Remove hardening if-clauses. Do the hardening always.

Use upstream -DSECURITY_HARDENED=ON, which will enable -pie and -Wl,-z,relro,-z,now, but also -fstack-protector and -D_FORTIFY_SOURCE=2
Michal Schorm 2018-02-25 02:39:07 +01:00
parent c34f161783
commit 76677bb0ec


@ -12,10 +12,6 @@
%global _pkgdocdirname %{pkg_name}%{!?_pkgdocdir:-%{version}} %global _pkgdocdirname %{pkg_name}%{!?_pkgdocdir:-%{version}}
%{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{pkg_name}-%{version}} %{!?_pkgdocdir: %global _pkgdocdir %{_docdir}/%{pkg_name}-%{version}}
# Use Full RELRO for all binaries (RHBZ#1092548)
# Deafult since F23 https://fedoraproject.org/wiki/Changes/Harden_All_Packages
%global _hardened_build 1
# By default, patch(1) creates backup files when chunks apply with offsets. # By default, patch(1) creates backup files when chunks apply with offsets.
# Turn that off to ensure such files don't get included in RPMs (cf bz#884755). # Turn that off to ensure such files don't get included in RPMs (cf bz#884755).
%global _default_patch_flags --no-backup-if-mismatch %global _default_patch_flags --no-backup-if-mismatch
@ -31,9 +27,6 @@
# https://mariadb.com/kb/en/library/myrocks-supported-platforms/ # https://mariadb.com/kb/en/library/myrocks-supported-platforms/
# RocksB engine is available only for x86_64 # RocksB engine is available only for x86_64
%ifarch x86_64 %ifarch x86_64
# Disable TokuDB since 10.1.12 on F>=28
# It will either "freeze" the testsuite (probabbly stuck in some loop) or ~500 TokuDB tests will fail
# This issue is probabbly caused by updates in Fedora Rwahide (F28) KOJI - like a new GCC and many build tools updates
%bcond_without tokudb %bcond_without tokudb
%bcond_without mroonga %bcond_without mroonga
%bcond_without rocksdb %bcond_without rocksdb
@ -806,13 +799,6 @@ CFLAGS=`echo $CFLAGS| sed -e "s|-O2|-O3|g" `
CXXFLAGS="$CFLAGS" CXXFLAGS="$CFLAGS"
export CFLAGS CXXFLAGS export CFLAGS CXXFLAGS
%if 0%{?_hardened_build}
# building with PIE
LDFLAGS="$LDFLAGS -pie -Wl,-z,relro,-z,now"
export LDFLAGS
# Simmilar flags provides MariaDB itself: -DSECURITY_HARDENED=ON
# will elanble -pie and -Wl,-z,relro,-z,now, but also -fstack-protector and -D_FORTIFY_SOURCE=2
%endif
# The INSTALL_xxx macros have to be specified relative to CMAKE_INSTALL_PREFIX # The INSTALL_xxx macros have to be specified relative to CMAKE_INSTALL_PREFIX
# so we can't use %%{_datadir} and so forth here. # so we can't use %%{_datadir} and so forth here.
@ -847,7 +833,7 @@ export LDFLAGS
-DTMPDIR=/var/tmp \ -DTMPDIR=/var/tmp \
-DENABLED_LOCAL_INFILE=ON \ -DENABLED_LOCAL_INFILE=ON \
-DENABLE_DTRACE=ON \ -DENABLE_DTRACE=ON \
-DSECURITY_HARDENED=%{?hardened_build:ON}%{!?hardened_build:OFF} \ -DSECURITY_HARDENED=ON \
-DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \ -DWITH_EMBEDDED_SERVER=%{?with_embedded:ON}%{!?with_embedded:OFF} \
-DWITH_MARIABACKUP=%{?with_backup:ON}%{!?with_backup:NO} \ -DWITH_MARIABACKUP=%{?with_backup:ON}%{!?with_backup:NO} \
-DWITH_UNIT_TESTS=%{?with_test:ON}%{!?with_test:NO} \ -DWITH_UNIT_TESTS=%{?with_test:ON}%{!?with_test:NO} \
@ -864,8 +850,7 @@ export LDFLAGS
-DPLUGIN_CONNECT=%{?with_connect:DYNAMIC}%{!?with_connect:NO} \ -DPLUGIN_CONNECT=%{?with_connect:DYNAMIC}%{!?with_connect:NO} \
-DCONNECT_WITH_MONGO=OFF \ -DCONNECT_WITH_MONGO=OFF \
-DCONNECT_WITH_JDBC=OFF \ -DCONNECT_WITH_JDBC=OFF \
%{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON} \ %{?with_debug: -DCMAKE_BUILD_TYPE=Debug -DWITH_ASAN=OFF -DWITH_INNODB_EXTRA_DEBUG=ON -DWITH_VALGRIND=ON}
%{?_hardened_build: -DWITH_MYSQLD_LDFLAGS="-pie -Wl,-z,relro,-z,now"}
# Print all Cmake options values # Print all Cmake options values
cmake -L cmake -L
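Review bot: After this change PIE and full RELRO depend entirely on upstream's `-DSECURITY_HARDENED=ON` (plus whatever the distribution injects by default), and nothing in the spec checks that the built binaries actually end up hardened. The removed lines set `-pie -Wl,-z,relro,-z,now` explicitly in `LDFLAGS` and `-DWITH_MYSQLD_LDFLAGS`, so a silent regression would now go unnoticed, for example if upstream's CMake skips a flag it cannot probe (an assumption to confirm against the upstream CMakeLists). I would add a post-build assertion in `%check`, along the lines of `readelf -d <installed mysqld path> | grep -q BIND_NOW` and `readelf -h <installed mysqld path> | grep -q 'Type:.*DYN'`, with the path filled in from this spec. The RHBZ#1092548 reference disappears with the removed `_hardened_build` comment; a comment above the cmake call such as `# Hardening (PIE, full RELRO, stack protector, FORTIFY) comes from -DSECURITY_HARDENED=ON (RHBZ#1092548)` would preserve the rationale. The cmake invocation itself starts outside the visible hunks.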