Add redhat-hardened-clang-ld.cfg

To pass -pie when linking with clang.

Resolves: RHEL-39076
Timm Bäder 2024-03-26 11:37:34 +01:00 committed by Tulio Magno Quites Machado Filho
parent 0bdf6e07e8
commit fda90b0a42
4 changed files with 20 additions and 5 deletions

macros

@ -324,7 +324,7 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end
# from RPM spec files. # from RPM spec files.
%_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 %_hardening_gcc_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
%_hardening_clang_cflags --config /usr/lib/rpm/redhat/redhat-hardened-clang.cfg %_hardening_clang_cflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang.cfg
%_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong %_hardening_cflags %{expand:%%{_hardening_%{toolchain}_cflags}} -fstack-protector-strong
# Have the linker generate errors instead of warnings for binaries that # Have the linker generate errors instead of warnings for binaries that
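Review bot: The switch of `%_hardening_clang_cflags` from the two-argument `--config PATH` form to `--config=PATH` has no explanation next to the macro, and the commit message only mentions `-pie`. The changelog entry attributes it to a meson bug; a one-line comment above the macro saying the single-argument form is required would keep someone from reverting it to the two-argument form later.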
@ -334,7 +334,9 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end
%_hardened_linker_errors 1 %_hardened_linker_errors 1
# we don't escape symbols '~', '"', etc. so be careful when changing this # we don't escape symbols '~', '"', etc. so be careful when changing this
%_hardening_ldflags -Wl,-z,now %{?_hardened_linker_errors:%{_hardening_linker_errors}} %[ "%{toolchain}" == "gcc" ? "-specs=/usr/lib/rpm/redhat/redhat-hardened-ld" : "" ] %_hardening_gcc_ldflags -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
%_hardening_clang_ldflags --config=/usr/lib/rpm/redhat/redhat-hardened-clang-ld.cfg
%_hardening_ldflags -Wl,-z,now %{expand:%%{_hardening_%{toolchain}_ldflags}}
# Harden packages by default for Fedora 23+: # Harden packages by default for Fedora 23+:
# https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11) # https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11)
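Review bot: The new `%_hardening_ldflags` no longer contains `%{?_hardened_linker_errors:%{_hardening_linker_errors}}`, although `%_hardened_linker_errors 1` is still set just above. Unless that is moved elsewhere, the linker-errors option is silently dropped from the hardening link flags; keep the conditional in `%_hardening_ldflags`, or fold it into `%_hardening_gcc_ldflags` if it is meant to be gcc-only. Separately, the old ternary produced an empty string for any toolchain other than gcc, while `%{expand:%%{_hardening_%{toolchain}_ldflags}}` leaves an unexpanded macro name in the flags when no matching macro is defined; `%%{?_hardening_%{toolchain}_ldflags}` would keep the old fallback.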


@ -0,0 +1 @@
-pie
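Review bot: The new file is a bare `-pie` with no comment on why it exists or when it applies. Through `%_hardening_clang_ldflags` it is loaded for every hardened clang link, including links that produce shared objects or static binaries, so please add a `#` comment line stating the intent and confirm that `-shared` and `-static` links still behave as expected with this config loaded.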


@ -4,7 +4,7 @@
# 2) When making changes, increment the version (in baserelease) by 1. # 2) When making changes, increment the version (in baserelease) by 1.
# rpmdev-bumpspec and other tools update the macro below, which is used # rpmdev-bumpspec and other tools update the macro below, which is used
# in Version: to get the desired effect. # in Version: to get the desired effect.
%global baserelease 283 %global baserelease 284
Summary: Red Hat specific rpm configuration files Summary: Red Hat specific rpm configuration files
Name: redhat-rpm-config Name: redhat-rpm-config
@ -21,8 +21,10 @@ Source1: rpmrc
# gcc specs files for hardened builds # gcc specs files for hardened builds
Source50: redhat-hardened-cc1 Source50: redhat-hardened-cc1
Source51: redhat-hardened-ld Source51: redhat-hardened-ld
Source52: redhat-hardened-clang.cfg Source52: redhat-hardened-ld-errors
Source53: redhat-hardened-ld-errors # clang config spec files
Source53: redhat-hardened-clang.cfg
Source54: redhat-hardened-clang-ld.cfg
# gcc specs files for annobin builds # gcc specs files for annobin builds
Source60: redhat-annobin-cc1 Source60: redhat-annobin-cc1
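Review bot: Source52 and Source53 change meaning here (`redhat-hardened-ld-errors` moves from 53 to 52, `redhat-hardened-clang.cfg` from 52 to 53), and the diff shows no corresponding change in the install or file-list sections. Please confirm that nothing refers to these sources by number and that `redhat-hardened-clang-ld.cfg` (Source54) is actually installed under `/usr/lib/rpm/redhat/`, since `%_hardening_clang_ldflags` points there. Appending the new file under the next free number would avoid the renumbering.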
@ -257,6 +259,11 @@ install -p -m 644 -t %{buildroot}%{_rpmluadir}/fedora common.lua
%doc buildflags.md %doc buildflags.md
%changelog %changelog
* Tue Jun 18 2024 Tulio Magno Quites Machado Filho <tuliom@redhat.com> - 284-1
- Use --config=xxx for clang configs instead of two separate arguments to work
around a bug in meson
- Add clang link config file
* Mon Jun 17 2024 Florian Weimer <fweimer@redhat.com> - 283-1 * Mon Jun 17 2024 Florian Weimer <fweimer@redhat.com> - 283-1
- Switch back to traditional Version: management (RHEL-42436) - Switch back to traditional Version: management (RHEL-42436)
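Review bot: The 284-1 changelog entry does not cite the ticket, while the commit message says `Resolves: RHEL-39076` and the previous entry follows the `(RHEL-42436)` style. Suggest `- Add clang link config file (RHEL-39076)`, and mention `-pie` so the entry states what the config file does.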


@ -12,5 +12,10 @@ discover:
url: https://src.fedoraproject.org/rpms/clang.git url: https://src.fedoraproject.org/rpms/clang.git
ref: rawhide ref: rawhide
test: fedora-flags test: fedora-flags
- name: clang-fedora-pie-rpm
how: fmf
url: https://src.fedoraproject.org/tests/clang.git
ref: main
test: pie-rpm
execute: execute:
how: tmt how: tmt
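Review bot: The new `clang-fedora-pie-rpm` entry pulls its tests from `ref: main` on src.fedoraproject.org, while the commit resolves a RHEL ticket. A moving Fedora branch can change the gating result without any change to this package; consider pinning a ref, or note in the plan that following `main` is intended.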