From 229631878208e597bd0f2b4c84f73ec82ec5d6b0 Mon Sep 17 00:00:00 2001
From: Michal Sekletar
Date: Jul 11 2013 15:47:26 +0000
Subject: build-sys: fix package hardening

Hardened build has been on already for some time. However, rpm macro machinery doesn't work properly for mgetty, since we neither use ld for linking targets nor we use autotools.
---
diff --git a/mgetty-1.1.36-hardening.patch b/mgetty-1.1.36-hardening.patch
new file mode 100644
index 0000000..6844648
--- /dev/null
+++ b/mgetty-1.1.36-hardening.patch
@@ -0,0 +1,66 @@
+diff -up mgetty-1.1.36/fax/Makefile.hardening mgetty-1.1.36/fax/Makefile
+--- mgetty-1.1.36/fax/Makefile.hardening 2013-07-11 13:29:17.937420044 +0200
++++ mgetty-1.1.36/fax/Makefile 2013-07-11 13:29:42.676420752 +0200
+@@ -5,7 +5,8 @@
+ #
+
+ CC=gcc
+-CFLAGS=-O2 -I.. -Wall
++CFLAGS=-O2 -I.. -Wall -fPIE
++LDFLAGS=-z now -pie
+
+ FAX_SCRIPTS=faxspool faxrunq faxq faxrm
+
+@@ -36,7 +37,7 @@ faxheader: faxheader.in ../sedscript
+ @cd .. ; $(MAKE) sedscript
+
+ faxq-helper: faxq-helper.o
+- $(CC) $(CFLAGS) -o faxq-helper faxq-helper.o
++ $(CC) $(CFLAGS) $(LDFLAGS) -o faxq-helper faxq-helper.o
+
+ faxq-helper.o: faxq-helper.c ../sedscript
+ $(CC) $(CFLAGS) -DFAX_SPOOL_OUT=\"$(FAX_SPOOL_OUT)\" \
+diff -up mgetty-1.1.36/frontends/X11/viewfax/Makefile.hardening mgetty-1.1.36/frontends/X11/viewfax/Makefile
+--- mgetty-1.1.36/frontends/X11/viewfax/Makefile.hardening 2013-07-11 13:28:46.498419145 +0200
++++ mgetty-1.1.36/frontends/X11/viewfax/Makefile 2013-07-11 13:28:46.502419145 +0200
+@@ -48,8 +48,8 @@ OPT = -g -O2 -Wno-uninitialized -ansi -p
+ #LIBS =
+ # linux
+ CC = gcc
+-CFLAGS = $(OPT) -DHELPFILE=$(HELP)
+-LDFLAGS = $(OPT) -L/usr/X11R6/lib
++CFLAGS = $(OPT) -DHELPFILE=$(HELP) -fPIE
++LDFLAGS = $(OPT) -z now -pie -L/usr/X11R6/lib
+ LIBS =
+
+ ####### End of configurable definitions #######
+diff -up mgetty-1.1.36/Makefile.hardening mgetty-1.1.36/Makefile
+--- mgetty-1.1.36/Makefile.hardening 2013-07-11 13:28:46.498419145 +0200
++++ mgetty-1.1.36/Makefile 2013-07-11 13:28:46.502419145 +0200
+@@ -102,7 +102,7 @@ CC=gcc
+ # USTAT - ustat(), no statfs etc.
+ #
+ #CFLAGS=-Wall -O2 -pipe -DSECUREWARE -DUSE_POLL
+-CFLAGS=-O2 -Wall -pipe
++CFLAGS=-O2 -Wall -pipe -fPIE
+ #CFLAGS=-O -DSVR4
+ #CFLAGS=-O -DSVR4 -DSVR42
+ #CFLAGS=-O -DUSE_POLL
+@@ -143,7 +143,7 @@ CFLAGS=-O2 -Wall -pipe
+ # "utmp.o: unresolved symbol _login"
+ # For Linux, add "-lutil" if the linker complains about "updwtmp".
+ #
+-LDFLAGS=
++LDFLAGS=-z now -pie
+ LIBS=
+ #LIBS=-lprot -lsocket # SCO Unix
+ #LIBS=-lsocket
+@@ -556,7 +556,7 @@ sendfax.config: sendfax.cfg.in sedscript
+ ./sedscript sendfax.config
+
+ newslock: compat/newslock.c
+- $(CC) $(CFLAGS) -o newslock compat/newslock.c
++ $(CC) $(CFLAGS) $(LDFLAGS) -o newslock compat/newslock.c
+
+ # internal: use this to create a "clean" mgetty+sendfax tree
+ bindist: all doc-all sedscript
diff --git a/mgetty.spec b/mgetty.spec
index cedb4a6..e832ac6 100644
--- a/mgetty.spec
+++ b/mgetty.spec
@@ -46,6 +46,7 @@ Patch25: mgetty-1.1.36-sd.patch
 # thus .debug files for all binaries will be generated properly
 Patch26: mgetty-1.1.36-makefiles.patch
 Patch27: mgetty-1.1.36-lockdev.patch
+Patch28: mgetty-1.1.36-hardening.patch
 
 License: GPLv2+
 Group: Applications/Communications
@@ -136,6 +137,7 @@ mv policy.h-dist policy.h
 %patch25 -p1 -b .sd
 %patch26 -p1 -b .makefile
 %patch27 -p1 -b .lockdev
+%patch28 -p1 -b .hardening
 
 %build
 %define makeflags CFLAGS="$RPM_OPT_FLAGS -Wall -DAUTO_PPP -D_FILE_OFFSET_BITS=64 -DHAVE_LOCKDEV -fno-strict-aliasing" LIBS="-llockdev" prefix=%{_prefix} spool=%{_var}/spool BINDIR=%{_bindir} SBINDIR=%{_sbindir} LIBDIR=%{_libdir}/mgetty+sendfax HELPDIR=%{_libdir}/mgetty+sendfax CONFDIR=%{_sysconfdir}/mgetty+sendfax MANDIR=%{_mandir} MAN1DIR=%{_mandir}/man1 MAN4DIR=%{_mandir}/man4 MAN5DIR=%{_mandir}/man5 MAN8DIR=%{_mandir}/man8 INFODIR=%{_infodir} ECHO='"echo -e"' INSTALL=%{__install}
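Review bot: The new `LDFLAGS=-z now -pie` lines in mgetty-1.1.36-hardening.patch (fax/Makefile, viewfax/Makefile and the top-level Makefile) ask for immediate binding but not `-z relro`, so unless the toolchain turns RELRO on by default the GOT stays writable and the binaries get only part of the intended hardening. I would write `LDFLAGS=-Wl,-z,relro -Wl,-z,now -pie`, which sets both halves of full RELRO and hands the options to the linker explicitly. Only the `faxq-helper` and `newslock` link rules gain `$(LDFLAGS)` here and the remaining link rules lie outside the hunks, so each installed binary is worth checking with `readelf -h -l -d` for type `DYN`, a `GNU_RELRO` segment and `BIND_NOW`.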
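Review bot: `Patch28` in mgetty.spec is added without the kind of explanatory comment that sits above `Patch26` in the same hunk. A line such as `# set -fPIE/-pie and -z now in the Makefiles; the rpm hardening macros do not reach mgetty's hand-written build` above it would record why the flags are patched into the sources rather than passed from the spec.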
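Review bot: The `%define makeflags CFLAGS="$RPM_OPT_FLAGS ..."` line just below the new `%patch28` interacts with this patch: if `%{makeflags}` is passed on make's command line (its use is outside the hunk), that `CFLAGS` overrides the Makefile assignment, so the patched-in `-fPIE` is dropped while the Makefile's `LDFLAGS=-z now -pie` still applies. Objects are then position-independent only if `$RPM_OPT_FLAGS` already carries the PIE flag, and a mismatch would surface as a link failure or text relocations. Adding `-fPIE` to the `CFLAGS` inside `makeflags`, or setting `LDFLAGS` there as well, would keep compile and link flags in step however the macro expands.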