buildah-1.19.0-0.12.dev.git75ae8be

- harden cgo binaries Reported-by: Wade Mealing <wmealing@gmail.com> Signed-off-by: Lokesh Mandvekar <lsm5@fedoraproject.org>
2020-12-04 23:20:04 -05:00 · 2020-12-04 23:20:04 -05:00 · 66d964f058
commit 66d964f058
parent b2ea6398b5
1 changed files with 12 additions and 1 deletions
--- a/buildah.spec
+++ b/buildah.spec
@ -35,7 +35,7 @@

 Name: %{repo}
 Version: 1.19.0
-Release: 0.11.dev.git%{shortcommit0}%{?dist}
+Release: 0.12.dev.git%{shortcommit0}%{?dist}
 Summary: A command line tool used for creating OCI Images
 License: ASL 2.0
 URL: https://%{name}.io
@ -115,6 +115,13 @@ mv vendor src

 export GOPATH=$(pwd)/_build:$(pwd)
 export BUILDTAGS='seccomp selinux'
+export CGO_CFLAGS='-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE -D_FILE_OFFSET_BITS=64'
+%ifarch x86_64
+export CGO_CFLAGS="$CGO_CFLAGS -m64 -mtune=generic -fcf-protection"
+%endif
+# These extra flags present in %%{optflags} have been skipped for now as they break the build
+#export CGO_CFLAGS="$CGO_CFLAGS -flto=auto -Wp,D_GLIBCXX_ASSERTIONS -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1"
+
 %if 0%{?centos} >= 8
 export BUILDTAGS+=' exclude_graphdriver_btrfs'
 %endif
@ -149,6 +156,10 @@ cp bin/imgtype %{buildroot}/%{_bindir}/%{name}-imgtype
 %{_datadir}/%{name}/test

 %changelog
+* Sat Dec  5 2020 Lokesh Mandvekar <lsm5@fedoraproject.org> - 1.19.0-0.12.dev.git75ae8be
+- harden cgo binaries
+- Reported-by: Wade Mealing <wmealing@gmail.com>
+
 * Wed Dec  2 2020 RH Container Bot <rhcontainerbot@fedoraproject.org> - 1.19.0-0.11.dev.git75ae8be
 - autobuilt 75ae8be