authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2021-02-10 08:00:38 -0500
committerGitHub <noreply@github.com>2021-02-10 08:00:38 -0500
commit629a9796e5be3f239928600613170e430c3e17b7 (patch)
treeeb88555f6c9161676ab1a92d5330866760b4717c
parent055e2dda3a1888d319d542abe8735e791e736451 (diff)
parent21deafba85b21aa76ccd464c620dfa45085fc90f (diff)
Merge pull request #9291 from lsm5/fedora-rpm-binary-hardening
hardening flags for fedora rpmbuilds
-rw-r--r--contrib/spec/podman.spec.in23
1 files changed, 23 insertions, 0 deletions
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index db79ebede..662234f71 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -380,6 +380,29 @@ tar zxf %{SOURCE1}
%build
mkdir _build
pushd _build
+
+# These flags should work for all rpm distros and arches
+export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+
+%if 0%{?fedora} || 0%{?rhel}
+# This flag is only present on RH-family distros
+export CGO_CFLAGS+=" -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1"
+%endif
+
+%ifnarch %{ix86}
+# Build fails on i686 with this flag
+export CGO_CFLAGS+=" -D_FILE_OFFSET_BITS=64"
+%endif
+
+%ifarch x86_64
+# Builds only on x86_64 with this flag
+export CGO_CFLAGS+=" -m64 -mtune=generic"
+%if 0%{?fedora} || 0%{?rhel} >= 8
+# Build fails on rhel7 and non-86_64 with this flag
+export CGO_CFLAGS+=" -fcf-protection"
+%endif
+%endif
+
mkdir -p src/%{provider}.%{provider_tld}/%{project}
ln -s ../../../../ src/%{import_path}
popd
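Review bot: The `%if 0%{?fedora} || 0%{?rhel}` block enables only the compiler-side hardening spec (`-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1`) and never touches `CGO_LDFLAGS`, so the link-side counterpart that yields full RELRO/BIND_NOW output is missing; add `export CGO_LDFLAGS+=" -specs=/usr/lib/rpm/redhat/redhat-hardened-ld"` inside the same `%if`, or set `export CGO_LDFLAGS="%{?build_ldflags}"` next to the `CGO_CFLAGS` export so both sides follow the distro policy. Whether the final podman binary is actually PIE also depends on the `go build` invocation later in `%build` (outside this hunk) passing `-buildmode=pie`, which cannot be confirmed from here. The hand-maintained flag list under "These flags should work for all rpm distros and arches" duplicates what redhat-rpm-config already exposes as `%{build_cflags}` on Fedora and RHEL 8+; initialising from `%{?build_cflags}` and appending the distro-agnostic list only when that macro is empty would keep the package from drifting when the distro hardening policy changes. The `%build` section continues past the end of the hunk.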