rpm: Use hardened LDFLAGS

Currently, we do pass the hardened CFLAGS and CPPFLAGS when building the
code. However, we do not pass the hardened flags to the linker. This
means that the binaries are linked without the options like -Wl,-z,now.
As a result, we do not fully harden the binaries that we build.

This commit fixes this by passing the RPM_LD_FLAGS to the linker so the
builds are linked with the properly hardened flags.

Fixes: http://tracker.ceph.com/issues/36316
Signed-off-by: Boris Ranto <branto@redhat.com>

diff --git a/ceph.spec.in b/ceph.spec.in
index bb0dd0c07f3920d447e63421292ac2e2086c5261..952763067d9dacce78f68490e4fdd4f84dc3ce86 100644 (file)
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -930,6 +930,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS --param ggc-min-expand=20 --param ggc-min-heapsize
 export CPPFLAGS="$java_inc"
 export CFLAGS="$RPM_OPT_FLAGS"
 export CXXFLAGS="$RPM_OPT_FLAGS"
+export LDFLAGS="$RPM_LD_FLAGS"
 
 # Parallel build settings ...
 CEPH_MFLAGS_JOBS="%{?_smp_mflags}"