[tor-commits] [tor-browser-build/master] Bug 22444: use hardening-wrapper when building gcc for the Linux build

boklm at torproject.org boklm at torproject.org
Tue May 30 12:58:17 UTC 2017


commit 6378afdeb4e15607bedebe5270137657c7961be7
Author: Nicolas Vigier <boklm at torproject.org>
Date:   Tue May 30 14:51:46 2017 +0200

    Bug 22444: use hardening-wrapper when building gcc for the Linux build
---
 projects/gcc/build  | 11 +++++++++++
 projects/gcc/config |  2 ++
 2 files changed, 13 insertions(+)

diff --git a/projects/gcc/build b/projects/gcc/build
index e509aac..e2902ad 100644
--- a/projects/gcc/build
+++ b/projects/gcc/build
@@ -1,6 +1,17 @@
 #!/bin/sh
 [% c("var/set_default_env") -%]
 [% c("var/setarch") -%]
+[% IF c("var/linux") -%]
+  # Config options for hardening-wrapper
+  export DEB_BUILD_HARDENING=1
+  export DEB_BUILD_HARDENING_STACKPROTECTOR=1
+  export DEB_BUILD_HARDENING_FORTIFY=1
+  export DEB_BUILD_HARDENING_PIE=1
+  # We need to disable `-Werror=format-security` as GCC does not build with it
+  # anymore. It seems it got audited for those problems already:
+  # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=48817.
+  export DEB_BUILD_HARDENING_FORMAT=0
+[% END -%]
 distdir=/var/tmp/dist/[% project %]
 mkdir /var/tmp/build
 tar -C /var/tmp/build -xf [% project %]-[% c("version") %].tar.bz2
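Review bot: The exported block names STACKPROTECTOR, FORTIFY and PIE explicitly but says nothing about RELRO and BINDNOW, so a reader cannot tell whether those two are meant to be on. As far as I know, hardening-wrapper enables every feature once `DEB_BUILD_HARDENING=1` is set, which would make them active by default. Stating it removes the ambiguity, either with `export DEB_BUILD_HARDENING_RELRO=1` and `export DEB_BUILD_HARDENING_BINDNOW=1` or with a comment such as `# RELRO and BINDNOW are left at the wrapper default (enabled)`. The rest of the build script lies outside the hunk, so whether anything later checks the produced binaries for these flags is not visible here.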
diff --git a/projects/gcc/config b/projects/gcc/config
index 3871455..d97afbf 100644
--- a/projects/gcc/config
+++ b/projects/gcc/config
@@ -47,12 +47,14 @@ targets:
     var:
       configure_opt: --enable-multilib --enable-languages=c,c++ --with-system-zlib
       arch_deps:
+        - hardening-wrapper
         - libc6-dev
         - zlib1g-dev
   linux-x86_64:
     var:
       configure_opt: --enable-multilib --enable-languages=c,c++ --with-arch_32=i686
       arch_deps:
+        - hardening-wrapper
         - libc6-dev-i386
 input_files:
   - project: container-image
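Review bot: `hardening-wrapper` is added to `arch_deps` target by target, while projects/gcc/build exports the `DEB_BUILD_HARDENING*` variables for every target where `var/linux` is true. If a Linux target ever lacks this entry, the variables would be set with no wrapper installed, and the compiler would presumably be built unhardened without any error. A comment next to each entry, e.g. `# required by the DEB_BUILD_HARDENING_* exports in projects/gcc/build`, would keep the two files in step. The name of the first target in this hunk is above the visible lines.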


