Improve hardening flags for EL-6 & EL-7

Ensure all binaries are hardened when building on EL-6 & EL-7. On EL-7 use the %{_hardened_build} macro. On EL-6 update %{optflags} and set %{__global_ldflags}. For EL-7 this could also be put in the existing Fedora and EL >= 7 condition, e.g.: %{!?_hardened_build: %global _hardened_build 1}. I think this is a bit uglier than needed and is better in an %if condition which only applied to EL-7.
2018-02-23 23:00:28 -05:00 · 2018-02-23 23:00:28 -05:00 · 0609eef4e2
commit 0609eef4e2
parent 04982344f3
1 changed files with 12 additions and 3 deletions
--- a/git.spec
+++ b/git.spec
@ -30,9 +30,15 @@
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %endif

-# Settings for EL <= 7
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+# Hardening flags for EL-7
+%if 0%{?rhel} == 7
+%global _hardened_build     1
+%endif
+
+# Hardening flags for EL-6
+%if 0%{?rhel} == 6
+%global optflags            %{optflags} -fPIC -pie
+%global __global_ldflags    -Wl,-z,relro -Wl,-z,now
 %endif

 # Test links in HTML documentation on Fedora (linkchecker is not in EL)
@ -786,6 +792,9 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/*svn*.html}

 %changelog
+* Fri Feb 23 2018 Todd Zullinger <tmz@pobox.com>
+- Improve hardening flags for EL-6 & EL-7
+
 * Fri Feb 16 2018 Todd Zullinger <tmz@pobox.com> - 2.16.2-1
 - Update to 2.16.2
 - Add gawk, gcc, make, and sed BuildRequires