From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 10 Mar 2025 13:32:27 +0000 (+0100)
Subject: dnsdist: Disable `-fcf-protection` on arm64 EL-8, it's not supported
X-Git-Tag: dnsdist-2.0.0-alpha1~25^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8e18c8c134475cc80f2082637e7bd09ff0b6f002;p=thirdparty%2Fpdns.git

dnsdist: Disable `-fcf-protection` on arm64 EL-8, it's not supported
---

diff --git a/builder-support/specs/dnsdist.spec b/builder-support/specs/dnsdist.spec
index 88c8102e3b..e03110ebf6 100644
--- a/builder-support/specs/dnsdist.spec
+++ b/builder-support/specs/dnsdist.spec
@@ -75,9 +75,16 @@ export CXX=clang++
 # build-id SHA1 prevents an issue with the debug symbols ("export: `-Wl,--build-id=sha1': not a valid identifier")
 # and -ldl an issue with the dlsym not being found ("ld.lld: error: undefined symbol: dlsym eferenced by weak.rs:142 (library/std/src/sys/pal/unix/weak.rs:142) [...] in archive ./dnsdist-rust-lib/rust/libdnsdist_rust.a)
 export LDFLAGS="-fuse-ld=lld -Wl,--build-id=sha1 -ldl"
+
 %if 0%{?rhel} < 9
-export CFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -gdwarf-4"
-export CXXFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -gdwarf-4"
+# starting with EL-9 we get these hardening settings for free by just setting the right toolchain (see above)
+%ifarch aarch64
+%define cf_protection %{nil}
+%else
+%define cf_protection -fcf-protection
+%endif
+export CFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection %{cf_protection} -gdwarf-4"
+export CXXFLAGS="-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection %{cf_protection} -gdwarf-4"
 %endif
 
 #export AR=gcc-ar