Extras:
- refactor adjust-gcc-specs.sh
- change kernelsubversion from numeric to human-readable format
Change-Id: I478d4bb23fe5dc685a509fef533055f73c8136da
Reviewed-on: http://photon-jenkins.eng.vmware.com:8082/3648
Tested-by: gerrit-photon <photon-checkins@vmware.com>
Reviewed-by: Anish Swaminathan <anishs@vmware.com>
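--- a/<docker spec: path not shown on page>
+++ b/<docker spec: path not shown on page>
@@ -1,9 +1,10 @@
+%global security_hardening nopie
 %define debug_package %{nil}
 %define __os_install_post %{nil}
 Summary: Docker
 Name: docker
 Version: 17.06.0
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: ASL 2.0
 URL: http://docs.docker.com
 Group: Applications/File
@@ -214,6 +215,8 @@ rm -rf %{buildroot}/*
 %{_datadir}/vim/vimfiles/syntax/dockerfile.vim
 
 %changelog
+* Mon Aug 28 2017 Alexey Makhalov <amakhalov@vmware.com> 17.06.0-2
+- Use nopie option to build
 * Tue Jul 18 2017 Bo Gan <ganb@vmware.com> 17.06.0-1
 - Update to 17.06.0-ce
 * Thu May 04 2017 Kumar Kaushik <kaushikk@vmware.com> 1.13.1-4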
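Review bot: `%global security_hardening nopie` turns off PIE for everything this spec compiles through gcc (per adjust-gcc-specs.sh in this same change, that drops `-fPIE`, the `-pie` link flag and the PIE start files), which gives up address-space randomisation of the resulting executables, yet neither the spec nor the changelog entry records why it was needed. A one-line comment above the macro, e.g. `# nopie: <reason — not stated in this change>; revisit once the build tolerates -fPIE`, would let a later maintainer restore the default deliberately rather than by accident.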
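--- a/<SpecParser source: path not shown on page>
+++ b/<SpecParser source: path not shown on page>
@@ -349,7 +349,7 @@ class SpecParser(object):
 if (nrWords != 3):
 print "Error: Unable to parse line: "+line
 return False
-if (words[2] != "none" and words[2] != "nonow") :
+if (words[2] != "none" and words[2] != "nonow" and words[2] != "nopie") :
 print "Error: Invalid security_hardening value: " + words[2]
 return False
 self.globalSecurityHardening = words[2]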
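Review bot: The accepted-value check is now a growing chain of `!=` comparisons; `if words[2] not in ("none", "nonow", "nopie"):` reads as the allow-list it is and makes the next value a one-token change. This list has to mirror the `case` arms in adjust-gcc-specs.sh, whose `*)` arm accepts any other string silently, so this parser is the only place a typo in the spec is caught; a comment such as `# keep in sync with the triggers in adjust-gcc-specs.sh` above the check would make that dependency visible. The enclosing method starts outside the hunk.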
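--- a/adjust-gcc-specs.sh
+++ b/adjust-gcc-specs.sh
@@ -1,50 +1,109 @@
 #! /bin/bash
 
+# Security hardening consist of 5 compile and link time options
+# specified below:
+USE_STACK_PROTECTOR=1
+USE_FORTIFY_SOURCE=1
+USE_PIE=1
+USE_ZRELRO=1
+USE_ZNOW=1
+
 echo "Using options:" $@
 
-if [ $# -eq 1 -a "x$1" = "xnone" ]; then
- rm -f `dirname $(gcc --print-libgcc-file-name)`/../specs
- exit 0
+SPECFILE="`dirname $(gcc --print-libgcc-file-name)`/../specs"
+
+
+# Enable/disable triggers
+
+case $1 in
+none)
+ rm -f $SPECFILE
+ exit 0
+ ;;
+nopie)
+ USE_PIE=0
+ ;;
+nonow)
+ USE_ZNOW=0
+ ;;
+*)
+ ;;
+esac
+
+
+# Populate gcc spec variables in according to enabled triggers
+
+CC1_EXTRA=""
+CC1PLUS_EXTRA=""
+CPP_EXTRA=""
+LIBGCC_EXTRA=""
+STARTFILE=""
+LINK_EXTRA=""
+
+if [ $USE_STACK_PROTECTOR -eq 1 ]; then
+ CC1_EXTRA="$CC1_EXTRA %{!fno-stack-protector-strong:-fstack-protector-strong}"
+ CC1PLUS_EXTRA="$CC1PLUS_EXTRA %{!fno-stack-protector-strong:-fstack-protector-strong}"
 fi
 
-cat <<EOF > `dirname $(gcc --print-libgcc-file-name)`/../specs
-# add sec hardening flags for cc1.
-*cc1:
-+ %{!fno-stack-protector-strong:-fstack-protector-strong} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}
+if [ $USE_FORTIFY_SOURCE -eq 1 ]; then
+ CPP_EXTRA="$CPP_EXTRA %{O1|O2|O3|Os|Ofast:-D_FORTIFY_SOURCE=2}"
+fi
 
-# add sec hardening flags for cc1.
-*cc1plus:
-+ %{!fno-stack-protector-strong:-fstack-protector-strong} %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}
+if [ $USE_PIE -eq 1 ]; then
+ CC1_EXTRA="$CC1_EXTRA %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}"
+ CC1PLUS_EXTRA="$CC1PLUS_EXTRA %{fno-pie|fno-PIE|fpic|fPIC|shared:;:-fPIE -fpie}"
+ # pie flag requires shared libgcc_s during linking.
+ LIBGCC_EXTRA="$LIBGCC_EXTRA %{!static:--as-needed -lgcc_s --no-as-needed}"
+ # replace default startfile rules to use crt that PIE code requires.
+ STARTFILE="%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}} crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s}"
+ LINK_EXTRA="$LINK_EXTRA %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared|static:;:-pie}"
+fi
 
-# add -D_FORTIFY_SOURCE=2 for preprocessor.
-*cpp:
-+ %{O1|O2|O3|Os|Ofast:-D_FORTIFY_SOURCE=2}
+if [ $USE_ZRELRO -eq 1 ]; then
+ LINK_EXTRA="$LINK_EXTRA %{!norelro:-z relro}"
+fi
 
-# sec hardening flags require shared libgcc_s during linking.
-*libgcc:
-+ %{!static:--as-needed -lgcc_s --no-as-needed}
+if [ $USE_ZNOW -eq 1 ]; then
+ LINK_EXTRA="$LINK_EXTRA %{!nonow:-z now}"
+fi
 
-# replace default startfile rules to use crt that PIE code requires.
-*startfile:
-%{!shared: %{pg|p|profile:gcrt1.o%s;:Scrt1.o%s}} crti.o%s %{static:crtbeginT.o%s;:crtbeginS.o%s}
+# Create gcc spec file
 
-EOF
+echo "# Security hardening flags" > $SPECFILE
+if [ -n "$CC1_EXTRA" ]; then
+ echo >> $SPECFILE
+ echo "*cc1:" >> $SPECFILE
+ echo "+$CC1_EXTRA" >> $SPECFILE
+fi
 
-if [ $# -eq 1 -a "x$1" = "xnonow" ]; then
-cat <<EOF >> `dirname $(gcc --print-libgcc-file-name)`/../specs
-# add sec hardening flags for linker.
-*link:
-+ %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared:;:-pie} %{!norelro:-z relro}
+if [ -n "$CC1PLUS_EXTRA" ]; then
+ echo >> $SPECFILE
+ echo "*cc1plus:" >> $SPECFILE
+ echo "+$CC1PLUS_EXTRA" >> $SPECFILE
+fi
 
-EOF
-else
-cat <<EOF >> `dirname $(gcc --print-libgcc-file-name)`/../specs
-# add sec hardening flags for linker.
-*link:
-+ %{r|nostdlib|fno-pie|fno-PIE|fno-pic|fno-PIC|shared|static:;:-pie} %{!norelro:-z relro} %{!nonow:-z now}
+if [ -n "$CPP_EXTRA" ]; then
+ echo >> $SPECFILE
+ echo "*cpp:" >> $SPECFILE
+ echo "+$CPP_EXTRA" >> $SPECFILE
+fi
 
-EOF
+if [ -n "$LIBGCC_EXTRA" ]; then
+ echo >> $SPECFILE
+ echo "*libgcc:" >> $SPECFILE
+ echo "+$LIBGCC_EXTRA" >> $SPECFILE
 fi
 
+if [ -n "$STARTFILE" ]; then
+ echo >> $SPECFILE
+ echo "*startfile:" >> $SPECFILE
+ # replace
+ echo "$STARTFILE" >> $SPECFILE
+fi
 
+if [ -n "$LINK_EXTRA" ]; then
+ echo >> $SPECFILE
+ echo "*link:" >> $SPECFILE
+ echo "+$LINK_EXTRA" >> $SPECFILE
+fi
 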
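Review bot: The spec file is written in place by a chain of separate appends, from `echo "# Security hardening flags" > $SPECFILE` down to the `*link:` block, so a run that dies part-way leaves a truncated spec that gcc (which presumably reads this path on every invocation) loads without complaint, and later compiles silently get only part of the hardening. Assemble the file in a temporary beside it and rename it into place once complete, as sketched below. The `SPECFILE=` line also wants a guard: when `gcc --print-libgcc-file-name` prints nothing, `dirname` of the empty string is `.` and the path quietly becomes `./../specs` relative to the current directory. Finally, the `*)` arm of the `case` accepts any unrecognised non-empty argument and proceeds with full hardening; since the value is otherwise validated only in SpecParser, `*) [ -z "$1" ] || { echo "unknown option: $1" >&2; exit 1; } ;;` keeps the two lists from drifting apart.
```shell
LIBGCC="$(gcc --print-libgcc-file-name)"
[ -n "$LIBGCC" ] || { echo "cannot locate libgcc; not touching specs" >&2; exit 1; }
SPECFILE="$(dirname "$LIBGCC")/../specs"
# … unchanged: trigger case and spec-variable population …
TMPSPEC="$(mktemp "${SPECFILE}.XXXXXX")" || exit 1
trap 'rm -f "$TMPSPEC"' EXIT
echo "# Security hardening flags" > "$TMPSPEC"
# … unchanged: the per-section "if [ -n ... ]" blocks, each appending to "$TMPSPEC" instead of $SPECFILE …
mv -f "$TMPSPEC" "$SPECFILE"
trap - EXIT
```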
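--- a/<constants source: path not shown on page>
+++ b/<constants source: path not shown on page>
@@ -379,11 +379,8 @@ class constants(object):
 constants.specData.addMacro("KERNEL_RELEASE",kernelrelease)
 
 #adding kernelsubrelease rpm macro
-kernelversion = kernelversion.replace(".","")
-if kernelversion.isdigit():
-kernelversion = int(kernelversion) << 8
-kernelsubrelease = str(kernelversion)+kernelrelease
-kernelsubrelease = kernelsubrelease.replace(constants.dist,"")
+a,b,c = kernelversion.split(".")
+kernelsubrelease = '%02d%02d%03d%03d' % (int(a),int(b),int(c),int(kernelrelease.replace(constants.dist,"")))
 if kernelsubrelease:
 kernelsubrelease = "."+kernelsubrelease
 constants.specData.addMacro("kernelsubrelease",kernelsubrelease)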
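Review bot: `a,b,c = kernelversion.split(".")` raises ValueError for any version that is not exactly three dot-separated fields (e.g. `4.14` or `4.9.1-rc1`), and `int(kernelrelease.replace(constants.dist,""))` raises for a release carrying any other suffix; the removed code tolerated both via its `isdigit()` check, and the `if kernelsubrelease:` guard that survives below is now always true. Validate the pieces first and fall back to an empty macro, as below, so the guard does its job again. The enclosing function starts outside the hunk, and the rendered page has lost the hunk's indentation, so the fence assumes the lines sit at one level.
```python
#adding kernelsubrelease rpm macro
parts = kernelversion.split(".")
release = kernelrelease.replace(constants.dist, "")
if len(parts) == 3 and all(p.isdigit() for p in parts) and release.isdigit():
    a, b, c = parts
    kernelsubrelease = '%02d%02d%03d%03d' % (int(a), int(b), int(c), int(release))
else:
    kernelsubrelease = ""
# … unchanged: the "if kernelsubrelease:" prefixing and the addMacro call …
```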