PR#437: Fix hardened build check - FedoraReview

FedoraReview

#437 Fix hardened build check

Merged 2 years ago by ngompa. Opened 2 years ago by oturpe.

oturpe/FedoraReview fix-hardened-build-check into master

Otto Urpelainen • 2 years ago

e0a3790

plugins/generic.py

file modified

+4 -4

		`@@ -288,11 +288,11 @@`

		`if not extra:`
		`self.set_passed(self.NA)`
		`- elif self.spec.find_re(r"[^# ]*%global\s+_hardened_build\s+1"):`
		`- self.set_passed(self.PASS, extra)`
		`- else:`
		`- extra += " and not %global _hardened_build"`
		`+ elif self.spec.find_re(r"[^# ]*%undefine\s+_hardened_build"):`
		`+ extra += " and %undefine _hardened_build"`
		`self.set_passed(self.FAIL, extra)`
		`+ else:`
		`+ self.set_passed(self.PASS, extra)`


		`class CheckDefattr(GenericCheckBase):`

test/test_misc/disabled.spec

file modified

		`@@ -1,6 +1,8 @@`
		`# sitelib for noarch packages, sitearch for others (remove the unneeded one)`
		`%{!?python_sitelib: %global python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print(get_python_lib())")}`

		`+ %undefine _hardened_build`
		`+`
		`Name: disabled`
		`Version: 1.0`
		`Release: 1%{?dist}`

oturpe commented 2 years ago

CheckDaemonCompileFlags checked that %global _hardened_build appears
when certain vulnerable conditions were met.
For a long time already, the hardened build is the default.
Correspondingly, the packaging guidelines have changed
so that disabling hardened build is forbidden in certain conditions.
Updated the check to look for %undefine _hardened_build instead
and pass or fail the test accordingly.

Resolves #436