!73 [sync] PR-69: 增加安全编译选项

From: @openeuler-sync-bot Reviewed-by: @zhuchunyi Signed-off-by: @zhuchunyi
2023-06-19 13:11:16 +00:00 · 2023-06-19 13:11:16 +00:00 · 06bdb3bd64
commit 06bdb3bd64
parent 2bd15b3841 9e7507b8ee
1 changed files with 7 additions and 3 deletions
--- a/nginx.spec
+++ b/nginx.spec
@ -17,7 +17,7 @@
 Name:              nginx
 Epoch:             1
 Version:           1.21.5
-Release:           4
+Release:           5
 Summary:           A HTTP server, reverse proxy and mail proxy server
 License:           BSD
 URL:               http://nginx.org/
@ -161,7 +161,8 @@ mv ../%{name}-%{version}-%{release}-src .

 %build
 export DESTDIR=%{buildroot}
-nginx_ldopts="$RPM_LD_FLAGS -Wl,-E"
+nginx_ldopts="$RPM_LD_FLAGS -Wl,-E -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack"
+nginx_ccopts="-fPIC -D_FORTIFY_SOURCE=2 -O2 -Wtrampolines -fsigned-char"
 if ! ./configure \
    --prefix=%{_datadir}/nginx --sbin-path=%{_sbindir}/nginx --modules-path=%{_libdir}/nginx/modules \
    --conf-path=%{_sysconfdir}/nginx/nginx.conf --error-log-path=%{_localstatedir}/log/nginx/error.log \
@ -187,7 +188,7 @@ if ! ./configure \
    --with-http_perl_module=dynamic --with-http_auth_request_module \
    --with-mail=dynamic --with-mail_ssl_module --with-pcre --with-pcre-jit --with-stream=dynamic \
    --with-stream_ssl_module --with-google_perftools_module --with-debug \
-    --with-cc-opt="%{optflags} $(pcre2-config --cflags)" --with-ld-opt="$nginx_ldopts"; then
+    --with-cc-opt="%{optflags} $(pcre2-config --cflags) $nginx_ccopts" --with-ld-opt="$nginx_ldopts"; then
  : configure failed
  cat objs/autoconf.err
  exit 1
@ -387,6 +388,9 @@ fi
 %{_mandir}/man8/nginx.8*

 %changelog
+* Wed Dec 21 2022 snoweay <snoweay@163.com> - 1:1.21.5-5
+- add safety compile options
+
 * Thu Nov 24 2022 zhouyihang <zhouyihang3@h-partners.com> - 1:1.21.5-4
 - add package mod-devel