From: Michael Tremer Date: Sat, 27 Sep 2014 10:34:36 +0000 (+0200) Subject: pakfire: Enable more hardening X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=a56c436952b43c014e7f2e06d1787746c35e8974;p=ipfire-3.x.git pakfire: Enable more hardening Enables -fstack-protector-strong by default, which is supported since GCC 4.9. --- diff --git a/pakfire/pakfire.nm b/pakfire/pakfire.nm index 3fb99bfa5..45a1c2505 100644 --- a/pakfire/pakfire.nm +++ b/pakfire/pakfire.nm @@ -5,7 +5,7 @@ name = pakfire version = 0.9.26 -release = 2 +release = 3 maintainer = Michael Tremer groups = System/Packaging @@ -104,6 +104,9 @@ packages systemd-devel < 38 end + # Requires GCC 4.9 or later for -fstack-protector-strong + conflicts += gcc < 4.9 + configfiles %{sysconfdir}/pakfire/builder.conf %{sysconfdir}/pakfire/distros diff --git a/pakfire/patches/0001-CFLAGS-Enable-more-hardening.patch b/pakfire/patches/0001-CFLAGS-Enable-more-hardening.patch new file mode 100644 index 000000000..bab8cb516 --- /dev/null +++ b/pakfire/patches/0001-CFLAGS-Enable-more-hardening.patch 
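Review bot: The new `conflicts += gcc < 4.9` only guards the host's installed package set, while `-fstack-protector-strong` is consumed by macros/cflags.macro inside the build environment; whether that environment's gcc is subject to this conflict depends on how the builder resolves it, which the hunk does not show, and a GCC < 4.9 there fails the build on an unknown option rather than degrading quietly. The comment also understates why 4.9 is the floor: the accompanying patch drops the explicit `-Wp,-D_FORTIFY_SOURCE=2` and relies on the GCC 4.9 default, so relaxing this conflict later would silently lose fortification as well. Suggest `# Requires GCC 4.9 or later: cflags.macro uses -fstack-protector-strong and relies on GCC's built-in _FORTIFY_SOURCE=2 default`.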
@@ -0,0 +1,26 @@
+commit 664591620ddc73ac6838c6ed152c2b3c4233d609
+Author: Michael Tremer
+Date: Tue Sep 16 15:49:25 2014 +0200
+
+ CFLAGS: Enable more hardening
+
+ -fstack-protector-strong is available since GCC 4.9
+
+ -D_FORTIFY_SOURCE=2 is automatically enabled in IPFire since
+ GCC 4.9 and when optimization is enabled (e.g. -O2).
+
+diff --git a/macros/cflags.macro b/macros/cflags.macro
+index a2c583c..52a069a 100644
+--- a/macros/cflags.macro
++++ b/macros/cflags.macro
+@@ -1,7 +1,8 @@
+ 
+ # Export CFLAGS + CXXFLAGS
+-GLOBAL_CFLAGS = -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fPIC
+-GLOBAL_CFLAGS += -fstack-protector-all --param=ssp-buffer-size=4
++GLOBAL_CFLAGS = -O2 -g -pipe -Wall -Werror=format-security
++GLOBAL_CFLAGS += -fexceptions -fPIC -fstack-protector-strong --param=ssp-buffer-size=4
++GLOBAL_CFLAGS += -grecord-gcc-switches
+ 
+ CFLAGS_i686 = -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables
+ CFLAGS_x86_64 = -m64 -mtune=generic
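Review bot: Removing `-Wp,-D_FORTIFY_SOURCE=2` from the first `GLOBAL_CFLAGS` line makes buffer-overflow fortification depend on a distro-specific GCC default that the macro no longer states, so a build with a stock or differently patched toolchain, or a package that strips `-O2`, silently loses it with no error; keeping the define explicit costs nothing if the IPFire spec only sets it when absent, as such patches usually do, so `GLOBAL_CFLAGS = -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -Werror=format-security` is the safer form. `--param=ssp-buffer-size=4` on the second line is now dead weight: it only lowers the array-size threshold for plain `-fstack-protector`, and `-fstack-protector-strong` does not consult it, so `GLOBAL_CFLAGS += -fexceptions -fPIC -fstack-protector-strong` says the same thing. `-Werror=format-security` is a behaviour change the commit message does not mention and can fail packages that pass non-literal format strings; a short comment above the assignment noting that it is intentional and that affected packages need fixing rather than having the flag dropped would help the next maintainer. `-grecord-gcc-switches` is a good addition since it lets the applied flags be audited from the built objects.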