From 0609eef4e2dd628e7dc7fe4ade3ec04a11f89204 Mon Sep 17 00:00:00 2001
From: Todd Zullinger
Date: Fri, 23 Feb 2018 23:00:28 -0500
Subject: [PATCH] Improve hardening flags for EL-6 & EL-7

Ensure all binaries are hardened when building on EL-6 & EL-7. On EL-7 use the %{_hardened_build} macro. On EL-6 update %{optflags} and set %{__global_ldflags}. For EL-7 this could also be put in the existing Fedora and EL >= 7 condition, e.g.: %{!?_hardened_build: %global _hardened_build 1}. I think this is a bit uglier than needed and is better in an %if condition which only applied to EL-7.
---
 git.spec | 15 ++++++++++++---
 1 file changed, 12 insertions(+), 3 deletions(-)

diff --git a/git.spec b/git.spec
index 017f48a..0586bfb 100644
--- a/git.spec
+++ b/git.spec
@@ -30,9 +30,15 @@
 %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{name}-%{version}}
 %endif
 
-# Settings for EL <= 7
-%if 0%{?rhel} && 0%{?rhel} <= 7
-%{!?__global_ldflags: %global __global_ldflags -Wl,-z,relro}
+# Hardening flags for EL-7
+%if 0%{?rhel} == 7
+%global _hardened_build 1
+%endif
+
+# Hardening flags for EL-6
+%if 0%{?rhel} == 6
+%global optflags %{optflags} -fPIC -pie
+%global __global_ldflags -Wl,-z,relro -Wl,-z,now
 %endif
 
 # Test links in HTML documentation on Fedora (linkchecker is not in EL)
@@ -786,6 +792,9 @@ make test || ./print-failed-test-output
 %{?with_docs:%{_pkgdocdir}/*svn*.html}
 
 %changelog
+* Fri Feb 23 2018 Todd Zullinger
+- Improve hardening flags for EL-6 & EL-7
+
 * Fri Feb 16 2018 Todd Zullinger - 2.16.2-1
 - Update to 2.16.2
 - Add gawk, gcc, make, and sed BuildRequires
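Review bot: In the EL-6 block of the first hunk, `-pie` is a link-time option but it is appended to `%{optflags}`, while `%{__global_ldflags}` carries only `-Wl,-z,relro -Wl,-z,now`. Binaries therefore come out position-independent only if every link command in the build also receives the compiler flags, and the hunk does not show how either macro is consumed. I would record that dependency above the line, e.g. `# -pie rides in optflags: PIE depends on CFLAGS being passed at link time`, and confirm on an EL-6 build that the installed executables are ELF type DYN with BIND_NOW set. The new `%global __global_ldflags ...` is also unconditional, unlike the removed `%{!?__global_ldflags: ...}` form, so a short comment saying the override is deliberate would help the next maintainer.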