diff --git a/bz1954551-enable-stack-clash-protection.patch b/bz1954551-enable-stack-clash-protection.patch
new file mode 100644
index 0000000..d63c718
--- /dev/null
+++ b/bz1954551-enable-stack-clash-protection.patch
@@ -0,0 +1,58 @@
+commit e13b7c74634c511d44603a203a328f4d67920321
+Author: Christine Caulfield
+Date: Mon May 10 13:00:58 2021 +0100
+
+ [build] Add -fstack-clash-protection to release builds
+
+ CentOS Stream CI insists on this but it's generally a 'good thing'
+
+diff --git a/configure.ac b/configure.ac
+index e429dcc..020cbe1 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -173,6 +173,23 @@ AC_ARG_ENABLE([libnozzle],
+
+ AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
+
++## local helper functions
++# this function checks if CC support options passed as
++# args. Global CPPFLAGS are ignored during this test.
++cc_supports_flag() {
++ saveCPPFLAGS="$CPPFLAGS"
++ CPPFLAGS="$@"
++ if echo $CC | grep -q clang; then
++ CPPFLAGS="-Werror $CPPFLAGS"
++ fi
++ AC_MSG_CHECKING([whether $CC supports "$@"])
++ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
++ [RC=0; AC_MSG_RESULT([yes])],
++ [RC=1; AC_MSG_RESULT([no])])
++ CPPFLAGS="$saveCPPFLAGS"
++ return $RC
++}
++
+ # Checks for libraries.
+ AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
+ saved_LIBS="$LIBS"
+@@ -297,12 +314,20 @@ AC_ARG_WITH([testdir],
+
+ AC_SUBST([TESTDIR])
+
++# Check for availablility of hardening options
++HARDENING_FLAGS="-fstack-clash-protection"
++for j in $HARDENING_FLAGS; do
++ if cc_supports_flag $j; then
++ EXTRA_HARDENING_FLAGS="$EXTRA_HARDENING_FLAGS $j";
++ fi
++done
++
+ # debug build stuff
+ if test "x${enable_debug}" = xyes; then
+ AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
+ OPT_CFLAGS="-O0"
+ else
+- OPT_CFLAGS="-O3"
++ OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"
+ fi
+
+ # gdb flags
diff --git a/kronosnet.spec b/kronosnet.spec
index 7dd5965..d28db27 100644
--- a/kronosnet.spec
+++ b/kronosnet.spec
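Review bot: In the second configure.ac hunk of the embedded patch, `EXTRA_HARDENING_FLAGS` is appended to inside the `for j in $HARDENING_FLAGS` loop but never initialised, so any value already present in the environment configure runs under ends up in `OPT_CFLAGS` without having passed through `cc_supports_flag`. Unless that is meant as an override hook, adding `EXTRA_HARDENING_FLAGS=""` just before `HARDENING_FLAGS="-fstack-clash-protection"` keeps the result limited to flags the probe accepted. The flag is also added only in the non-debug branch (`OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"`), and when the probe fails configure just prints `no` and the release build continues unprotected. A comment above the loop such as `# best-effort, release builds only; a compiler without support builds unhardened` would record that, and the packaging CI should check the built objects rather than rely on the configure result.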
@@ -37,11 +37,13 @@ Name: kronosnet Summary: Multipoint-to-Multipoint VPN daemon Version: 1.21 -Release: 1%{?dist} +Release: 2%{?dist} License: GPLv2+ and LGPLv2+ URL: https://kronosnet.org Source0: https://kronosnet.org/releases/%{name}-%{version}.tar.xz +Patch0: bz1954551-enable-stack-clash-protection.patch + # Build dependencies BuildRequires: make BuildRequires: gcc libqb-devel @@ -85,6 +87,7 @@ BuildRequires: autoconf automake libtool %prep %setup -q -n %{name}-%{version} +%patch0 -p1 -b .bz1954551-enable-stack-clash-protection %build %if %{with runautogen} @@ -436,6 +439,10 @@ Requires: libknet1%{_isa} = %{version}-%{release} %endif %changelog +* Thu May 13 2021 Christine Caulfield - 1.21-2 +- add -fstack-clash-protection to the build. For the CI + Resolves: rhbz#1954551 + * Wed Apr 28 2021 Christine Caulfield - 1.21-1 - Rebase to 1.21 to incorporate fixes for CI complaints & openssl3 Resolves: rhbz#1954551