Add safety compile options

Becaues of the foolish usage of gcc_secure, those safety options was added by OBS with gcc_secure, without our knowing it. Especially, gcc_secure does this by change gcc to a shell script, and hide the true gcc. This makes a huge amount of confusion for developers and users. So we add these options '-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -Wtrampolines -fsigned-char' directly to nginx.spec. After this, we can confirm the compile options' consistency with or without gcc_secure. Signed-off-by: snoweay <snoweay@163.com> (cherry picked from commit bb0a157ddfef4c1f5f1baa276392f0aae46feddb)
2022-12-21 02:56:13 +00:00 · 2022-12-21 02:56:13 +00:00 · 9e7507b8ee
commit 9e7507b8ee
parent 2bd15b3841
1 changed files with 7 additions and 3 deletions
--- a/nginx.spec
+++ b/nginx.spec
@ -17,7 +17,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.21.5
-Release:           4
+Release:           5
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@ -161,7 +161,8 @@ mv ../%{name}-%{version}-%{release}-src .

 %build
 export DESTDIR=%{buildroot}
-nginx_ldopts="$RPM_LD_FLAGS -Wl,-E"
+nginx_ldopts="$RPM_LD_FLAGS -Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
+nginx_ccopts="-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wtrampolines -fsigned-char"
 if ! ./configure \
    --prefix=%{_datadir}/nginx --sbin-path=%{_sbindir}/nginx --modules-path=%{_libdir}/nginx/modules \
    --conf-path=%{_sysconfdir}/nginx/nginx.conf --error-log-path=%{_localstatedir}/log/nginx/error.log \
@ -187,7 +188,7 @@ if ! ./configure \
    --with-http_perl_module=dynamic --with-http_auth_request_module \
    --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic \
    --with-stream_ssl_module --with-google_perftools_module --with-debug \
-    --with-cc-opt="%{optflags} $(pcre2-config --cflags)" --with-ld-opt="$nginx_ldopts"; then
+    --with-cc-opt="%{optflags} $(pcre2-config --cflags) $nginx_ccopts" --with-ld-opt="$nginx_ldopts"; then
  : configure failed
  cat objs/autoconf.err
  exit 1
@ -387,6 +388,9 @@ fi
 %{_mandir}/man8/nginx.8*

 %changelog
+* Wed Dec 21 2022 snoweay <snoweay@163.com> - 1:1.21.5-5
+- add safety compile options
+
 * Thu Nov 24 2022 zhouyihang <zhouyihang3@h-partners.com> - 1:1.21.5-4
 - add package mod-devel