From b592ce68be630892b3ffc28e1a7696c144cef3e2 Mon Sep 17 00:00:00 2001 From: Atin Mukherjee Date: Wed, 3 Jun 2015 11:09:21 +0530 Subject: [PATCH 11/86] build: introduce security hardening flags in gluster This patch introduces two of the security hardening compiler flags RELRO & PIE in gluster codebase. Using _hardened_build as 1 doesn't guarantee the existance of these flags in the compilation as different versions of RHEL have different redhat-rpm-config macro. So the idea is to export these flags at spec file level. Label: DOWNSTREAM ONLY Change-Id: I0a1a56d0a8f54f110d306ba5e55e39b1b073dc84 Signed-off-by: Atin Mukherjee Reviewed-on: https://code.engineering.redhat.com/gerrit/49780 Reviewed-by: Balamurugan Arumugam Tested-by: Balamurugan Arumugam Reviewed-on: https://code.engineering.redhat.com/gerrit/60137 Tested-by: Milind Changire
---
 glusterfs.spec.in | 25 +++++++++++++++++++++++--
 1 files changed, 23 insertions(+), 2 deletions(-)
diff --git a/glusterfs.spec.in b/glusterfs.spec.in
index 54f8ecd..bc413b9 100644
--- a/glusterfs.spec.in
+++ b/glusterfs.spec.in
@@ -612,6 +612,24 @@ This package provides the translators needed on any GlusterFS client.
 CFLAGS=-DUSE_INSECURE_OPENSSL
 export CFLAGS
 %endif
+# In RHEL7 few hardening flags are available by default, however the RELRO
+# default behaviour is partial, convert to full
+%if ( 0%{?rhel} && 0%{?rhel} >= 7 )
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
+export LDFLAGS
+%else
+%if ( 0%{?rhel} && 0%{?rhel} == 6 )
+CFLAGS="$RPM_OPT_FLAGS -fPIE -DPIE"
+LDFLAGS="$RPM_LD_FLAGS -pie -Wl,-z,relro,-z,now"
+%else
+#It appears that with gcc-4.1.2 in RHEL5 there is an issue using both -fPIC and
+ # -fPIE that makes -z relro not work; -fPIE seems to undo what -fPIC does
+CFLAGS="$CFLAGS $RPM_OPT_FLAGS"
+LDFLAGS="$RPM_LD_FLAGS -Wl,-z,relro,-z,now"
+%endif
+export CFLAGS
+export LDFLAGS
+%endif
 
 ./autogen.sh && %configure \
 %{?_with_cmocka} \
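Review bot: The `%if ( 0%{?rhel} && 0%{?rhel} >= 7 )` branch only appends `-Wl,-z,relro,-z,now` to LDFLAGS and never adds `-fPIE`/`-pie`, so PIE on RHEL 7 still rests on the redhat-rpm-config defaults that the commit message itself describes as not guaranteed. The final `%else` is commented as the RHEL5 case but is also taken whenever `%{?rhel}` is undefined, and that path gets full RELRO without PIE unless `$RPM_OPT_FLAGS` already carries it; the comment should say so, e.g. `# RHEL5 and non-RHEL builds: full RELRO only, no PIE (gcc-4.1.2 -fPIC/-fPIE conflict)`. Nothing in the hunk verifies the outcome, and the RHEL 6 branch passes `-fPIE`/`-pie` globally to a build that presumably also links shared objects, so a post-build check on the installed ELF files would confirm the flags took effect, for example `readelf -d <installed-binary> | grep BIND_NOW` and `readelf -h <installed-binary> | grep 'Type:'`. The %build section this code sits in starts and ends outside the hunk.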
@@ -1802,8 +1820,11 @@ end
 * Fri Jun 12 2015 Aravinda VK
 - Added rsync as dependency to georeplication rpm (#1231205)
 
-* Tue Jun 02 2015 Aravinda VK
-- Added post hook for volume delete as part of glusterfind (#1225465)
+* Thu Jun 11 2015 Atin Mukherjee
+- Security hardening flags inclusion (#1200815)
+
+* Thu Jun 11 2015 Aravinda VK
+- Added post hook for volume delete as part of glusterfind (#1225551)
 
 * Wed May 27 2015 Aravinda VK
 - Added stop-all-gluster-processes.sh in glusterfs-server section (#1204641)
-- 
1.7.1