From c26115627c856f451b58878e8dcca3d7e5d4589b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jani=20V=C3=A4limaa?=
Date: Tue, 5 Dec 2023 21:52:16 +0200
Subject: rpmrc: add -fcf-protection=full to x86 default flags

Recommended in https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
---
NEWS | 1 +
rpmrc.in | 6 +++---
2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/NEWS b/NEWS
index 40cd263..fa9f773 100644
--- a/NEWS
+++ b/NEWS
@@ -1,4 +1,5 @@
 - rpmrc: add -fstack-clash-protection to default flags for all supported arches
+- rpmrc: add -fcf-protection=full to x86 default flags
 - rpmrc: add -mbranch-protection=standard to aarch64 default flags
 - rpmrc: drop arches we don't really support
 - rpmrc: drop arch_compat also available in /usr/lib/rpm/rpmrc
diff --git a/rpmrc.in b/rpmrc.in
index f0a959f..787f6c7 100644
--- a/rpmrc.in
+++ b/rpmrc.in
@@ -6,10 +6,10 @@
 optflags: i386 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i386 -fasynchronous-unwind-tables -fstack-clash-protection
 optflags: i486 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i586 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: i686 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i686 -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: i586 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full
+optflags: i686 %{__common_cflags_with_ssp} -fomit-frame-pointer -march=i686 -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full
 optflags: athlon %{__common_cflags_with_ssp} -fomit-frame-pointer -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
-optflags: x86_64 %{__common_cflags_with_ssp} -fasynchronous-unwind-tables -fstack-clash-protection
+optflags: x86_64 %{__common_cflags_with_ssp} -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection=full
 # Cortex A8
 optflags: armv7 %{__common_cflags_with_ssp} -march=armv7-a -mtune=cortex-a8 -mfpu=neon -mfloat-abi=softfp -fstack-clash-protection
-- 
cgit v1.2.1
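Review bot: The i586 line now combines `-march=i586` with `-fcf-protection=full`, which looks unsafe: GCC's documentation describes its CET implementation as working for i686 or newer, since the ENDBR32 landing pad is encoded as a multi-byte hint NOP that pre-i686 processors are not guaranteed to ignore. Depending on the compiler version this may be rejected at build time or produce binaries that fault on genuine i586 hardware, so I would leave that line ending in `-fstack-clash-protection` as before and keep the new flag on i686 and x86_64 only. The subject says "x86 default flags" while i386, i486 and athlon are left unchanged; if that is deliberate, a short note in the commit message or NEWS would save the next reader from treating it as an omission. It is also worth documenting near these lines that the flag only instruments code: whether CET is enforced at run time presumably still depends on the CPU, the kernel and every linked object (including hand-written assembly) carrying the CET markers.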