Add -Wl,--build-id=sha1 to the default LDFLAGS

This is already the default for ld.bfd, so this is effectively a no-op
for most packages.  However, lld defaults to a different build-id algorithm
that the RPM build process does not support, so it needs this flag.

This flag can be overridden by setting the %_build_id_flags macro,
which packages could do if they wanted to use a more secure build-id
algorithm.

Tom Stellard 2021-11-13 00:44:22 +00:00
parent faf5c36887
commit 95f28bd10b
3 changed files with 16 additions and 2 deletions

@ -195,6 +195,13 @@ For example, this can be required if shared objects are used for their
side effects in ELF constructors, or for making them available to
dynamically loaded plugins.
### Specifying the build-id algorithm
If you want to specify a different build-id algorithm for your builds, you
can use the %_build_id_flags macro:
%_build_id_flags -Wl,--build-id=sha1
### Strict symbol checks in the link editor (ld)
Optionally, the link editor will refuse to link shared objects which
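Review bot: The example under the new "Specifying the build-id algorithm" heading sets %_build_id_flags to -Wl,--build-id=sha1, which is the same value the macros file defines as the default, so it does not show a packager what choosing a different algorithm looks like. Suggest stating in this section that sha1 is the default, and repeating the caveat from the macros comment that some build-id algorithms are not supported by rpmbuild, so readers know the constraint before overriding.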

macros

@ -72,7 +72,7 @@
# When clang is used as a linker driver, it does not auto-detect the LTO
# bytecode and neither does bfd, so we need to explicitly pass the -flto
# flag when linking.
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ]
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %{_build_id_flags}
# Expands to shell code to set the compiler/linker environment
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
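Review bot: The %{_build_id_flags} reference appended to %build_ldflags is unconditional, so a spec file that undefines the macro to fall back to the linker's own default would end up with the literal text %{_build_id_flags} in LDFLAGS. Consider %{?_build_id_flags}, matching the %{?_lto_cflags} usage earlier on the same line. The comment above the line still describes only the -flto case and could mention the build-id flag as well.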
@ -325,6 +325,10 @@ print(result)
%_clang_lto_cflags -flto
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
# Some linkers default to a build-id algoritim that is not supported by rpmbuild,
# so we need to specify the right algorithm to use.
%_build_id_flags -Wl,--build-id=sha1
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
%_warning_options -Wall -Werror=format-security
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
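Review bot: The comment above %_build_id_flags says "Some linkers" and "the right algorithm" without naming either. The commit message identifies lld as the linker in question and sha1 as what the RPM build process supports; putting both in the comment would tell a packager what they are changing when they override the macro. "algoritim" should read "algorithm".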

@ -6,7 +6,7 @@
Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config
Version: 206
Version: 207
Release: 1%{?dist}
# No version specified.
License: GPL+
@ -190,6 +190,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%doc buildflags.md
%changelog
* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
- Add -Wl,--build-id=sha1 to the default LDFLAGS
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables
- Fixes: rhbz#1998924
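Review bot: The 207-1 changelog entry records the new default flag but not the new %_build_id_flags macro, which is the packager-facing override point this change introduces. A second line such as "- Add %_build_id_flags macro to allow overriding the build-id algorithm" would make it discoverable from the changelog. The entry is dated Dec 14 2021 while the commit header shows 2021-11-13, so it is worth confirming the changelog date is the intended one.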