Enable building with hardening flags

Backport the patches required to make the hardening build flags work with
kexec-tools and makedumpfile, and enabld hardening flags in spec file.
This will make the pacakge pass all warnings for kexec and makedumpfile
reported by annocheck.

Didn't find any issue with basic tests with kexec and makedumpfile.

Signed-off-by: Kairui Song <kasong@redhat.com>
Acked-by: Dave Young <dyoung@redhat.com>
This commit is contained in:
Kairui Song 2019-02-11 11:20:28 +08:00
parent 159307d057
commit 2fc7312546
3 changed files with 80 additions and 2 deletions

View File

@ -0,0 +1,41 @@
From 2f007b48c581a81d7e95678b6bcb77cfbe177135 Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Tue, 29 Jan 2019 11:14:15 +0800
Subject: [PATCH] [PATCH v2] honor the CFLAGS from environment variables
This makes it possible to pass in extra cflags, for example, hardening
flags could be passed in with environment variable when building a
hardened package.
Also introduce a CFLAGS_BASE to hold common CFLAGS, which simplify the
CFLAGS definition.
Suggested-by: Kazuhito Hagio <k-hagio@ab.jp.nec.com>
Signed-off-by: Kairui Song <kasong@redhat.com>
---
Makefile | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/Makefile b/Makefile
index ea3c47d..bd681d2 100644
--- a/makedumpfile-1.6.5/Makefile
+++ b/makedumpfile-1.6.5/Makefile
@@ -8,11 +8,10 @@ ifeq ($(strip $CC),)
CC = gcc
endif
-CFLAGS = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \
- -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"'
-CFLAGS_ARCH = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
+CFLAGS_BASE := $(CFLAGS) -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
+ -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
+CFLAGS := $(CFLAGS_BASE) -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"'
+CFLAGS_ARCH := $(CFLAGS_BASE)
# LDFLAGS = -L/usr/local/lib -I/usr/local/include
HOST_ARCH := $(shell uname -m)
--
2.20.1

View File

@ -0,0 +1,34 @@
From c493af72ac796e8ab3f3f4299205bd402dcee861 Mon Sep 17 00:00:00 2001
From: Kairui Song <kasong@redhat.com>
Date: Mon, 28 Jan 2019 18:50:40 +0800
Subject: [PATCH] purgatory: Use standalond CFLAGS
There has been a lot of workarounds for purgatory disabling many
specified CFLAGS that will break purgatory. It will be better to not
let the CFLAGS used to compile purgatory honor the CFLAGS from
environment variables. So we will have stable CFLAGS for purgatory.
If anyone still wants to change purgatory CFLAGS, PURGATORY_EXTRA_CFLAGS
is still honored.
Signed-off-by: Simon Horman <horms@verge.net.au>
---
purgatory/Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/purgatory/Makefile b/purgatory/Makefile
index 49ce80a..2dd6c47 100644
--- a/purgatory/Makefile
+++ b/purgatory/Makefile
@@ -45,7 +45,7 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c
$(COMPILE.c) -o $@ $^
$(PURGATORY): CC=$(TARGET_CC)
-$(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \
+$(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \
$($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
-Os -fno-builtin -ffreestanding \
-fno-zero-initialized-in-bss \
--
2.20.1

View File

@ -61,8 +61,6 @@ BuildRequires: automake autoconf libtool
Obsoletes: diskdumputils netdump kexec-tools-eppic Obsoletes: diskdumputils netdump kexec-tools-eppic
%endif %endif
%undefine _hardened_build
#START INSERT #START INSERT
# #
@ -87,6 +85,8 @@ Obsoletes: diskdumputils netdump kexec-tools-eppic
# #
# Patches 601 onward are generic patches # Patches 601 onward are generic patches
# #
Patch601: kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
Patch602: kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
%description %description
kexec-tools provides /sbin/kexec binary that facilitates a new kexec-tools provides /sbin/kexec binary that facilitates a new
@ -102,6 +102,9 @@ mkdir -p -m755 kcp
tar -z -x -v -f %{SOURCE9} tar -z -x -v -f %{SOURCE9}
tar -z -x -v -f %{SOURCE19} tar -z -x -v -f %{SOURCE19}
%patch601 -p1
%patch602 -p1
%ifarch ppc %ifarch ppc
%define archdef ARCH=ppc %define archdef ARCH=ppc
%endif %endif