Added hardening macros

Denis Silakov 2014-05-22 15:14:27 +04:00
parent 0bb402fd3e
commit e545c82e76
3 changed files with 56 additions and 1 deletions


@ -0,0 +1,36 @@
diff -Naur cpu-os-macros.orig/i586-linux/macros cpu-os-macros/i586-linux/macros
--- cpu-os-macros.orig/i586-linux/macros 2014-05-22 13:49:34.309259552 +0400
+++ cpu-os-macros/i586-linux/macros 2014-05-22 14:41:56.000000000 +0400
@@ -6,7 +6,7 @@
%_arch i386
%_os linux
%_gnu -gnu
-%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fomit-frame-pointer -mtune=generic}%{!?__common_cflags_with_ssp:-O2 -g -m32} -march=i586 -fasynchronous-unwind-tables
+%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fPIE -pie -fpie -Wformat-security -fomit-frame-pointer -mtune=generic}%{!?__common_cflags_with_ssp:-O2 -g -m32} -march=i586 -fasynchronous-unwind-tables
#==============================================================================
# ---- configure macros.
diff -Naur cpu-os-macros.orig/i686-linux/macros cpu-os-macros/i686-linux/macros
--- cpu-os-macros.orig/i686-linux/macros 2014-05-22 13:49:34.309259552 +0400
+++ cpu-os-macros/i686-linux/macros 2014-05-22 14:41:48.000000000 +0400
@@ -6,7 +6,7 @@
%_arch i386
%_os linux
%_gnu -gnu
-%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fomit-frame-pointer}%{!?__common_cflags_with_ssp:-O2 -g -m32 -mtune=generic} -march=i686 -fasynchronous-unwind-tables
+%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fomit-frame-pointer -fPIE -pie -fpie -Wformat-security}%{!?__common_cflags_with_ssp:-O2 -g -m32 -mtune=generic} -march=i686 -fasynchronous-unwind-tables
#==============================================================================
# ---- configure macros.
diff -Naur cpu-os-macros.orig/x86_64-linux/macros cpu-os-macros/x86_64-linux/macros
--- cpu-os-macros.orig/x86_64-linux/macros 2014-05-22 13:49:34.310259552 +0400
+++ cpu-os-macros/x86_64-linux/macros 2014-05-22 14:44:09.314521435 +0400
@@ -6,7 +6,7 @@
%_arch x86_64
%_os linux
%_gnu -gnu
-%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fPIC}%{!?__common_cflags_with_ssp:-O2 -g -m64 -mtune=generic}
+%optflags %{?__common_cflags_with_ssp:%{__common_cflags_with_ssp} -fPIE -pie -fpie -Wformat-security -fPIC}%{!?__common_cflags_with_ssp:-O2 -g -m64 -mtune=generic}
#==============================================================================
# ---- configure macros.
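Review bot: `-pie` is a link-mode option, but the new `%optflags` lines (i586, i686 and x86_64 alike) put it among the compile flags, and the `%ldflags` change in this commit does not add it. A package that links with `$LDFLAGS` alone would get PIE-compiled objects in a non-PIE executable, while a shared-library link that reuses `$CFLAGS` sees `-pie` next to `-shared`; on i586/i686 there is also no trailing `-fPIC` as on x86_64, so library objects are built with `-fpie` unless the package adds its own flag. I would keep one `-fPIE` in `%optflags` (the `-fpie` after it is redundant and, being last, is presumably the one that takes effect) and move `-pie` to the link side behind an opt-out in the style of the existing `_disable_ld_*` switches. The flags are added only inside the `%{?__common_cflags_with_ssp:...}` branch, so the fallback branch stays unhardened, and `-Wformat-security` does nothing unless `-Wformat` is already enabled, which is not visible here. Checking a few rebuilt binaries with `readelf -h` (type `DYN`) would confirm whether PIE is really applied.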


@ -0,0 +1,12 @@
diff -Naur rpm-5.4.10.orig/macros/mandriva.in rpm-5.4.10/macros/mandriva.in
--- rpm-5.4.10.orig/macros/mandriva.in 2014-05-22 14:47:17.000000000 +0400
+++ rpm-5.4.10/macros/mandriva.in 2014-05-22 15:03:31.704614385 +0400
@@ -352,7 +352,7 @@
%__libtoolize_configure %{?__libtoolize:(cd $CONFIGURE_TOP; [ ! -f configure.in -a ! -f configure.ac ] || %{__libtoolize} --copy --force)}
-%ldflags %{?!_disable_ld_as_needed: -Wl,--as-needed}%{?!_disable_ld_no_undefined: -Wl,--no-undefined}%{?!_disable_ld_relro: -Wl,-z,relro}%{?!_disable_ld_O1: -Wl,-O1}%{?!_disable_ld_build_id: -Wl,--build-id}%{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags}%{?!_disable_hash_style_gnu: -Wl,--hash-style=gnu}%{?_hardened_flags: %_hardened_flags}
+%ldflags %{?!_disable_ld_as_needed: -Wl,--as-needed}%{?!_disable_ld_no_undefined: -Wl,--no-undefined}%{?!_disable_ld_now: -Wl,-z,now}%{?!_disable_ld_relro: -Wl,-z,relro}%{?!_disable_ld_O1: -Wl,-O1}%{?!_disable_ld_build_id: -Wl,--build-id}%{?!_disable_ld_enable_new_dtags: -Wl,--enable-new-dtags}%{?!_disable_hash_style_gnu: -Wl,--hash-style=gnu}%{?_hardened_flags: %_hardened_flags}
%setup_compile_flags \
CFLAGS="${CFLAGS:-%optflags}" ; export CFLAGS ; \
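Review bot: The new `_disable_ld_now` switch in `%ldflags` is not documented in this hunk, and it is the knob a packager needs when a program loads plugins that depend on lazy symbol resolution. With `-Wl,-z,now` on by default, such modules fail at load time instead of at first call, so the way out should be easy to find. I would add a comment above `%ldflags`, for example `# -z now with -z relro makes the GOT read-only after startup (full RELRO); define _disable_ld_now for packages that need lazy binding`. The `%setup_compile_flags` definition that follows continues outside the visible lines.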


@ -59,7 +59,7 @@ Summary: The RPM package management system
Name: rpm Name: rpm
Epoch: 1 Epoch: 1
Version: %{libver}.%{minorver} Version: %{libver}.%{minorver}
Release: %{?prereldate:0.%{prereldate}.}28 Release: %{?prereldate:0.%{prereldate}.}29
License: LGPLv2.1+ License: LGPLv2.1+
Group: System/Configuration/Packaging Group: System/Configuration/Packaging
URL: http://rpm5.org/ URL: http://rpm5.org/
@ -476,6 +476,10 @@ Patch505: rpm-5.4.10-turn-back-urlgetfile.patch
# (see jbj mails in mailing lists) # (see jbj mails in mailing lists)
Patch506: rpm-5.4.10-nodejs-dependency-generator.patch Patch506: rpm-5.4.10-nodejs-dependency-generator.patch
# Use -fPIE and other hardening flags in builds by default
Patch507: rpm-5.4.10-cpu-os-macros-hardening.patch
Patch508: rpm-5.4.10-hardening.patch
BuildRequires: autoconf >= 2.57 BuildRequires: autoconf >= 2.57
BuildRequires: bzip2-devel BuildRequires: bzip2-devel
BuildRequires: automake >= 1.8 BuildRequires: automake >= 1.8
@ -883,6 +887,8 @@ This package contains the RPM API documentation generated in HTML format.
%patch504 -p1 -b .postpone_errors~ %patch504 -p1 -b .postpone_errors~
%patch505 -p1 -b .urlgetfile~ %patch505 -p1 -b .urlgetfile~
%patch506 -p1 -b .nodejs~ %patch506 -p1 -b .nodejs~
%patch508 -p1 -b .hardening~
#required by P55, P80, P81, P94.. #required by P55, P80, P81, P94..
./autogen.sh ./autogen.sh
@ -890,6 +896,7 @@ This package contains the RPM API documentation generated in HTML format.
mkdir -p cpu-os-macros mkdir -p cpu-os-macros
tar -zxf %{SOURCE3} -C cpu-os-macros tar -zxf %{SOURCE3} -C cpu-os-macros
%patch145 -p1 %patch145 -p1
%patch507 -p0 -b .hardening_cpu_os_macros~
%build %build
%configure2_5x --enable-nls \ %configure2_5x --enable-nls \