+), 2 deletions(-)
|
|
|
a3470f |
|
|
|
a3470f |
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
|
|
|
a3470f |
index dbdb818..458b8bc 100644
|
|
|
a3470f |
--- a/glusterfs.spec.in
|
|
|
a3470f |
+++ b/glusterfs.spec.in
|
|
|
a3470f |
@@ -709,6 +709,24 @@ GlusterFS Events
|
|
|
a3470f |
CFLAGS=-DUSE_INSECURE_OPENSSL
|
|
|
a3470f |
export CFLAGS
|
|
|
a3470f |
%endif
|
|
|
a3470f |
+# In RHEL7 few hardening flags are available by default, however the RELRO
|
|
|
a3470f |
+# default behaviour is partial, convert to full
|
|
|
a3470f |
+%if ( 0%{?rhel} && 0%{?rhel} >= 7 )
|
|
|
a3470f |
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
|
|
|
a3470f |
+export LDFLAGS
|
|
|
a3470f |
+%else
|
|
|
a3470f |
+%if ( 0%{?rhel} && 0%{?rhel} == 6 )
|
|
|
a3470f |
+CFLAGS="$RPM_OPT_FLAGS -fPIE -DPIE"
|
|
|
a3470f |
+LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro,-z,now"
|
|
|
a3470f |
+%else
|
|
|
a3470f |
+#It appears that with gcc-4.1.2 in RHEL5 there is an issue using both -fPIC and
|
|
|
a3470f |
+ # -fPIE that makes -z relro not work; -fPIE seems to undo what -fPIC does
|
|
|
a3470f |
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
|
|
a3470f |
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
|
|
|
a3470f |
+%endif
|
|
|
a3470f |
+export CFLAGS
|
|
|
a3470f |
+export LDFLAGS
|
|
|
a3470f |
+%endif
|
|
|
a3470f |
|
|
|
a3470f |
./autogen.sh && %configure \
|
|
|
a3470f |
%{?_with_cmocka} \
|
|
|
a3470f |
@@ -2110,8 +2128,11 @@ end
|
|
|
a3470f |
* Fri Jun 12 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
a3470f |
- Added rsync as dependency to georeplication rpm (#1231205)
|
|
|
a3470f |
|
|
|
a3470f |
-* Tue Jun 02 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
a3470f |
-- Added post hook for volume delete as part of glusterfind (#1225465)
|
|
|
a3470f |
+* Thu Jun 11 2015 Atin Mukherjee <amukherj@redhat.com>
|
|
|
a3470f |
+- Security hardening flags inclusion (#1200815)
|
|
|
a3470f |
+
|
|
|
a3470f |
+* Thu Jun 11 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
a3470f |
+- Added post hook for volume delete as part of glusterfind (#1225551)
|
|
|
a3470f |
|
|
|
a3470f |
* Wed May 27 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
a3470f |
- Added stop-all-gluster-processes.sh in glusterfs-server section (#1204641)
|
|
|
a3470f |
--
|
|
|
a3470f |
1.8.3.1
|
|
|
a3470f |
|