Disable the upstream hardening - it overrides the default compilation flags of the distribution, but provides lower level of hardening than the default flags

This issue was originally discovered by Annocheck stack-protection test in RHEL 9 Resolves: #2044388 The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat We disable this option to the default compilation flags (which have higher level of hardening) will be used
2022-02-07 14:02:25 +01:00 · 2022-02-07 14:02:25 +01:00 · 5e82fd62a4
parent 119ed62f4f
commit 5e82fd62a4
1 changed files with 5 additions and 1 deletions
--- a/mariadb.spec
+++ b/mariadb.spec
@ -850,7 +850,7 @@ fi
         -DGROONGA_NORMALIZER_MYSQL_PROJECT_NAME=%{name}-server/groonga-normalizer-mysql \
         -DENABLED_LOCAL_INFILE=ON \
         -DENABLE_DTRACE=ON \
-         -DSECURITY_HARDENED=ON \
+         -DSECURITY_HARDENED=OFF \
         -DWITH_WSREP=%{?with_galera:ON}%{!?with_galera:OFF} \
         -DWITH_INNODB_DISALLOW_WRITES=%{?with_galera:ON}%{!?with_galera:OFF} \
         -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
@ -879,6 +879,10 @@ fi
         -DCONNECT_WITH_JDBC=OFF \
 %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON}

+# The -DSECURITY_HARDENED is used to force a set of compilation flags for hardening
+# The issue is that the MariaDB upstream level of hardening is lower than expected by Red Hat
+# We disable this option to the default compilation flags (which have higher level of hardening) will be used
+

 CFLAGS="$CFLAGS -D_GNU_SOURCE -D_FILE_OFFSET_BITS=64 -D_LARGEFILE_SOURCE"
 # force PIC mode so that we can build libmysqld.so