Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Pass security flags and check gcc version #525

Open
wants to merge 2 commits into
base: all-citus
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 1 commit
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
5 changes: 5 additions & 0 deletions citus.spec
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,11 @@ if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)"
fi
fi

gccgte8=$(expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd prefer if this used the same type of check as the one above for consistency, i.e. using sort -V (version sort).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually thinking about that a bit, we would enter that if it the version is equal to "4.8.2" but we don't want to, isn't that if check wrong in this case?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I guess you are right, maybe a better way would be to use head -n1 and check against currentgccver

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if currentgccver and requiredgccver are the same, then what is the difference between head -n1 or tail -n1, or checking against currentgccver or requiredgccver. I would say that we can switch to gte structure here

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if ! [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | head -n1)" = "$requiredgccver" ]; then
      echo WARNING: Using slower security flags because of outdated compiler
fi

or something like the above maybe

Copy link
Contributor

@JelteF JelteF Oct 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes that seems good, but maybe use != instead of ! [ ... = ... ]

And then use

if [ "$(printf '%s\n' "8.0.0" "$currentgccver" | sort -V | head -n1)" = "8.0.0" ]; then
      # add extra security flag
fi

ifeq "$(gccgte8)" "1"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

isn't ifeq a Makefile thing? I believe this spec file is (ba)sh.

SECURITY_CFLAGS += -fstack-clash-protection
endif

%build
%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}" CC=$(command -v gcc) CFLAGS="$SECURITY_CFLAGS"
make %{?_smp_mflags}
Expand Down
12 changes: 10 additions & 2 deletions debian/rules
Original file line number Diff line number Diff line change
Expand Up @@ -2,9 +2,17 @@

include /usr/share/postgresql-common/pgxs_debian_control.mk

# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
SECURITY_CFLAGS=-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security

GCCVERSIONGTE8=$(shell expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
ifeq "$(GCCVERSIONGTE8)" "1"
# if gcc version is greater than or equal to 8 we should also use this flag
SECURITY_CFLAGS += -fstack-clash-protection
endif

override_dh_auto_build:
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+pg_buildext build build-%v '$(CFLAGS) -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security'
+pg_buildext build build-%v '$(CFLAGS) $(SECURITY_CFLAGS)'

override_dh_auto_clean:
+pg_buildext clean build-%v
Expand Down