Add redhat-hardened-clang-ld.cfg

To pass -pie when linking with clang. Resolves: RHEL-39076
2024-03-26 11:37:34 +01:00 · 2024-03-26 11:37:34 +01:00 · fda90b0a42
commit fda90b0a42
parent 0bdf6e07e8
4 changed files with 20 additions and 5 deletions
--- a/6
+++ b/6
@ -324,7 +324,7 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end
 # from RPM spec files.

 %_hardening_gcc_cflags   -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg
+%_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg
 %_hardening_cflags	 %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong

 # Have the linker generate errors instead of warnings for binaries that
@ -334,7 +334,9 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end
 %_hardened_linker_errors   1

 # we don't escape symbols '~', '"', etc. so be careful when changing this
-%_hardening_ldflags	 -Wl,-z,now %{?_hardened_linker_errors:%{_hardening_linker_errors}} %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ]
+%_hardening_gcc_ldflags   -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
+%_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg
+%_hardening_ldflags	   -Wl,-z,now %{expand:%%{_hardening_%{toolchain}_ldflags}}

 # Harden packages by default for Fedora 23+:
 # https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11)
--- a/redhat-hardened-clang-ld.cfg
+++ b/redhat-hardened-clang-ld.cfg
@ -0,0 +1 @@
+-pie
--- a/redhat-rpm-config.spec
+++ b/redhat-rpm-config.spec
@ -4,7 +4,7 @@
 # 2) When making changes, increment the version (in baserelease) by 1.
 #    rpmdev-bumpspec and other tools update the macro below, which is used
 #    in Version: to get the desired effect.
-%global baserelease 283
+%global baserelease 284

 Summary: Red Hat specific rpm configuration files
 Name: redhat-rpm-config
@ -21,8 +21,10 @@ Source1: rpmrc
 # gcc specs files for hardened builds
 Source50: redhat-hardened-cc1
 Source51: redhat-hardened-ld
-Source52: redhat-hardened-clang.cfg
-Source53: redhat-hardened-ld-errors
+Source52: redhat-hardened-ld-errors
+# clang config spec files
+Source53: redhat-hardened-clang.cfg
+Source54: redhat-hardened-clang-ld.cfg

 # gcc specs files for annobin builds
 Source60: redhat-annobin-cc1
@ -257,6 +259,11 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua
 %doc buildflags.md

 %changelog
+* Tue Jun 18 2024 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 284-1
+- Use --config=xxx for clang configs instead of two separate arguments to work
+  around a bug in meson
+- Add clang link config file
+
 * Mon Jun 17 2024 Florian Weimer <fweimer@redhat.com> - 283-1
 - Switch back to traditional Version: management (RHEL-42436)

--- a/tests/build-gating.fmf
+++ b/tests/build-gating.fmf
@ -12,5 +12,10 @@ discover:
    url: https://src.fedoraproject.org/rpms/clang.git
    ref: rawhide
    test: fedora-flags
+  - name: clang-fedora-pie-rpm
+    how: fmf
+    url: https://src.fedoraproject.org/tests/clang.git
+    ref: main
+    test: pie-rpm
 execute:
  how: tmt