|
 |
12a457 |
From 1f7f3808abd42e5f1572114ace2a63a47609ecf9 Mon Sep 17 00:00:00 2001
|
|
|
cb8e9e |
From: Atin Mukherjee <amukherj@redhat.com>
|
|
|
cb8e9e |
Date: Wed, 3 Jun 2015 11:09:21 +0530
|
|
|
12a457 |
Subject: [PATCH 19/26] build: introduce security hardening flags in gluster
|
|
|
cb8e9e |
|
|
|
cb8e9e |
This patch introduces two of the security hardening compiler flags RELRO & PIE
|
|
|
cb8e9e |
in gluster codebase. Using _hardened_build as 1 doesn't guarantee the existance
|
|
|
cb8e9e |
of these flags in the compilation as different versions of RHEL have different
|
|
|
cb8e9e |
redhat-rpm-config macro. So the idea is to export these flags at spec file
|
|
|
cb8e9e |
level.
|
|
|
cb8e9e |
|
|
|
cb8e9e |
Label: DOWNSTREAM ONLY
|
|
|
cb8e9e |
|
|
|
cb8e9e |
Change-Id: I0a1a56d0a8f54f110d306ba5e55e39b1b073dc84
|
|
|
cb8e9e |
Signed-off-by: Atin Mukherjee <amukherj@redhat.com>
|
|
|
cb8e9e |
Reviewed-on: https://code.engineering.redhat.com/gerrit/49780
|
|
|
cb8e9e |
Reviewed-by: Balamurugan Arumugam <barumuga@redhat.com>
|
|
|
cb8e9e |
Tested-by: Balamurugan Arumugam <barumuga@redhat.com>
|
|
|
12a457 |
Reviewed-on: https://code.engineering.redhat.com/gerrit/60137
|
|
|
12a457 |
Tested-by: Milind Changire <mchangir@redhat.com>
|
|
|
cb8e9e |
---
|
|
|
12a457 |
glusterfs.spec.in | 22 ++++++++++++++++++++++
|
|
|
12a457 |
1 files changed, 22 insertions(+), 0 deletions(-)
|
|
|
cb8e9e |
|
|
|
cb8e9e |
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
|
|
|
12a457 |
index f807d50..6b4e11c 100644
|
|
|
cb8e9e |
--- a/glusterfs.spec.in
|
|
|
cb8e9e |
+++ b/glusterfs.spec.in
|
|
|
12a457 |
@@ -620,6 +620,25 @@ This package provides the translators needed on any GlusterFS client.
|
|
|
12a457 |
CFLAGS=-DUSE_INSECURE_OPENSSL
|
|
|
12a457 |
export CFLAGS
|
|
|
12a457 |
%endif
|
|
|
cb8e9e |
+# In RHEL7 few hardening flags are available by default, however the RELRO
|
|
|
cb8e9e |
+# default behaviour is partial, convert to full
|
|
|
cb8e9e |
+%if ( 0%{?rhel} && 0%{?rhel} >= 7 )
|
|
|
cb8e9e |
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
|
|
|
cb8e9e |
+export LDFLAGS
|
|
|
cb8e9e |
+%else
|
|
|
cb8e9e |
+%if ( 0%{?rhel} && 0%{?rhel} == 6 )
|
|
|
cb8e9e |
+CFLAGS="$RPM_OPT_FLAGS -fPIE -DPIE"
|
|
|
cb8e9e |
+LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro,-z,now"
|
|
|
cb8e9e |
+%else
|
|
|
cb8e9e |
+#It appears that with gcc-4.1.2 in RHEL5 there is an issue using both -fPIC and
|
|
|
cb8e9e |
+ # -fPIE that makes -z relro not work; -fPIE seems to undo what -fPIC does
|
|
|
12a457 |
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
|
|
|
cb8e9e |
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
|
|
|
cb8e9e |
+%endif
|
|
|
cb8e9e |
+export CFLAGS
|
|
|
cb8e9e |
+export LDFLAGS
|
|
|
cb8e9e |
+%endif
|
|
|
cb8e9e |
+
|
|
|
cb8e9e |
./autogen.sh && %configure \
|
|
|
cb8e9e |
%{?_with_cmocka} \
|
|
|
cb8e9e |
%{?_with_tmpfilesdir} \
|
|
|
12a457 |
@@ -1777,6 +1796,9 @@ end
|
|
|
12a457 |
* Fri Jun 12 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
12a457 |
- Added rsync as dependency to georeplication rpm (#1231213)
|
|
|
cb8e9e |
|
|
|
cb8e9e |
+* Thu Jun 11 2015 Atin Mukherjee <amukherj@redhat.com>
|
|
|
cb8e9e |
+- Security hardening flags inclusion (#1200815)
|
|
|
cb8e9e |
+
|
|
|
12a457 |
* Thu Jun 11 2015 Aravinda VK <avishwan@redhat.com>
|
|
|
12a457 |
- Added post hook for volume delete as part of glusterfind (#1225551)
|
|
|
cb8e9e |
|
|
|
cb8e9e |
--
|
|
|
cb8e9e |
1.7.1
|
|
|
cb8e9e |
|