summaryrefslogtreecommitdiff
path: root/contrib/spec
diff options
context:
space:
mode:
authorLokesh Mandvekar <lsm5@fedoraproject.org>2021-02-09 15:46:11 -0500
committerLokesh Mandvekar <lsm5@fedoraproject.org>2021-02-09 15:48:43 -0500
commit21deafba85b21aa76ccd464c620dfa45085fc90f (patch)
tree256247b293bc1aebe758d201f62da5673b334e27 /contrib/spec
parent8600c3b8e2436d73c7c13deb0da869b7f35069ea (diff)
downloadpodman-21deafba85b21aa76ccd464c620dfa45085fc90f.tar.gz
podman-21deafba85b21aa76ccd464c620dfa45085fc90f.tar.bz2
podman-21deafba85b21aa76ccd464c620dfa45085fc90f.zip
hardening flags for fedora rpmbuilds
This commit sets the CGO_CFLAGS variable for hardening the Fedora rpm binaries. The flags used are the same as those in the official Fedora rpms. Setting the flags in upstream spec would provide early warnings for flag adjustments or other hardening issues. Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
Diffstat (limited to 'contrib/spec')
-rw-r--r--contrib/spec/podman.spec.in23
1 files changed, 23 insertions, 0 deletions
diff --git a/contrib/spec/podman.spec.in b/contrib/spec/podman.spec.in
index db79ebede..662234f71 100644
--- a/contrib/spec/podman.spec.in
+++ b/contrib/spec/podman.spec.in
@@ -380,6 +380,29 @@ tar zxf %{SOURCE1}
%build
mkdir _build
pushd _build
+
+# These flags should work for all rpm distros and arches
+export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
+
+%if 0%{?fedora} || 0%{?rhel}
+# This flag is only present on RH-family distros
+export CGO_CFLAGS+=" -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1"
+%endif
+
+%ifnarch %{ix86}
+# Build fails on i686 with this flag
+export CGO_CFLAGS+=" -D_FILE_OFFSET_BITS=64"
+%endif
+
+%ifarch x86_64
+# Builds only on x86_64 with this flag
+export CGO_CFLAGS+=" -m64 -mtune=generic"
+%if 0%{?fedora} || 0%{?rhel} >= 8
+# Build fails on rhel7 and non-86_64 with this flag
+export CGO_CFLAGS+=" -fcf-protection"
+%endif
+%endif
+
mkdir -p src/%{provider}.%{provider_tld}/%{project}
ln -s ../../../../ src/%{import_path}
popd