* Thu May 13 2021 Christine Caulfield <ccaulfie@redhat.com> - 1.21-2

- add -fstack-clash-protection to the build. For the CI Resolves: rhbz#1954551
2021-05-13 11:17:54 +01:00 · 2021-05-13 11:17:54 +01:00 · 1260265d62
commit 1260265d62
parent c2a470a6c3
2 changed files with 66 additions and 1 deletions
--- a/bz1954551-enable-stack-clash-protection.patch
+++ b/bz1954551-enable-stack-clash-protection.patch
@ -0,0 +1,58 @@
+commit e13b7c74634c511d44603a203a328f4d67920321
+Author: Christine Caulfield <ccaulfie@redhat.com>
+Date:   Mon May 10 13:00:58 2021 +0100
+
+    [build] Add -fstack-clash-protection to release builds
+    
+    CentOS Stream CI insists on this but it's generally a 'good thing'
+
+diff --git a/configure.ac b/configure.ac
+index e429dcc..020cbe1 100644
+--- a/configure.ac
+++ b/configure.ac
+@@ -173,6 +173,23 @@ AC_ARG_ENABLE([libnozzle],
+ 
+ AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
+ 
+## local helper functions
+# this function checks if CC support options passed as
+# args. Global CPPFLAGS are ignored during this test.
+cc_supports_flag() {
+	saveCPPFLAGS="$CPPFLAGS"
+	CPPFLAGS="$@"
+	if echo $CC | grep -q clang; then
+		CPPFLAGS="-Werror $CPPFLAGS"
+	fi
+	AC_MSG_CHECKING([whether $CC supports "$@"])
+	AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+			  [RC=0; AC_MSG_RESULT([yes])],
+			  [RC=1; AC_MSG_RESULT([no])])
+	CPPFLAGS="$saveCPPFLAGS"
+	return $RC
+}
+
+ # Checks for libraries.
+ AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
+ saved_LIBS="$LIBS"
+@@ -297,12 +314,20 @@ AC_ARG_WITH([testdir],
+ 
+ AC_SUBST([TESTDIR])
+ 
+# Check for availablility of hardening options
+HARDENING_FLAGS="-fstack-clash-protection"
+for j in $HARDENING_FLAGS; do
+    if cc_supports_flag $j; then
+       EXTRA_HARDENING_FLAGS="$EXTRA_HARDENING_FLAGS $j";
+    fi
+done
+
+ # debug build stuff
+ if test "x${enable_debug}" = xyes; then
+ 	AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
+ 	OPT_CFLAGS="-O0"
+ else
+-	OPT_CFLAGS="-O3"
+	OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"
+ fi
+ 
+ # gdb flags
--- a/kronosnet.spec
+++ b/kronosnet.spec
@ -37,11 +37,13 @@
 Name: kronosnet
 Summary: Multipoint-to-Multipoint VPN daemon
 Version: 1.21
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+ and LGPLv2+
 URL: https://kronosnet.org
 Source0: https://kronosnet.org/releases/%{name}-%{version}.tar.xz

+Patch0: bz1954551-enable-stack-clash-protection.patch
+
 # Build dependencies
 BuildRequires: make
 BuildRequires: gcc libqb-devel
@ -85,6 +87,7 @@ BuildRequires: autoconf automake libtool

 %prep
 %setup -q -n %{name}-%{version}
+%patch0 -p1 -b .bz1954551-enable-stack-clash-protection

 %build
 %if %{with runautogen}
@ -436,6 +439,10 @@ Requires: libknet1%{_isa} = %{version}-%{release}
 %endif

 %changelog
+* Thu May 13 2021 Christine Caulfield <ccaulfie@redhat.com> - 1.21-2
+- add -fstack-clash-protection to the build. For the CI
+  Resolves: rhbz#1954551
+
 * Wed Apr 28 2021 Christine Caulfield <ccaulfie@redhat.com> - 1.21-1
 - Rebase to 1.21 to incorporate fixes for CI complaints & openssl3
  Resolves: rhbz#1954551