From fb419e813d9cd707e98888cbe1c1d0bd327e72cb Mon Sep 17 00:00:00 2001
From: Atin Mukherjee <amukherj@redhat.com>
Date: Wed, 3 Jun 2015 11:09:21 +0530
Subject: [PATCH 51/57] build: introduce security hardening flags in gluster
This patch introduces two of the security hardening compiler flags RELRO & PIE
in gluster codebase. Using _hardened_build as 1 doesn't guarantee the existence
of these flags in the compilation as different versions of RHEL have different
redhat-rpm-config macro. So the idea is to export these flags at spec file
level.
Label: DOWNSTREAM ONLY
Change-Id: I0a1a56d0a8f54f110d306ba5e55e39b1b073dc84
BUG: 1200815
Signed-off-by: Atin Mukherjee <amukherj@redhat.com>
Reviewed-on: https://code.engineering.redhat.com/gerrit/49780
Reviewed-by: Balamurugan Arumugam <barumuga@redhat.com>
Tested-by: Balamurugan Arumugam <barumuga@redhat.com>
---
glusterfs.spec.in | 26 ++++++++++++++++++++++----
1 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index 33d0e7e..3fcc00e 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -612,10 +612,25 @@ This package provides the translators needed on any GlusterFS client.
%setup -q -n %{name}-%{version}%{?prereltag}
%build
-# For whatever reason, install-sh is sometimes missing. When this gets fixed,
-# there is no need to run ./autogen or have a BuildRequires for automake.
-./autogen.sh
-%configure \
+# In RHEL7 few hardening flags are available by default, however the RELRO
+# default behaviour is partial, convert to full
+%if ( 0%{?rhel} && 0%{?rhel} >= 7 )
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
+export LDFLAGS
+%else
+%if ( 0%{?rhel} && 0%{?rhel} == 6 )
+CFLAGS="$RPM_OPT_FLAGS -fPIE -DPIE"
+LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro,-z,now"
+%else
+#It appears that with gcc-4.1.2 in RHEL5 there is an issue using both -fPIC and
+ # -fPIE that makes -z relro not work; -fPIE seems to undo what -fPIC does
+CFLAGS="$RPM_OPT_FLAGS"
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
+%endif
+export CFLAGS
+export LDFLAGS
+%endif
+
./autogen.sh && %configure \
%{?_with_cmocka} \
%{?_with_tmpfilesdir} \
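Review bot: On the `%if ( 0%{?rhel} && 0%{?rhel} >= 7 )` branch only `LDFLAGS` is extended, so PIE on RHEL 7 still depends on `_hardened_build`, which the commit message itself says cannot be relied on across redhat-rpm-config versions; whether the spec sets that macro is not visible in this hunk. The final `%else` branch (RHEL 5 according to its comment, though it is also taken whenever `%{?rhel}` is unset) drops `-fPIE`/`-pie` altogether, so the resulting hardening differs per build target and nothing in the spec checks what was actually produced. I would add a post-build check (for example in `%check`) that fails when a daemon binary lacks the expected properties, such as `readelf -hW <binary> | grep -q 'Type:.*DYN'` for PIE and `readelf -dW <binary> | grep -Eq 'BIND_NOW|FLAGS.*NOW'` for full RELRO. The two comment lines in that last branch are also formatted inconsistently (`#It appears` versus the indented ` # -fPIE`), and the `%configure` invocation continues past the end of the hunk.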
@@ -1735,6 +1750,9 @@ end
%endif
%changelog
+* Thu Jun 11 2015 Atin Mukherjee <amukherj@redhat.com>
+- Security hardening flags inclusion (#1200815)
+
* Wed Jun 10 2015 Niels de Vos <ndevos@redhat.com>
- Fix building on RHEL-5 based distributions
--
1.7.1