diff --git a/macros b/macros index 47926b51a0e13f753c019014b85974c34a06d953..7e393a4b2185d8033976fe7cd1c3de70f7c65178 100644 --- a/macros +++ b/macros @@ -362,9 +362,18 @@ for k,_ in pairs(stripped_flags) do print(k .. " ") end %_clang_lto_cflags -flto=thin %_lto_cflags %{expand:%%{_%{toolchain}_lto_cflags}} +# Default fortification level. +# "%define _fortify_level 1" to downgrade and +# "%define _fortify_level 0" or "%undefine _fortify_level" to disable +# +# We use a single -Wp here to enforce order so that ccache does not ever +# reorder them. +%_fortify_level 2 +%_fortify_level_flags %[ 0%{?_fortify_level} > 0 ? "-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=%{_fortify_level}" : "" ] + %_general_options -O2 %{?_lto_cflags} -g -grecord-gcc-switches -pipe -fstack-protector-strong %[ "%{toolchain}" == "clang" ? "-fgcc-compatible" : "" ] %_warning_options -Wall -Werror=format-security -%_preprocessor_defines -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS +%_preprocessor_defines %{_fortify_level_flags} -Wp,-D_GLIBCXX_ASSERTIONS %__global_compiler_flags %{_general_options} %{_warning_options} %{_preprocessor_defines} %{_hardened_cflags} diff --git a/openEuler-rpm-config.spec b/openEuler-rpm-config.spec index a36338fd873241d4fe0181b780c056a869b2f02b..3d22bc95c6ce54e6a4c79d475eea569976a49c8f 100644 --- a/openEuler-rpm-config.spec +++ b/openEuler-rpm-config.spec @@ -3,7 +3,7 @@ Name: %{vendor}-rpm-config Version: 31 -Release: 12 +Release: 13 License: GPL+ Summary: specific rpm configuration files URL: https://gitee.com/src-openeuler/openEuler-rpm-config @@ -186,6 +186,9 @@ sed -i "s/@VENDOR@/%{vendor}/g" `grep "@VENDOR@" -rl %{buildroot}%{_rpmconfigdir %{rpmvdir}/find-requires.ksyms %changelog +* Fri Jan 17 2025 Funda Wang - 31-13 +- split out fortify level definition for supporting build with FORTIFY_SOURCE=3 in the future + * Wed Jan 15 2025 luhuaxin - 31-12 - ima: keep the process of OBS signing same as previous version