@@ -1,9 +1,10 @@

+%global security_hardening nopie

 %define debug_package %{nil}

 %define __os_install_post %{nil}

 Summary:        Docker

 Name:           docker

 Version:        17.06.0

-Release:        1%{?dist}

+Release:        2%{?dist}

 License:        ASL 2.0

 URL:            http://docs.docker.com

 Group:          Applications/File

@@ -214,6 +215,8 @@ rm -rf %{buildroot}/*

 %{_datadir}/vim/vimfiles/syntax/dockerfile.vim

 %changelog

+*   Mon Aug 28 2017 Alexey Makhalov <amakhalov@vmware.com> 17.06.0-2

+-   Use nopie option to build

 *   Tue Jul 18 2017 Bo Gan <ganb@vmware.com> 17.06.0-1

 -   Update to 17.06.0-ce

 *   Thu May 04 2017 Kumar Kaushik <kaushikk@vmware.com> 1.13.1-4

@@ -349,7 +349,7 @@ class SpecParser(object):

         if (nrWords != 3):

             print "Error: Unable to parse line: "+line

             return False

-        if (words[2] != "none" and words[2] != "nonow") :

+        if (words[2] != "none" and words[2] != "nonow" and words[2] != "nopie") :

             print "Error: Invalid security_hardening value: " + words[2]

             return False

         self.globalSecurityHardening = words[2]

@@ -1,50 +1,109 @@

 #! /bin/bash

+# Security hardening consist of 5 compile and link time options

+# specified below:

+USE_STACK_PROTECTOR=1

+USE_FORTIFY_SOURCE=1

+USE_PIE=1

+USE_ZRELRO=1

+USE_ZNOW=1

+

 echo "Using options:" $@

-if [ $# -eq 1 -a "x$1" = "xnone" ]; then

-    rm -f `dirname $(gcc --print-libgcc-file-name)`/../specs

-    exit 0

+SPECFILE="`dirname $(gcc --print-libgcc-file-name)`/../specs"

+

+

+# Enable/disable triggers

+

+case $1 in

+none)

+  rm -f $SPECFILE

+  exit 0

+  ;;

+nopie)

+  USE_PIE=0

+  ;;

+nonow)

+  USE_ZNOW=0

+  ;;

+*)

+  ;;

+esac

+

+

+# Populate gcc spec variables in according to enabled triggers

+

+CC1_EXTRA=""

+CC1PLUS_EXTRA=""

+CPP_EXTRA=""

+LIBGCC_EXTRA=""

+STARTFILE=""

+LINK_EXTRA=""

+

+if [ $USE_STACK_PROTECTOR -eq 1 ]; then

+  CC1_EXTRA="$CC1_EXTRA %{!fno-stack-protector-strong:-fstack-protector-strong}"

+  CC1PLUS_EXTRA="$CC1PLUS_EXTRA %{!fno-stack-protector-strong:-fstack-protector-strong}"

 fi

-cat <<EOF > `dirname $(gcc --print-libgcc-file-name)`/../specs

-# add sec hardening flags for cc1.

-*cc1:

-+ %{!fno-stack-protector-strong:-fstack-protector-strong} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}

+if [ $USE_FORTIFY_SOURCE -eq 1 ]; then

+  CPP_EXTRA="$CPP_EXTRA %{O1|O2|O3|Os|Ofast:-D_FORTIFY_SOURCE=2}"

+fi

-# add sec hardening flags for cc1.

-*cc1plus:

-+ %{!fno-stack-protector-strong:-fstack-protector-strong} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}

+if [ $USE_PIE -eq 1 ]; then

+  CC1_EXTRA="$CC1_EXTRA %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}"

+  CC1PLUS_EXTRA="$CC1PLUS_EXTRA %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}"

+  # pie flag requires shared libgcc_s during linking.

+  LIBGCC_EXTRA="$LIBGCC_EXTRA %{!static:--as-needed -lgcc_s --no-as-needed}"

+  # replace default startfile rules to use crt that PIE code requires.

+  STARTFILE="%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}} crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s}"

+  LINK_EXTRA="$LINK_EXTRA %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared|static:;:-pie}"

+fi

-# add -D_FORTIFY_SOURCE=2 for preprocessor.

-*cpp:

-+ %{O1|O2|O3|Os|Ofast:-D_FORTIFY_SOURCE=2}

+if [ $USE_ZRELRO -eq 1 ]; then

+  LINK_EXTRA="$LINK_EXTRA %{!norelro:-z relro}"

+fi

-# sec hardening flags require shared libgcc_s during linking.

-*libgcc:

-+ %{!static:--as-needed -lgcc_s --no-as-needed}

+if [ $USE_ZNOW -eq 1 ]; then

+  LINK_EXTRA="$LINK_EXTRA %{!nonow:-z now}"

+fi

-# replace default startfile rules to use crt that PIE code requires.

-*startfile:

-%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}}    crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s}

+# Create gcc spec file

-EOF

+echo "# Security hardening flags" > $SPECFILE

+if [ -n "$CC1_EXTRA" ]; then

+  echo >> $SPECFILE

+  echo "*cc1:" >> $SPECFILE

+  echo "+$CC1_EXTRA" >> $SPECFILE

+fi

-if [ $# -eq 1 -a "x$1" = "xnonow" ]; then

-cat <<EOF >> `dirname $(gcc --print-libgcc-file-name)`/../specs

-# add sec hardening flags for linker.

-*link:

-+ %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared:;:-pie} %{!norelro:-z relro}

+if [ -n "$CC1PLUS_EXTRA" ]; then

+  echo >> $SPECFILE

+  echo "*cc1plus:" >> $SPECFILE

+  echo "+$CC1PLUS_EXTRA" >> $SPECFILE

+fi

-EOF

-else

-cat <<EOF >> `dirname $(gcc --print-libgcc-file-name)`/../specs

-# add sec hardening flags for linker.

-*link:

-+ %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared|static:;:-pie} %{!norelro:-z relro} %{!nonow:-z now}

+if [ -n "$CPP_EXTRA" ]; then

+  echo >> $SPECFILE

+  echo "*cpp:" >> $SPECFILE

+  echo "+$CPP_EXTRA" >> $SPECFILE

+fi

-EOF

+if [ -n "$LIBGCC_EXTRA" ]; then

+  echo >> $SPECFILE

+  echo "*libgcc:" >> $SPECFILE

+  echo "+$LIBGCC_EXTRA" >> $SPECFILE

 fi

+if [ -n "$STARTFILE" ]; then

+  echo >> $SPECFILE

+  echo "*startfile:" >> $SPECFILE

+  # replace

+  echo "$STARTFILE" >> $SPECFILE

+fi

+if [ -n "$LINK_EXTRA" ]; then

+  echo >> $SPECFILE

+  echo "*link:" >> $SPECFILE

+  echo "+$LINK_EXTRA" >> $SPECFILE

+fi

@@ -379,11 +379,8 @@ class constants(object):

         constants.specData.addMacro("KERNEL_RELEASE",kernelrelease)

         #adding kernelsubrelease rpm macro

-        kernelversion = kernelversion.replace(".","")

-        if kernelversion.isdigit():

-            kernelversion = int(kernelversion) << 8

-        kernelsubrelease = str(kernelversion)+kernelrelease

-        kernelsubrelease = kernelsubrelease.replace(constants.dist,"")

+        a,b,c = kernelversion.split(".")

+        kernelsubrelease = '%02d%02d%03d%03d' % (int(a),int(b),int(c),int(kernelrelease.replace(constants.dist,"")))

         if kernelsubrelease:

             kernelsubrelease = "."+kernelsubrelease

             constants.specData.addMacro("kernelsubrelease",kernelsubrelease)