From: Boris Ranto <branto@redhat.com>
Date: Thu, 4 Oct 2018 11:05:14 +0000 (+0200)
Subject: rpm: Use hardened LDFLAGS
X-Git-Tag: v14.0.1~79^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ea6d7d2c9878b08528d120aa35e2fd9e18b3ba0f;p=ceph.git

rpm: Use hardened LDFLAGS

Currently, we do pass the hardened CFLAGS and CPPFLAGS when building the
code. However, we do not pass the hardened flags to the linker. This
means that the binaries are linked without the options like -Wl,-z,now.
As a result, we do not fully harden the binaries that we build.

This commit fixes this by passing the RPM_LD_FLAGS to the linker so the
builds are linked with the properly hardened flags.

Fixes: http://tracker.ceph.com/issues/36316

Signed-off-by: Boris Ranto <branto@redhat.com>
---

diff --git a/ceph.spec.in b/ceph.spec.in
index bb0dd0c07f39..952763067d9d 100644
--- a/ceph.spec.in
+++ b/ceph.spec.in
@@ -930,6 +930,7 @@ RPM_OPT_FLAGS="$RPM_OPT_FLAGS --param ggc-min-expand=20 --param ggc-min-heapsize
 export CPPFLAGS="$java_inc"
 export CFLAGS="$RPM_OPT_FLAGS"
 export CXXFLAGS="$RPM_OPT_FLAGS"
+export LDFLAGS="$RPM_LD_FLAGS"
 
 # Parallel build settings ...
 CEPH_MFLAGS_JOBS="%{?_smp_mflags}"