Enable building with hardening flags
Backport the patches required to make the hardening build flags work with kexec-tools and makedumpfile, and enabld hardening flags in spec file. This will make the pacakge pass all warnings for kexec and makedumpfile reported by annocheck. Didn't find any issue with basic tests with kexec and makedumpfile. Signed-off-by: Kairui Song <kasong@redhat.com> Acked-by: Dave Young <dyoung@redhat.com>
This commit is contained in:
parent
159307d057
commit
2fc7312546
@ -0,0 +1,41 @@
|
|||||||
|
From 2f007b48c581a81d7e95678b6bcb77cfbe177135 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kairui Song <kasong@redhat.com>
|
||||||
|
Date: Tue, 29 Jan 2019 11:14:15 +0800
|
||||||
|
Subject: [PATCH] [PATCH v2] honor the CFLAGS from environment variables
|
||||||
|
|
||||||
|
This makes it possible to pass in extra cflags, for example, hardening
|
||||||
|
flags could be passed in with environment variable when building a
|
||||||
|
hardened package.
|
||||||
|
|
||||||
|
Also introduce a CFLAGS_BASE to hold common CFLAGS, which simplify the
|
||||||
|
CFLAGS definition.
|
||||||
|
|
||||||
|
Suggested-by: Kazuhito Hagio <k-hagio@ab.jp.nec.com>
|
||||||
|
Signed-off-by: Kairui Song <kasong@redhat.com>
|
||||||
|
---
|
||||||
|
Makefile | 9 ++++-----
|
||||||
|
1 file changed, 4 insertions(+), 5 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/Makefile b/Makefile
|
||||||
|
index ea3c47d..bd681d2 100644
|
||||||
|
--- a/makedumpfile-1.6.5/Makefile
|
||||||
|
+++ b/makedumpfile-1.6.5/Makefile
|
||||||
|
@@ -8,11 +8,10 @@ ifeq ($(strip $CC),)
|
||||||
|
CC = gcc
|
||||||
|
endif
|
||||||
|
|
||||||
|
-CFLAGS = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
|
||||||
|
- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE \
|
||||||
|
- -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"'
|
||||||
|
-CFLAGS_ARCH = -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
|
||||||
|
- -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
|
||||||
|
+CFLAGS_BASE := $(CFLAGS) -g -O2 -Wall -D_FILE_OFFSET_BITS=64 \
|
||||||
|
+ -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE
|
||||||
|
+CFLAGS := $(CFLAGS_BASE) -DVERSION='"$(VERSION)"' -DRELEASE_DATE='"$(DATE)"'
|
||||||
|
+CFLAGS_ARCH := $(CFLAGS_BASE)
|
||||||
|
# LDFLAGS = -L/usr/local/lib -I/usr/local/include
|
||||||
|
|
||||||
|
HOST_ARCH := $(shell uname -m)
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
34
kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
Normal file
34
kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
Normal file
@ -0,0 +1,34 @@
|
|||||||
|
From c493af72ac796e8ab3f3f4299205bd402dcee861 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Kairui Song <kasong@redhat.com>
|
||||||
|
Date: Mon, 28 Jan 2019 18:50:40 +0800
|
||||||
|
Subject: [PATCH] purgatory: Use standalond CFLAGS
|
||||||
|
|
||||||
|
There has been a lot of workarounds for purgatory disabling many
|
||||||
|
specified CFLAGS that will break purgatory. It will be better to not
|
||||||
|
let the CFLAGS used to compile purgatory honor the CFLAGS from
|
||||||
|
environment variables. So we will have stable CFLAGS for purgatory.
|
||||||
|
|
||||||
|
If anyone still wants to change purgatory CFLAGS, PURGATORY_EXTRA_CFLAGS
|
||||||
|
is still honored.
|
||||||
|
|
||||||
|
Signed-off-by: Simon Horman <horms@verge.net.au>
|
||||||
|
---
|
||||||
|
purgatory/Makefile | 2 +-
|
||||||
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||||
|
|
||||||
|
diff --git a/purgatory/Makefile b/purgatory/Makefile
|
||||||
|
index 49ce80a..2dd6c47 100644
|
||||||
|
--- a/purgatory/Makefile
|
||||||
|
+++ b/purgatory/Makefile
|
||||||
|
@@ -45,7 +45,7 @@ purgatory/sha256.o: $(srcdir)/util_lib/sha256.c
|
||||||
|
$(COMPILE.c) -o $@ $^
|
||||||
|
|
||||||
|
$(PURGATORY): CC=$(TARGET_CC)
|
||||||
|
-$(PURGATORY): CFLAGS+=$(PURGATORY_EXTRA_CFLAGS) \
|
||||||
|
+$(PURGATORY): CFLAGS=$(PURGATORY_EXTRA_CFLAGS) \
|
||||||
|
$($(ARCH)_PURGATORY_EXTRA_CFLAGS) \
|
||||||
|
-Os -fno-builtin -ffreestanding \
|
||||||
|
-fno-zero-initialized-in-bss \
|
||||||
|
--
|
||||||
|
2.20.1
|
||||||
|
|
@ -61,8 +61,6 @@ BuildRequires: automake autoconf libtool
|
|||||||
Obsoletes: diskdumputils netdump kexec-tools-eppic
|
Obsoletes: diskdumputils netdump kexec-tools-eppic
|
||||||
%endif
|
%endif
|
||||||
|
|
||||||
%undefine _hardened_build
|
|
||||||
|
|
||||||
#START INSERT
|
#START INSERT
|
||||||
|
|
||||||
#
|
#
|
||||||
@ -87,6 +85,8 @@ Obsoletes: diskdumputils netdump kexec-tools-eppic
|
|||||||
#
|
#
|
||||||
# Patches 601 onward are generic patches
|
# Patches 601 onward are generic patches
|
||||||
#
|
#
|
||||||
|
Patch601: kexec-tools-2.0.18-purgatory-Use-standalond-CFLAGS.patch
|
||||||
|
Patch602: kexec-tools-2.0.18-makedumpfiles-honor-the-CFLAGS-from-environment.patch
|
||||||
|
|
||||||
%description
|
%description
|
||||||
kexec-tools provides /sbin/kexec binary that facilitates a new
|
kexec-tools provides /sbin/kexec binary that facilitates a new
|
||||||
@ -102,6 +102,9 @@ mkdir -p -m755 kcp
|
|||||||
tar -z -x -v -f %{SOURCE9}
|
tar -z -x -v -f %{SOURCE9}
|
||||||
tar -z -x -v -f %{SOURCE19}
|
tar -z -x -v -f %{SOURCE19}
|
||||||
|
|
||||||
|
%patch601 -p1
|
||||||
|
%patch602 -p1
|
||||||
|
|
||||||
%ifarch ppc
|
%ifarch ppc
|
||||||
%define archdef ARCH=ppc
|
%define archdef ARCH=ppc
|
||||||
%endif
|
%endif
|
||||||
|
Loading…
Reference in New Issue
Block a user