opensource/podman
1
0
Fork 0
mirror of https://github.com/containers/podman.git synced 2025-06-23 18:59:30 +08:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #9291 from lsm5/fedora-rpm-binary-hardening

Browse Source 
hardening flags for fedora rpmbuilds
This commit is contained in:
OpenShift Merge Robot
2021-02-10 08:00:38 -05:00
committed by GitHub
parent 055e2dda3a 21deafba85
commit 629a9796e5
1 changed files with 23 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
contrib/spec/podman.spec.in
View File

@ -380,6 +380,29 @@ tar zxf %{SOURCE1}
%build %build
mkdir _build mkdir _build
pushd _build pushd _build
# These flags should work for all rpm distros and arches
export CGO_CFLAGS="-O2 -g -grecord-gcc-switches -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -ffat-lto-objects -fexceptions -fasynchronous-unwind-tables -fstack-protector-strong -fstack-clash-protection -D_GNU_SOURCE -D_LARGEFILE_SOURCE -D_LARGEFILE64_SOURCE"
%if 0%{?fedora} || 0%{?rhel}
# This flag is only present on RH-family distros
export CGO_CFLAGS+=" -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1"
%endif
%ifnarch %{ix86}
# Build fails on i686 with this flag
export CGO_CFLAGS+=" -D_FILE_OFFSET_BITS=64"
%endif
%ifarch x86_64
# Builds only on x86_64 with this flag
export CGO_CFLAGS+=" -m64 -mtune=generic"
%if 0%{?fedora} || 0%{?rhel} >= 8
# Build fails on rhel7 and non-86_64 with this flag
export CGO_CFLAGS+=" -fcf-protection"
%endif
%endif
mkdir -p src/%{provider}.%{provider_tld}/%{project} mkdir -p src/%{provider}.%{provider_tld}/%{project}
ln -s ../../../../ src/%{import_path} ln -s ../../../../ src/%{import_path}
popd popd