Add -Wl,--build-id=sha1 to the default LDFLAGS

This is already the default for ld.bfd, so this is effectively a no-op
for most packages.  However, lld defaults to a different build-id algorithm
that the RPM build process does not support, so it needs this flag.

This flag can be overridden by setting the %_build_id_flags macro,
which packages could do if they wanted to use a more secure build-id
algorithm.
Tom Stellard 2021-11-13 00:44:22 +00:00
parent faf5c36887
commit 95f28bd10b
3 changed files with 16 additions and 2 deletions


@ -195,6 +195,13 @@ For example, this can be required if shared objects are used for their
side effects in ELF constructors, or for making them available to side effects in ELF constructors, or for making them available to
dynamically loaded plugins. dynamically loaded plugins.
### Specifying the build-id algorithm
If you want to specify a different build-id algorithm for your builds, you
can use the %_build_id_flags macro:
%_build_id_flags -Wl,--build-id=sha1
### Strict symbol checks in the link editor (ld) ### Strict symbol checks in the link editor (ld)
Optionally, the link editor will refuse to link shared objects which Optionally, the link editor will refuse to link shared objects which
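
Review bot: The example under the new "Specifying the build-id algorithm" heading sets `%_build_id_flags -Wl,--build-id=sha1`, which is the same value the macros file defines as the default, so it does not show a reader what selecting a different algorithm looks like. State in the text that sha1 is the default, and note that the chosen algorithm has to be one the RPM build process supports, since that constraint is the reason for the change. The macro line should also be set off as a literal (indented or fenced) so it does not run into the paragraph above it.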

macros

@ -72,7 +72,7 @@
# When clang is used as a linker driver, it does not auto-detect the LTO # When clang is used as a linker driver, it does not auto-detect the LTO
# bytecode and neither does bfd, so we need to explicitly pass the -flto # bytecode and neither does bfd, so we need to explicitly pass the -flto
# flag when linking. # flag when linking.
%build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %build_ldflags -Wl,-z,relro %{_ld_as_needed_flags} %{_ld_symbols_flags} %{_hardened_ldflags} %{_annotation_ldflags} %[ "%{toolchain}" == "clang" ? "%{?_lto_cflags}" : "" ] %{_build_id_flags}
# Expands to shell code to set the compiler/linker environment # Expands to shell code to set the compiler/linker environment
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have # variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
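
Review bot: `%{_build_id_flags}` at the end of `%build_ldflags` is expanded unconditionally, so a package that undefines the macro to keep the linker's own default leaves the literal text `%{_build_id_flags}` in LDFLAGS. The same line already uses the conditional form for `%{?_lto_cflags}`; consider `%{?_build_id_flags}` here, or document that the macro is meant to be redefined rather than undefined.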
@ -325,6 +325,10 @@ print(result)
%_clang_lto_cflags -flto %_clang_lto_cflags -flto
%_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}} %_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}}
# Some linkers default to a build-id algoritim that is not supported by rpmbuild,
# so we need to specify the right algorithm to use.
%_build_id_flags -Wl,--build-id=sha1
%_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe %_general_options -O2 %{?_lto_cflags} -fexceptions -g -grecord-gcc-switches -pipe
%_warning_options -Wall -Werror=format-security %_warning_options -Wall -Werror=format-security
%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS %_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS
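
Review bot: "algoritim" in the comment added above `%_build_id_flags` is a typo for "algorithm". The comment would also be more useful if it named the linker it refers to (the commit message says lld) instead of "Some linkers", so a later reader can tell when the explicit flag is still needed.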


@ -6,7 +6,7 @@
Summary: Red Hat specific rpm configuration files Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config Name: redhat-rpm-config
Version: 206 Version: 207
Release: 1%{?dist} Release: 1%{?dist}
# No version specified. # No version specified.
License: GPL+ License: GPL+
@ -190,6 +190,9 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora/srpm forge.lua
%doc buildflags.md %doc buildflags.md
%changelog %changelog
* Tue Dec 14 2021 Tom Stellard <tstellar@redhat.com> - 207-1
- Add -Wl,--build-id=sha1 to the default LDFLAGS
* Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1 * Tue Dec 07 2021 Miro Hrončok <mhroncok@redhat.com> - 206-1
- brp-mangle-shebangs: also mangle shebangs of JavaScript executables - brp-mangle-shebangs: also mangle shebangs of JavaScript executables
- Fixes: rhbz#1998924 - Fixes: rhbz#1998924