commit
29edb329c7
@ -0,0 +1,20 @@
|
|||||||
|
#! /bin/bash -f
|
||||||
|
|
||||||
|
## A counterpart of brp-kmod-set-exec-bits that restores original kmod
|
||||||
|
## file permissions
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != "/" ] || exit 0
|
||||||
|
|
||||||
|
# Checking for required programs
|
||||||
|
which chmod >/dev/null || exit 0
|
||||||
|
|
||||||
|
[ -r "$RPM_BUILD_ROOT/kmod-permissions.list" ] || exit 0
|
||||||
|
|
||||||
|
while read perm path; do
|
||||||
|
[ -n "$perm" ] || continue
|
||||||
|
|
||||||
|
chmod "$perm" "$RPM_BUILD_ROOT/$path"
|
||||||
|
done < "$RPM_BUILD_ROOT/kmod-permissions.list"
|
||||||
|
|
||||||
|
rm -f "$RPM_BUILD_ROOT/kmod-permissions.list"
|
@ -0,0 +1,14 @@
|
|||||||
|
#! /bin/bash -fx
|
||||||
|
|
||||||
|
## A hack for making brp-strip taking into account kmod files
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
[ -n "$RPM_BUILD_ROOT" -a "$RPM_BUILD_ROOT" != "/" ] || exit 0
|
||||||
|
|
||||||
|
# Checking for required programs
|
||||||
|
which find chmod >/dev/null || exit 0
|
||||||
|
|
||||||
|
find "$RPM_BUILD_ROOT" \
|
||||||
|
-name '*.ko' \
|
||||||
|
-printf '%#m %P\n' \
|
||||||
|
-exec chmod u+x '{}' \; > "$RPM_BUILD_ROOT/kmod-permissions.list"
|
@ -0,0 +1,10 @@
|
|||||||
|
#!/bin/sh -f
|
||||||
|
# Force creating of DSO symlinks.
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
/sbin/ldconfig -N -r "$RPM_BUILD_ROOT"
|
||||||
|
# TODO: warn if it created new symlinks and guide people.
|
@ -0,0 +1,167 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# If using normal root, avoid changing anything.
|
||||||
|
if [ -z "$RPM_BUILD_ROOT" -o "$RPM_BUILD_ROOT" = "/" ]; then
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
exclude_files=""
|
||||||
|
exclude_files_from=""
|
||||||
|
exclude_shebangs=""
|
||||||
|
exclude_shebangs_from=""
|
||||||
|
|
||||||
|
usage() {
|
||||||
|
local verbose=$1 && shift
|
||||||
|
local outfile=$1 && shift
|
||||||
|
local status=$1 && shift
|
||||||
|
|
||||||
|
(
|
||||||
|
echo 'usage: brp-mangle-shebangs [--files <regexp>] [--files-from <file>] [--shebangs <regexp>] [--shebangs-from <file>]'
|
||||||
|
if [ "${verbose}" == "yes" ]; then
|
||||||
|
echo ' --files: extended regexp of files to ignore'
|
||||||
|
echo ' --files-from: file containing a list of extended regexps of files to ignore'
|
||||||
|
echo ' --shebangs: extended regexp of shebangs to ignore'
|
||||||
|
echo ' --shebangs-from: file containing a list of extended regexps of shebangs to ignore'
|
||||||
|
fi
|
||||||
|
) >>${outfile}
|
||||||
|
exit ${status}
|
||||||
|
}
|
||||||
|
|
||||||
|
while [ $# -gt 0 ] ; do
|
||||||
|
case "$1" in
|
||||||
|
--files)
|
||||||
|
exclude_files="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--files=*)
|
||||||
|
exclude_files="${1##--files=}"
|
||||||
|
;;
|
||||||
|
--files-from)
|
||||||
|
exclude_files_from="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--files-from=*)
|
||||||
|
exclude_files_from="${1##--files-from=}"
|
||||||
|
;;
|
||||||
|
--shebangs)
|
||||||
|
exclude_shebangs="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--shebangs=*)
|
||||||
|
exclude_shebangs="${1##--shebangs=}"
|
||||||
|
;;
|
||||||
|
--shebangs-from)
|
||||||
|
exclude_shebangs_from="${2}"
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--shebangs-from=*)
|
||||||
|
exclude_shebangs_from="${1##--shebangs-from=}"
|
||||||
|
;;
|
||||||
|
--help|--usage|"-?"|-h)
|
||||||
|
usage yes /dev/stdout 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Unknown option \"${1}\"" 1>&2
|
||||||
|
usage no /dev/stderr 1
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
shift
|
||||||
|
done
|
||||||
|
|
||||||
|
cd "$RPM_BUILD_ROOT"
|
||||||
|
|
||||||
|
# Large packages such as kernel can have thousands of executable files.
|
||||||
|
# We take care to not fork/exec thousands of "file"s and "grep"s,
|
||||||
|
# but run just two of them.
|
||||||
|
# (Take care to exclude filenames which would mangle "file" output).
|
||||||
|
find -executable -type f ! -path '*:*' ! -path $'*\n*' \
|
||||||
|
| file -N --mime-type -f - \
|
||||||
|
| grep -P ".+(?=: text/)" \
|
||||||
|
| {
|
||||||
|
fail=0
|
||||||
|
while IFS= read -r line; do
|
||||||
|
f=${line%%:*}
|
||||||
|
|
||||||
|
# Remove the dot
|
||||||
|
path="${f#.}"
|
||||||
|
|
||||||
|
if [ -n "$exclude_files" ]; then
|
||||||
|
echo "$path" | grep -q -E "$exclude_files" && continue
|
||||||
|
fi
|
||||||
|
if [ -n "$exclude_files_from" ]; then
|
||||||
|
echo "$path" | grep -q -E -f "$exclude_files_from" && continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
|
||||||
|
if ! read shebang_line < "$f"; then
|
||||||
|
echo >&2 "*** WARNING: Cannot read the first line from $f, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
orig_shebang="${shebang_line#\#!}"
|
||||||
|
if [ "$orig_shebang" = "$shebang_line" ]; then
|
||||||
|
echo >&2 "*** WARNING: $f is executable but has no shebang, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Trim spaces
|
||||||
|
while shebang="${orig_shebang// / }"; [ "$shebang" != "$orig_shebang" ]; do
|
||||||
|
orig_shebang="$shebang"
|
||||||
|
done
|
||||||
|
# Treat "#! /path/to " as "#!/path/to"
|
||||||
|
orig_shebang="${orig_shebang# }"
|
||||||
|
|
||||||
|
shebang="$orig_shebang"
|
||||||
|
|
||||||
|
if [ -z "$shebang" ]; then
|
||||||
|
echo >&2 "*** WARNING: $f is executable but has empty shebang, removing executable bit"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
chmod -x "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
if [ -n "${shebang##/*}" ]; then
|
||||||
|
echo >&2 "*** ERROR: $f has shebang which doesn't start with '/' ($shebang)"
|
||||||
|
fail=1
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
if ! { echo "$shebang" | grep -q -P "^/(?:usr/)?(?:bin|sbin)/"; }; then
|
||||||
|
continue
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Replace "special" env shebang:
|
||||||
|
# /whatsoever/env /whatever/foo → /whatever/foo
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e 's@^(.+)/env /(.+)$@/\2@')
|
||||||
|
# /whatsoever/env foo → /whatsoever/foo
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e 's@^(.+/)env (.+)$@\1\2@')
|
||||||
|
|
||||||
|
# Replace python3 with the desired Python 3 shebang,
|
||||||
|
# if passed as an non-empty environment variable PYTHON3
|
||||||
|
if [ -n "${PYTHON3:+x}" ]; then
|
||||||
|
shebang=$(echo "$shebang" | sed -r -e "s@/usr/bin/python3(\s|$)@${PYTHON3}\1@")
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Replace ambiguous python with python2
|
||||||
|
py_shebang=$(echo "$shebang" | sed -r -e 's@/usr/bin/python(\s|$)@/usr/bin/python2\1@')
|
||||||
|
|
||||||
|
if [ "$shebang" != "$py_shebang" ]; then
|
||||||
|
echo >&2 "*** ERROR: ambiguous python shebang in $path: #!$orig_shebang. Change it to python3 (or python2) explicitly."
|
||||||
|
fail=1
|
||||||
|
elif [ "#!$shebang" != "#!$orig_shebang" ]; then
|
||||||
|
echo "mangling shebang in $path from $orig_shebang to #!$shebang"
|
||||||
|
ts=$(stat -c %y "$f")
|
||||||
|
sed -i -e "1c #!$shebang" "$f"
|
||||||
|
touch -d "$ts" "$f"
|
||||||
|
fi
|
||||||
|
|
||||||
|
done
|
||||||
|
|
||||||
|
exit $fail
|
||||||
|
}
|
@ -0,0 +1,442 @@
|
|||||||
|
This document contains documentation of the individual compiler flags
|
||||||
|
and how to use them.
|
||||||
|
|
||||||
|
[TOC]
|
||||||
|
|
||||||
|
# Using RPM build flags
|
||||||
|
|
||||||
|
For packages which use autoconf to set up the build environment, use
|
||||||
|
the `%configure` macro to obtain the full complement of flags, like
|
||||||
|
this:
|
||||||
|
|
||||||
|
%configure
|
||||||
|
|
||||||
|
This will invoke the `./configure` with arguments (such as
|
||||||
|
`--prefix=/usr`) to adjust the paths to the packaging defaults.
|
||||||
|
Prior to that, some common problems in autotools scripts are
|
||||||
|
automatically patched across the source tree.
|
||||||
|
|
||||||
|
As a side effect, this will set the environment variables `CFLAGS`,
|
||||||
|
`CXXFLAGS`, `FFLAGS`, `FCFLAGS`, and `LDFLAGS`, so they can be used by
|
||||||
|
makefiles and other build tools. (However, existing values for this
|
||||||
|
variables are not overwritten.)
|
||||||
|
|
||||||
|
If your package does not use autoconf, you can still set the same
|
||||||
|
environment variables using
|
||||||
|
|
||||||
|
%set_build_flags
|
||||||
|
|
||||||
|
early in the `%build` section. (Again, existing environment variables
|
||||||
|
are not overwritten.) `%set_build_flags` does not perform autotools
|
||||||
|
script rewriting, unlike `%configure`.
|
||||||
|
|
||||||
|
Individual build flags are also available through RPM macros:
|
||||||
|
|
||||||
|
* `%{build_cflags}` for the C compiler flags (also known as the
|
||||||
|
`CFLAGS` variable). Also historically available as `%{optflags}`.
|
||||||
|
Furthermore, at the start of the `%build` section, the environment
|
||||||
|
variable `RPM_OPT_FLAGS` is set to this value.
|
||||||
|
* `%{build_cxxflags}` for the C++ compiler flags (usually assigned to
|
||||||
|
the `CXXFLAGS` shell variable).
|
||||||
|
* `%{build_fflags} for `FFLAGS` (the Fortran compiler flags, also
|
||||||
|
known as the `FCFLAGS` variable).
|
||||||
|
* `%{build_ldflags}` for the link editor (ld) flags, usually known as
|
||||||
|
`LDFLAGS`. Note that the contents quotes linker arguments using
|
||||||
|
`-Wl`, so this variable is intended for use with the `gcc` compiler
|
||||||
|
driver. At the start of the `%build` section, the environment
|
||||||
|
variable `RPM_LD_FLAGS` is set to this value.
|
||||||
|
|
||||||
|
These RPM macros do not alter shell environment variables.
|
||||||
|
|
||||||
|
For some other build tools separate mechanisms exist:
|
||||||
|
|
||||||
|
* CMake builds use the the `%cmake` macro from the `cmake-rpm-macros`
|
||||||
|
package.
|
||||||
|
|
||||||
|
Care must be taking not to compile the current selection of compiler
|
||||||
|
flags into any RPM package besides `redhat-rpm-config`, so that flag
|
||||||
|
changes are picked up automatically once `redhat-rpm-config` is
|
||||||
|
updated.
|
||||||
|
|
||||||
|
# Flag selection for the build type
|
||||||
|
|
||||||
|
The default flags are suitable for building applications.
|
||||||
|
|
||||||
|
For building shared objects, you must compile with `-fPIC` in
|
||||||
|
(`CFLAGS` or `CXXFLAGS`) and link with `-shared` (in `LDFLAGS`).
|
||||||
|
|
||||||
|
For other considerations involving shared objects, see:
|
||||||
|
|
||||||
|
* [Fedora Packaging Guidelines: Shared Libraries](https://fedoraproject.org/wiki/Packaging:Guidelines#Shared_Libraries)
|
||||||
|
|
||||||
|
# Customizing compiler and other build flags
|
||||||
|
|
||||||
|
It is possible to set RPM macros to change some aspects of the
|
||||||
|
compiler flags. Changing these flags should be used as a last
|
||||||
|
recourse if other workarounds are not available.
|
||||||
|
|
||||||
|
### Disable autotools compatibility patching
|
||||||
|
|
||||||
|
By default, the invocation of the `%configure` macro replaces
|
||||||
|
`config.guess` files in the source tree with the system version. To
|
||||||
|
disable that, define this macro:
|
||||||
|
|
||||||
|
%global _configure_gnuconfig_hack 0
|
||||||
|
|
||||||
|
`%configure` also patches `ltmain.sh` scripts, so that linker flags
|
||||||
|
are set as well during libtool-. This can be switched off using:
|
||||||
|
|
||||||
|
%global _configure_libtool_hardening_hack 0
|
||||||
|
|
||||||
|
### Lazy binding
|
||||||
|
|
||||||
|
If your package depends on the semantics of lazy binding (e.g., it has
|
||||||
|
plugins which load additional plugins to complete their dependencies,
|
||||||
|
before which some referenced functions are undefined), you should put
|
||||||
|
`-Wl,-z,lazy` at the end of the `LDFLAGS` setting when linking objects
|
||||||
|
which have such requirements. Under these circumstances, it is
|
||||||
|
unnecessary to disable hardened builds (and thus lose full ASLR for
|
||||||
|
executables), or link everything without `-Wl,z,now` (non-lazy
|
||||||
|
binding).
|
||||||
|
|
||||||
|
### Hardened builds
|
||||||
|
|
||||||
|
By default, the build flags enable fully hardened builds. To change
|
||||||
|
this, include this in the RPM spec file:
|
||||||
|
|
||||||
|
%undefine _hardened_build
|
||||||
|
|
||||||
|
This turns off certain hardening features, as described in detail
|
||||||
|
below. The main difference is that executables will be
|
||||||
|
position-dependent (no full ASLR) and use lazy binding.
|
||||||
|
|
||||||
|
### Annotated builds/watermarking
|
||||||
|
|
||||||
|
By default, the build flags cause a special output section to be
|
||||||
|
included in ELF files which describes certain aspects of the build.
|
||||||
|
To change this for all compiler invocations, include this in the RPM
|
||||||
|
spec file:
|
||||||
|
|
||||||
|
%undefine _annotated_build
|
||||||
|
|
||||||
|
Be warned that this turns off watermarking, making it impossible to do
|
||||||
|
full hardening coverage analysis for any binaries produced.
|
||||||
|
|
||||||
|
It is possible to disable annotations for individual compiler
|
||||||
|
invocations, using the `-fplugin-arg-annobin-disable` flag. However,
|
||||||
|
the annobin plugin must still be loaded for this flag to be
|
||||||
|
recognized, so it has to come after the hardening flags on the command
|
||||||
|
line (it has to be added at the end of `CFLAGS`, or specified after
|
||||||
|
the `CFLAGS` variable contents).
|
||||||
|
|
||||||
|
### Strict symbol checks in the link editor (ld)
|
||||||
|
|
||||||
|
Optionally, the link editor will refuse to link shared objects which
|
||||||
|
contain undefined symbols. Such symbols lack symbol versioning
|
||||||
|
information and can be bound to the wrong (compatibility) symbol
|
||||||
|
version at run time, and not the actual (default) symbol version which
|
||||||
|
would have been used if the symbol definition had been available at
|
||||||
|
static link time. Furthermore, at run time, the dynamic linker will
|
||||||
|
not have complete dependency information (in the form of DT_NEEDED
|
||||||
|
entries), which can lead to errors (crashes) if IFUNC resolvers are
|
||||||
|
executed before the shared object containing them is fully relocated.
|
||||||
|
|
||||||
|
To switch on these checks, define this macro in the RPM spec file:
|
||||||
|
|
||||||
|
%define _strict_symbol_defs_build 1
|
||||||
|
|
||||||
|
If this RPM spec option is active, link failures will occur if the
|
||||||
|
linker command line does not list all shared objects which are needed.
|
||||||
|
In this case, you need to add the missing DSOs (with linker arguments
|
||||||
|
such as `-lm`). As a result, the link editor will also generated the
|
||||||
|
necessary DT_NEEDED entries.
|
||||||
|
|
||||||
|
In some cases (such as when a DSO is loaded as a plugin and is
|
||||||
|
expected to bind to symbols in the main executable), undefined symbols
|
||||||
|
are expected. In this case, you can add
|
||||||
|
|
||||||
|
%undefine _strict_symbol_defs_build
|
||||||
|
|
||||||
|
to the RPM spec file to disable these strict checks. Alternatively,
|
||||||
|
you can pass `-z undefs` to ld (written as `-Wl,-z,undefs` on the gcc
|
||||||
|
command line). The latter needs binutils 2.29.1-12.fc28 or later.
|
||||||
|
|
||||||
|
### Post-build ELF object processing
|
||||||
|
|
||||||
|
By default, DWARF debugging information is separated from installed
|
||||||
|
ELF objects and put into `-debuginfo` subpackages. To disable most
|
||||||
|
debuginfo processing (and thus the generation of these subpackages),
|
||||||
|
define `_enable_debug_packages` as `0`.
|
||||||
|
|
||||||
|
Processing of debugging information is controlled using the
|
||||||
|
`find-debuginfo` tool from the `debugedit` package. Several aspects
|
||||||
|
of its operation can be controlled at the RPM level.
|
||||||
|
|
||||||
|
* Creation of `-debuginfo` subpackages is enabled by default.
|
||||||
|
To disable, undefine `_debuginfo_subpackages`.
|
||||||
|
* Likewise, `-debugsource` subpackages are automatically created.
|
||||||
|
To disable, undefine `_debugsource_subpackages`.
|
||||||
|
See [Separate Subpackage and Source Debuginfo](https://fedoraproject.org/wiki/Changes/SubpackageAndSourceDebuginfo)
|
||||||
|
for background information.
|
||||||
|
* `_build_id_links`, `_unique_build_ids`, `_unique_debug_names`,
|
||||||
|
`_unique_debug_srcs` control how debugging information and
|
||||||
|
corresponding source files are represented on disk.
|
||||||
|
See `/usr/lib/rpm/macros` for details. The defaults
|
||||||
|
enable parallel installation of `-debuginfo` packages for
|
||||||
|
different package versions, as described in
|
||||||
|
[Parallel Installable Debuginfo](https://fedoraproject.org/wiki/Changes/ParallelInstallableDebuginfo).
|
||||||
|
* By default, a compressed symbol table is preserved in the
|
||||||
|
`.gnu_debugdata` section. To disable that, undefine
|
||||||
|
`_include_minidebuginfo`.
|
||||||
|
* To speed up debuggers, a `.gdb_index` section is created. It can be
|
||||||
|
disabled by undefining `_include_gdb_index`.
|
||||||
|
* Missing build IDs result in a build failure. To ignore such
|
||||||
|
problems, undefine `_missing_build_ids_terminate_build`.
|
||||||
|
* During processing, build IDs are recomputed to match the binary
|
||||||
|
content. To skip this step, define `_no_recompute_build_ids` as `1`.
|
||||||
|
* By default, the options in `_find_debuginfo_dwz_opts` turn on `dwz`
|
||||||
|
(DWARF compression) processing. Undefine this macro to disable this
|
||||||
|
step.
|
||||||
|
* Additional options can be passed by defining the
|
||||||
|
`_find_debuginfo_opts` macro.
|
||||||
|
|
||||||
|
After separation of debugging information, additional transformations
|
||||||
|
are applied, most of them also related to debugging information.
|
||||||
|
These steps can be skipped by undefining the corresponding macros:
|
||||||
|
|
||||||
|
* `__brp_strip`: Removal of leftover debugging information. The tool
|
||||||
|
specified by the `__strip` macro is invoked with the `-g` option on
|
||||||
|
ELF object (`.o`) files.
|
||||||
|
* `__brp_strip_static_archive`: This is similar to `__brp_strip`, but
|
||||||
|
processes static `.a` archives instead.
|
||||||
|
* `__brp_strip_comment_note`: This step removes unallocated `.note`
|
||||||
|
sections, and `.comment` sections from ELF files.
|
||||||
|
* `__brp_ldconfig`: For each shared object on the library search path
|
||||||
|
whose soname does not match its file name, a symbolic link from the
|
||||||
|
soname to the file name is created. This way, these shared objects
|
||||||
|
are loadable immediately after installation, even if they are not yet
|
||||||
|
listed in the `/etc/ld.so.cache` file (because `ldconfig` has not been
|
||||||
|
invoked yet).
|
||||||
|
|
||||||
|
# Individual compiler flags
|
||||||
|
|
||||||
|
Compiler flags end up in the environment variables `CFLAGS`,
|
||||||
|
`CXXFLAGS`, `FFLAGS`, and `FCFLAGS`.
|
||||||
|
|
||||||
|
The general (architecture-independent) build flags are:
|
||||||
|
|
||||||
|
* `-O2`: Turn on various GCC optimizations. See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Optimize-Options.html#index-O2).
|
||||||
|
Optimization improves performance, the accuracy of warnings, and the
|
||||||
|
reach of toolchain-based hardening, but it makes debugging harder.
|
||||||
|
* `-g`: Generate debugging information (DWARF). In Fedora, this data
|
||||||
|
is separated into `-debuginfo` RPM packages whose installation is
|
||||||
|
optional, so debuging information does not increase the size of
|
||||||
|
installed binaries by default.
|
||||||
|
* `-pipe`: Run compiler and assembler in parallel and do not use a
|
||||||
|
temporary file for the assembler input. This can improve
|
||||||
|
compilation performance. (This does not affect code generation.)
|
||||||
|
* `-Wall`: Turn on various GCC warnings.
|
||||||
|
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wall).
|
||||||
|
* `-Werror=format-security`: Turn on format string warnings and treat
|
||||||
|
them as errors.
|
||||||
|
See the [GCC manual](https://gcc.gnu.org/onlinedocs/gcc/Warning-Options.html#index-Wformat-security).
|
||||||
|
This can occasionally result in compilation errors. In this case,
|
||||||
|
the best option is to rewrite the source code so that only constant
|
||||||
|
format strings (string literals) are used.
|
||||||
|
* `-Wp,-D_FORTIFY_SOURCE=2`: Source fortification activates various
|
||||||
|
hardening features in glibc:
|
||||||
|
* String functions such as `memcpy` attempt to detect buffer lengths
|
||||||
|
and terminate the process if a buffer overflow is detected.
|
||||||
|
* `printf` format strings may only contain the `%n` format specifier
|
||||||
|
if the format string resides in read-only memory.
|
||||||
|
* `open` and `openat` flags are checked for consistency with the
|
||||||
|
presence of a *mode* argument.
|
||||||
|
* Plus other minor hardening changes.
|
||||||
|
(These changes can occasionally break valid programs.)
|
||||||
|
* `-fexceptions`: Provide exception unwinding support for C programs.
|
||||||
|
See the [`-fexceptions` option in the GCC
|
||||||
|
manual](https://gcc.gnu.org/onlinedocs/gcc/Code-Gen-Options.html#index-fexceptions)
|
||||||
|
and the [`cleanup` variable
|
||||||
|
attribute](https://gcc.gnu.org/onlinedocs/gcc/Common-Variable-Attributes.html#index-cleanup-variable-attribute).
|
||||||
|
This also hardens cancellation handling in C programs because
|
||||||
|
it is not required to use an on-stack jump buffer to install
|
||||||
|
a cancellation handler with `pthread_cleanup_push`. It also makes
|
||||||
|
it possible to unwind the stack (using C++ `throw` or Rust panics)
|
||||||
|
from C callback functions if a C library supports non-local exits
|
||||||
|
from them (e.g., via `longjmp`).
|
||||||
|
* `-Wp,-D_GLIBCXX_ASSERTIONS`: Enable lightweight assertions in the
|
||||||
|
C++ standard library, such as bounds checking for the subscription
|
||||||
|
operator on vectors. (This flag is added to both `CFLAGS` and
|
||||||
|
`CXXFLAGS`; C compilations will simply ignore it.)
|
||||||
|
* `-fstack-protector-strong`: Instrument functions to detect
|
||||||
|
stack-based buffer overflows before jumping to the return address on
|
||||||
|
the stack. The *strong* variant only performs the instrumentation
|
||||||
|
for functions whose stack frame contains addressable local
|
||||||
|
variables. (If the address of a variable is never taken, it is not
|
||||||
|
possible that a buffer overflow is caused by incorrect pointer
|
||||||
|
arithmetic involving a pointer to that variable.)
|
||||||
|
* `-fstack-clash-protection`: Turn on instrumentation to avoid
|
||||||
|
skipping the guard page in large stack frames. (Without this flag,
|
||||||
|
vulnerabilities can result where the stack overlaps with the heap,
|
||||||
|
or thread stacks spill into other regions of memory.) This flag is
|
||||||
|
fully ABI-compatible and has adds very little run-time overhead.
|
||||||
|
* `-grecord-gcc-switches`: Include select GCC command line switches in
|
||||||
|
the DWARF debugging information. This is useful for detecting the
|
||||||
|
presence of certain build flags and general hardening coverage.
|
||||||
|
|
||||||
|
For hardened builds (which are enabled by default, see above for how
|
||||||
|
to disable them), the flag
|
||||||
|
`-specs=/usr/lib/rpm/redhat/redhat-hardened-cc1` is added to the
|
||||||
|
command line. It adds the following flag to the command line:
|
||||||
|
|
||||||
|
* `-fPIE`: Compile for a position-independent executable (PIE),
|
||||||
|
enabling full address space layout randomization (ASLR). This is
|
||||||
|
similar to `-fPIC`, but avoids run-time indirections on certain
|
||||||
|
architectures, resulting in improved performance and slightly
|
||||||
|
smaller executables. However, compared to position-dependent code
|
||||||
|
(the default generated by GCC), there is still a measurable
|
||||||
|
performance impact.
|
||||||
|
|
||||||
|
If the command line also contains `-r` (producing a relocatable
|
||||||
|
object file), `-fpic` or `-fPIC`, this flag is automatically
|
||||||
|
dropped. (`-fPIE` can only be used for code which is linked into
|
||||||
|
the main program.) Code which goes into static libraries should be
|
||||||
|
compiled with `-fPIE`, except when this code is expected to be
|
||||||
|
linked into DSOs, when `-fPIC` must be used.
|
||||||
|
|
||||||
|
To be effective, `-fPIE` must be used with the `-pie` linker flag
|
||||||
|
when producing an executable, see below.
|
||||||
|
|
||||||
|
To support [binary watermarks for ELF
|
||||||
|
objects](https://fedoraproject.org/wiki/Toolchain/Watermark) using
|
||||||
|
annobin, the `-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1` flag is
|
||||||
|
added by default. This can be switched off by undefining the
|
||||||
|
`%_annotated_build` RPM macro (see above).
|
||||||
|
|
||||||
|
### Architecture-specific compiler flags
|
||||||
|
|
||||||
|
These compiler flags are enabled for all builds (hardened/annotated or
|
||||||
|
not), but their selection depends on the architecture:
|
||||||
|
|
||||||
|
* `-fcf-protection`: Instrument binaries to guard against
|
||||||
|
ROP/JOP attacks. Used on i686 and x86_64.
|
||||||
|
* `-m64` and `-m32`: Some GCC builds support both 32-bit and 64-bit in
|
||||||
|
the same compilation. For such architectures, the RPM build process
|
||||||
|
explicitly selects the architecture variant by passing this compiler
|
||||||
|
flag.
|
||||||
|
* `-fasynchronous-unwind-tables`: Generate full unwind information
|
||||||
|
covering all program points. This is required for support of
|
||||||
|
asynchronous cancellation and proper unwinding from signal
|
||||||
|
handlers. It also makes performance and debugging tools more
|
||||||
|
useful because unwind information is available without having to
|
||||||
|
install (and load) debugging ienformation.
|
||||||
|
Asynchronous unwind tables are enabled for aarch64, i686, s390x,
|
||||||
|
and x86_64. They are not needed on ppc64le due
|
||||||
|
to architectural differences in stack management. On these
|
||||||
|
architectures, `-fexceptions` (see above) still enables regular
|
||||||
|
unwind tables (or they are enabled by default even without this
|
||||||
|
option).
|
||||||
|
* `-funwind-tables`: A subset of the unwind information restricted
|
||||||
|
to actual call sites. Used on ppc64le. Also implied by
|
||||||
|
`-fexceptions`.
|
||||||
|
|
||||||
|
In addition, `redhat-rpm-config` re-selects the built-in default
|
||||||
|
tuning in the `gcc` package. These settings are:
|
||||||
|
|
||||||
|
* **i686**: `-march=x86-64` is used to select a minimum supported
|
||||||
|
CPU level matching the baseline for the x86_64 architecture.
|
||||||
|
`-mtune=generic` activates tuning for a current blend of CPUs.
|
||||||
|
`-mfpmath=sse` uses the SSE2 unit for floating point math,
|
||||||
|
instead of the legacy i387 FPU, avoiding issues related to excess
|
||||||
|
precision. `-mstackrealign` ensures that the generated code
|
||||||
|
does not assume 16-byte stack alignment (as required by the current
|
||||||
|
i386 ABI), but stays compatible with application code compiled
|
||||||
|
before the introduction of 16-byte stack alignment along with SSE2
|
||||||
|
support.
|
||||||
|
* **ppc64le**: `-mcpu=power8 -mtune=power8` selects a minimum supported
|
||||||
|
CPU level of POWER8 (the first CPU with ppc64le support) and tunes
|
||||||
|
for POWER8.
|
||||||
|
* **s390x**: `-march=z13 -mtune=z14` specifies a minimum supported CPU
|
||||||
|
level of z13, while optimizing for a subsequent CPU generation
|
||||||
|
(z14).
|
||||||
|
* **x86_64**: `-mtune=generic` selects tuning which is expected to
|
||||||
|
beneficial for a broad range of current CPUs.
|
||||||
|
* **aarch64** does not have any architecture-specific tuning.
|
||||||
|
|
||||||
|
# Individual linker flags
|
||||||
|
|
||||||
|
Linker flags end up in the environment variable `LDFLAGS`.
|
||||||
|
|
||||||
|
The linker flags listed below are injected. Note that they are
|
||||||
|
prefixed with `-Wl` because it is expected that these flags are passed
|
||||||
|
to the compiler driver `gcc`, and not directly to the link editor
|
||||||
|
`ld`.
|
||||||
|
|
||||||
|
* `-z relro`: Activate the *read-only after relocation* feature.
|
||||||
|
Constant data and relocations are placed on separate pages, and the
|
||||||
|
dynamic linker is instructed to revoke write permissions after
|
||||||
|
dynamic linking. Full protection of relocation data requires the
|
||||||
|
`-z now` flag (see below).
|
||||||
|
* `-z defs`: Refuse to link shared objects (DSOs) with undefined symbols
|
||||||
|
(optional, see above).
|
||||||
|
|
||||||
|
For hardened builds, the
|
||||||
|
`-specs=/usr/lib/rpm/redhat/redhat-hardened-ld` flag is added to the
|
||||||
|
compiler driver command line. (This can be disabled by undefining the
|
||||||
|
`%_hardened_build` macro; see above) This activates the following
|
||||||
|
linker flags:
|
||||||
|
|
||||||
|
* `-pie`: Produce a PIE binary. This is only activated for the main
|
||||||
|
executable, and only if it is dynamically linked. This requires
|
||||||
|
that all objects which are linked in the main executable have been
|
||||||
|
compiled with `-fPIE` or `-fPIC` (or `-fpie` or `-fpic`; see above).
|
||||||
|
By itself, `-pie` has only a slight performance impact because it
|
||||||
|
disables some link editor optimization, however the `-fPIE` compiler
|
||||||
|
flag has some overhead.
|
||||||
|
* `-z now`: Disable lazy binding and turn on the `BIND_NOW` dynamic
|
||||||
|
linker feature. Lazy binding involves an array of function pointers
|
||||||
|
which is writable at run time (which could be overwritten as part of
|
||||||
|
security exploits, redirecting execution). Therefore, it is
|
||||||
|
preferable to turn of lazy binding, although it increases startup
|
||||||
|
time.
|
||||||
|
|
||||||
|
# Support for extension builders
|
||||||
|
|
||||||
|
Some packages include extension builders that allow users to build
|
||||||
|
extension modules (which are usually written in C and C++) under the
|
||||||
|
control of a special-purpose build system. This is a common
|
||||||
|
functionality provided by scripting languages such as Python and Perl.
|
||||||
|
Traditionally, such extension builders captured the Fedora build flags
|
||||||
|
when these extension were built. However, these compiler flags are
|
||||||
|
adjusted for a specific Fedora release and toolchain version and
|
||||||
|
therefore do not work with a custom toolchain (e.g., different C/C++
|
||||||
|
compilers), and users might want to build their own extension modules
|
||||||
|
with such toolchains.
|
||||||
|
|
||||||
|
The macros `%{extension_cflags}`, `%{extension_cxxflags}`,
|
||||||
|
`%{extension_fflags}`, `%{extension_ldflags}` contain a subset of
|
||||||
|
flags that have been adjusted for compatibility with alternative
|
||||||
|
toolchains, while still preserving some of the compile-time security
|
||||||
|
hardening that the standard Fedora build flags provide.
|
||||||
|
|
||||||
|
The current set of differences are:
|
||||||
|
|
||||||
|
* No GCC plugins (such as annobin) are activated.
|
||||||
|
* No GCC spec files (`-specs=` arguments) are used.
|
||||||
|
|
||||||
|
Additional flags may be removed in the future if they prove to be
|
||||||
|
incompatible with alternative toolchains.
|
||||||
|
|
||||||
|
Extension builders should detect whether they are performing a regular
|
||||||
|
RPM build (e.g., by looking for an `RPM_OPT_FLAGS` variable). In this
|
||||||
|
case, they should use the *current* set of Fedora build flags (that
|
||||||
|
is, the output from `rpm --eval '%{build_cflags}'` and related
|
||||||
|
commands). Otherwise, when not performing an RPM build, they can
|
||||||
|
either use hard-coded extension builder flags (thus avoiding a
|
||||||
|
run-time dependency on `redhat-rpm-config`), or use the current
|
||||||
|
extension builder flags (with a run-time dependency on
|
||||||
|
`redhat-rpm-config`).
|
||||||
|
|
||||||
|
As a result, extension modules built for Fedora will use the official
|
||||||
|
Fedora build flags, while users will still be able to build their own
|
||||||
|
extension modules with custom toolchains.
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -0,0 +1,66 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
# dist.sh
|
||||||
|
# Author: Tom "spot" Callaway <tcallawa@redhat.com>
|
||||||
|
# License: GPL
|
||||||
|
# This is a script to output the value for the %{dist}
|
||||||
|
# tag. The dist tag takes the following format: .$type$num
|
||||||
|
# Where $type is one of: el, fc, rh
|
||||||
|
# (for RHEL, Fedora Core, and RHL, respectively)
|
||||||
|
# And $num is the version number of the distribution.
|
||||||
|
# NOTE: We can't detect Rawhide or Fedora Test builds properly.
|
||||||
|
# If we successfully detect the version number, we output the
|
||||||
|
# dist tag. Otherwise, we exit with no output.
|
||||||
|
|
||||||
|
RELEASEFILE=/etc/redhat-release
|
||||||
|
|
||||||
|
function check_num {
|
||||||
|
MAINVER=`cut -d "(" -f 1 < $RELEASEFILE | \
|
||||||
|
sed -e "s/[^0-9.]//g" -e "s/$//g" | cut -d "." -f 1`
|
||||||
|
|
||||||
|
echo $MAINVER | grep -q '[0-9]' && echo $MAINVER
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_rhl {
|
||||||
|
grep -q "Red Hat Linux" $RELEASEFILE && ! grep -q "Advanced" $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_rhel {
|
||||||
|
egrep -q "(Enterprise|Advanced)" $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
function check_fedora {
|
||||||
|
grep -q Fedora $RELEASEFILE && echo $DISTNUM
|
||||||
|
}
|
||||||
|
|
||||||
|
DISTNUM=`check_num`
|
||||||
|
DISTFC=`check_fedora`
|
||||||
|
DISTRHL=`check_rhl`
|
||||||
|
DISTRHEL=`check_rhel`
|
||||||
|
if [ -n "$DISTNUM" ]; then
|
||||||
|
if [ -n "$DISTFC" ]; then
|
||||||
|
DISTTYPE=fc
|
||||||
|
elif [ -n "$DISTRHEL" ]; then
|
||||||
|
DISTTYPE=el
|
||||||
|
elif [ -n "$DISTRHL" ]; then
|
||||||
|
DISTTYPE=rhl
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
[ -n "$DISTTYPE" -a -n "$DISTNUM" ] && DISTTAG=".${DISTTYPE}${DISTNUM}"
|
||||||
|
|
||||||
|
case "$1" in
|
||||||
|
--el) echo -n "$DISTRHEL" ;;
|
||||||
|
--fc) echo -n "$DISTFC" ;;
|
||||||
|
--rhl) echo -n "$DISTRHL" ;;
|
||||||
|
--distnum) echo -n "$DISTNUM" ;;
|
||||||
|
--disttype) echo -n "$DISTTYPE" ;;
|
||||||
|
--help)
|
||||||
|
printf "Usage: $0 [OPTIONS]\n"
|
||||||
|
printf " Default mode is --dist. Possible options:\n"
|
||||||
|
printf " --el\t\tfor RHEL version (if RHEL)\n"
|
||||||
|
printf " --fc\t\tfor Fedora version (if Fedora)\n"
|
||||||
|
printf " --rhl\t\tfor RHL version (if RHL)\n"
|
||||||
|
printf " --dist\t\tfor distribution tag\n"
|
||||||
|
printf " --distnum\tfor distribution number (major)\n"
|
||||||
|
printf " --disttype\tfor distribution type\n" ;;
|
||||||
|
*) echo -n "$DISTTAG" ;;
|
||||||
|
esac
|
@ -0,0 +1,50 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# This script reads filenames from STDIN and outputs any relevant provides
|
||||||
|
# information that needs to be included in the package.
|
||||||
|
|
||||||
|
if [ "$1" ]
|
||||||
|
then
|
||||||
|
package_name="$1"
|
||||||
|
fi
|
||||||
|
|
||||||
|
filelist=`sed "s/['\"]/\\\&/g"`
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/rpmdeps -a -n "$filelist" ] &&
|
||||||
|
echo $filelist | tr '[:blank:]' \\n | /usr/lib/rpm/rpmdeps --provides
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- any other extra find-provides scripts
|
||||||
|
for i in /usr/lib/rpm/redhat/find-provides.d/*.prov
|
||||||
|
do
|
||||||
|
[ -x $i ] &&
|
||||||
|
(echo $filelist | tr '[:blank:]' \\n | $i | sort -u)
|
||||||
|
done
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- Kernel module imported symbols
|
||||||
|
#
|
||||||
|
# Since we don't (yet) get passed the name of the package being built, we
|
||||||
|
# cheat a little here by looking first for a kernel, then for a kmod.
|
||||||
|
#
|
||||||
|
|
||||||
|
is_kmod=1
|
||||||
|
for f in $filelist; do
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*)\.ko(\.gz|\.bz2|\.xz)?$:\2:p') ]
|
||||||
|
then
|
||||||
|
is_kernel=1;
|
||||||
|
fi
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ]
|
||||||
|
then
|
||||||
|
unset is_kmod;
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ ! "$is_kernel" ] || [ "$package_name" == "kernel" ]
|
||||||
|
then
|
||||||
|
unset is_kmod
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/redhat/find-provides.ksyms ] && [ "$is_kmod" ] &&
|
||||||
|
printf "%s\n" "${filelist[@]}" | /usr/lib/rpm/redhat/find-provides.ksyms
|
||||||
|
|
||||||
|
exit 0
|
@ -0,0 +1,48 @@
|
|||||||
|
#! /bin/bash
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$'); do
|
||||||
|
tmpfile=""
|
||||||
|
if [ "x${module%.ko}" = "x${module}" ]; then
|
||||||
|
tmpfile=$(mktemp -t ${0##*/}.XXXXXX.ko)
|
||||||
|
proc_bin=
|
||||||
|
case "${module##*.}" in
|
||||||
|
xz)
|
||||||
|
proc_bin=xz
|
||||||
|
;;
|
||||||
|
bz2)
|
||||||
|
proc_bin=bzip2
|
||||||
|
;;
|
||||||
|
gz)
|
||||||
|
proc_bin=gzip
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
[ -n "$proc_bin" ] || continue
|
||||||
|
|
||||||
|
"$proc_bin" -d -c - < "$module" > "$tmpfile" || continue
|
||||||
|
module="$tmpfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -n $(nm $module | sed -r -ne 's:^0*([0-9a-f]+) A __crc_(.+):0x\1 \2:p') ]]; then
|
||||||
|
nm $module \
|
||||||
|
| sed -r -ne 's:^0*([0-9a-f]+) A __crc_(.+):0x\1 \2:p' \
|
||||||
|
| awk --non-decimal-data '{printf("ksym(%s) = 0x%08x\n", $2, $1)}' \
|
||||||
|
| LC_ALL=C sort -u
|
||||||
|
else
|
||||||
|
ELFRODATA=$(readelf -R .rodata $module | awk '/0x/{printf $2$3$4$5}')
|
||||||
|
if [[ -n $(readelf -h $module | grep "little endian") ]]; then
|
||||||
|
RODATA=$(echo $ELFRODATA | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/g')
|
||||||
|
else
|
||||||
|
RODATA=$ELFRODATA
|
||||||
|
fi
|
||||||
|
for sym in $(nm $module | sed -r -ne 's:^0*([0-9a-f]+) R __crc_(.+):0x\1 \2:p'); do
|
||||||
|
echo $sym $RODATA
|
||||||
|
done \
|
||||||
|
| awk --non-decimal-data '{printf("ksym(%s) = 0x%08s\n", $2, substr($3,($1*2)+1,8))}' \
|
||||||
|
| LC_ALL=C sort -u
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -z "$tmpfile" ] || rm -f -- "$tmpfile"
|
||||||
|
done
|
@ -0,0 +1,38 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
#
|
||||||
|
# Auto-generate requirements for executables (both ELF and a.out) and library
|
||||||
|
# sonames, script interpreters, and perl modules.
|
||||||
|
#
|
||||||
|
|
||||||
|
ulimit -c 0
|
||||||
|
|
||||||
|
filelist=`sed "s/[]['\"*?{}]/\\\\\&/g"`
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/rpmdeps -a -n "$filelist" ] && \
|
||||||
|
echo $filelist | tr '[:blank:]' \\n | /usr/lib/rpm/rpmdeps --requires
|
||||||
|
|
||||||
|
#
|
||||||
|
# --- Kernel module imported symbols
|
||||||
|
#
|
||||||
|
# Since we don't (yet) get passed the name of the package being built, we
|
||||||
|
# cheat a little here by looking first for a kernel, then for a kmod.
|
||||||
|
#
|
||||||
|
|
||||||
|
unset is_kmod
|
||||||
|
|
||||||
|
for f in $filelist; do
|
||||||
|
if [ $(echo "$f" | sed -r -ne 's:^.*/lib/modules/(.*)/(.*)\.ko(\.gz|\.bz2|\.xz)?$:\2:p') ]
|
||||||
|
then
|
||||||
|
is_kmod=1;
|
||||||
|
elif [ $(echo "$f" | sed -r -ne 's:^.*/boot/(.*):\1:p') ]
|
||||||
|
then
|
||||||
|
unset is_kmod;
|
||||||
|
break;
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
[ -x /usr/lib/rpm/redhat/find-requires.ksyms ] && [ "$is_kmod" ] &&
|
||||||
|
printf "%s\n" "${filelist[@]}" | /usr/lib/rpm/redhat/find-requires.ksyms
|
||||||
|
|
||||||
|
exit 0
|
@ -0,0 +1,155 @@
|
|||||||
|
#! /bin/bash
|
||||||
|
#
|
||||||
|
# This script is called during external module building to create dependencies
|
||||||
|
# both upon the RHEL kernel, and on additional external modules. Symbols that
|
||||||
|
# cannot be reconciled against those provided by the kernel are assumed to be
|
||||||
|
# provided by an external module and "ksym" replaces th regular "kernel" dep.
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
# Extract all of the symbols provided by this module.
|
||||||
|
all_provides() {
|
||||||
|
for module in "$@"; do
|
||||||
|
tmpfile=""
|
||||||
|
if [ "x${module%.ko}" = "x${module}" ]; then
|
||||||
|
tmpfile=$(mktemp -t ${0##*/}.XXXXXX.ko)
|
||||||
|
proc_bin=
|
||||||
|
case "${module##*.}" in
|
||||||
|
xz)
|
||||||
|
proc_bin=xz
|
||||||
|
;;
|
||||||
|
bz2)
|
||||||
|
proc_bin=bzip2
|
||||||
|
;;
|
||||||
|
gz)
|
||||||
|
proc_bin=gzip
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
[ -n "$proc_bin" ] || continue
|
||||||
|
|
||||||
|
"$proc_bin" -d -c - < "$module" > "$tmpfile" || continue
|
||||||
|
module="$tmpfile"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [[ -n $(nm "$module" | sed -r -ne 's:^0*([0-9a-f]+) A __crc_(.+):0x\1 \2:p') ]]; then
|
||||||
|
nm "$module" \
|
||||||
|
| sed -r -ne 's:^0*([0-9a-f]+) A __crc_(.+):0x\1 \2:p' \
|
||||||
|
| awk --non-decimal-data '{printf("%s:0x%08x\n", $2, $1)}'
|
||||||
|
else
|
||||||
|
ELFRODATA=$(readelf -R .rodata "$module" | awk '/0x/{printf $2$3$4$5}')
|
||||||
|
if [[ -n $(readelf -h "$module" | grep "little endian") ]]; then
|
||||||
|
RODATA=$(echo $ELFRODATA | sed 's/\(..\)\(..\)\(..\)\(..\)/\4\3\2\1/g')
|
||||||
|
else
|
||||||
|
RODATA=$ELFRODATA
|
||||||
|
fi
|
||||||
|
for sym in $(nm "$module" | sed -r -ne 's:^0*([0-9a-f]+) R __crc_(.+):0x\1 \2:p'); do
|
||||||
|
echo $sym $RODATA
|
||||||
|
done \
|
||||||
|
| awk --non-decimal-data '{printf("%s:0x%08s\n", $2, substr($3,($1*2)+1,8))}'
|
||||||
|
fi
|
||||||
|
|
||||||
|
[ -z "$tmpfile" ] || rm -f -- "$tmpfile"
|
||||||
|
done \
|
||||||
|
| LC_ALL=C sort -k1,1 -u
|
||||||
|
}
|
||||||
|
|
||||||
|
# Extract all of the requirements of this module.
|
||||||
|
all_requires() {
|
||||||
|
for module in "$@"; do
|
||||||
|
set -- $(/sbin/modinfo -F vermagic "$module" | sed -e 's: .*::' -e q)
|
||||||
|
/sbin/modprobe --dump-modversions "$module" \
|
||||||
|
| awk --non-decimal-data '
|
||||||
|
BEGIN { FS = "\t" ; OFS = "\t" }
|
||||||
|
{printf("%s:0x%08x\n", $2, $1)}' \
|
||||||
|
| sed -r -e 's:$:\t'"$1"':'
|
||||||
|
done \
|
||||||
|
| LC_ALL=C sort -k1,1 -u
|
||||||
|
}
|
||||||
|
|
||||||
|
# Filter out requirements fulfilled by the module itself.
|
||||||
|
mod_requires() {
|
||||||
|
LC_ALL=C join -t $'\t' -j 1 -v 1 \
|
||||||
|
<(all_requires "$@") \
|
||||||
|
<(all_provides "$@") \
|
||||||
|
| LC_ALL=C sort -k1,1 -u
|
||||||
|
}
|
||||||
|
|
||||||
|
if ! [ -e /sbin/modinfo -a -e /sbin/modprobe ]; then
|
||||||
|
cat > /dev/null
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
check_kabi() {
|
||||||
|
arch=$(uname -m)
|
||||||
|
kabi_file="/lib/modules/kabi-current/kabi_whitelist_$arch"
|
||||||
|
|
||||||
|
# If not installed, output a warning and return (continue)
|
||||||
|
if [ ! -f "$kabi_file" ]; then
|
||||||
|
echo "" >&2
|
||||||
|
echo "********************************************************************************" >&2
|
||||||
|
echo "*********************** KERNEL ABI COMPATIBILITY WARNING ***********************" >&2
|
||||||
|
echo "********************************************************************************" >&2
|
||||||
|
echo "The kernel ABI reference files (provided by "kabi-whitelists") were not found." >&2
|
||||||
|
echo "No compatibility check was performed. Please install the kABI reference files" >&2
|
||||||
|
echo "and rebuild if you would like to verify compatibility with kernel ABI." >&2
|
||||||
|
echo "" >&2
|
||||||
|
return
|
||||||
|
fi
|
||||||
|
|
||||||
|
unset non_kabi
|
||||||
|
for symbol in "$@"; do
|
||||||
|
if ! egrep "^[[:space:]]$symbol\$" $kabi_file >/dev/null; then
|
||||||
|
non_kabi=("${non_kabi[@]}" "$symbol")
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ ${#non_kabi[@]} -gt 0 ]; then
|
||||||
|
echo "" >&2
|
||||||
|
echo "********************************************************************************" >&2
|
||||||
|
echo "*********************** KERNEL ABI COMPATIBILITY WARNING ***********************" >&2
|
||||||
|
echo "********************************************************************************" >&2
|
||||||
|
echo "The following kernel symbols are not guaranteed to remain compatible with" >&2
|
||||||
|
echo "future kernel updates to this RHEL release:" >&2
|
||||||
|
echo "" >&2
|
||||||
|
for symbol in "${non_kabi[@]}"; do
|
||||||
|
printf "\t$symbol\n" >&2
|
||||||
|
done
|
||||||
|
echo "" >&2
|
||||||
|
echo "Red Hat recommends that you consider using only official kernel ABI symbols" >&2
|
||||||
|
echo "where possible. Requests for additions to the kernel ABI can be filed with" >&2
|
||||||
|
echo "your partner or customer representative (component: driver-update-program)." >&2
|
||||||
|
echo "" >&2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
modules=($(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$'))
|
||||||
|
if [ ${#modules[@]} -gt 0 ]; then
|
||||||
|
kernel=$(/sbin/modinfo -F vermagic "${modules[0]}" | sed -e 's: .*::' -e q)
|
||||||
|
|
||||||
|
# get all that kernel provides
|
||||||
|
symvers=$(mktemp -t ${0##*/}.XXXXX)
|
||||||
|
|
||||||
|
cat /usr/src/kernels/$kernel/Module.symvers | awk '
|
||||||
|
BEGIN { FS = "\t" ; OFS = "\t" }
|
||||||
|
{ print $2 ":" $1 }
|
||||||
|
' \
|
||||||
|
| sed -r -e 's:$:\t'"$kernel"':' \
|
||||||
|
| LC_ALL=C sort -k1,1 -u > $symvers
|
||||||
|
|
||||||
|
# Symbols matching with the kernel get a "kernel" dependency
|
||||||
|
mod_req=$(mktemp -t mod_req.XXXXX)
|
||||||
|
mod_requires "${modules[@]}" > "$mod_req"
|
||||||
|
LC_ALL=C join -t $'\t' -j 1 $symvers "$mod_req" | LC_ALL=C sort -u \
|
||||||
|
| awk 'BEGIN { FS = "[\t:]" ; OFS = "\t" } { print "kernel(" $1 ") = " $2 }'
|
||||||
|
|
||||||
|
# Symbols from elsewhere get a "ksym" dependency
|
||||||
|
LC_ALL=C join -t $'\t' -j 1 -v 2 $symvers "$mod_req" | LC_ALL=C sort -u \
|
||||||
|
| awk 'BEGIN { FS = "[\t:]" ; OFS = "\t" } { print "ksym(" $1 ") = " $2 }'
|
||||||
|
|
||||||
|
# Check kABI if the kabi-whitelists package is installed
|
||||||
|
# Do this last so we can try to output this error at the end
|
||||||
|
kabi_check_symbols=($(LC_ALL=C join -t $'\t' -j 1 $symvers "$mod_req" | LC_ALL=C sort -u \
|
||||||
|
| awk 'BEGIN { FS = "[\t:]" ; OFS = "\t" } { print $1 }'))
|
||||||
|
check_kabi "${kabi_check_symbols[@]}"
|
||||||
|
fi
|
@ -0,0 +1,14 @@
|
|||||||
|
#!/bin/sh
|
||||||
|
#
|
||||||
|
# firmware.prov - Automatically extract any and all firmware dependencies from
|
||||||
|
# kernel object (.ko) files and add to RPM deps.
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$') $*;
|
||||||
|
do
|
||||||
|
for firmware in `/sbin/modinfo -F firmware $module`;
|
||||||
|
do
|
||||||
|
echo "firmware($firmware)"
|
||||||
|
done
|
||||||
|
done
|
@ -0,0 +1,111 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# Copyright 2018 B. Persson, Bjorn@Rombobeorn.se
|
||||||
|
#
|
||||||
|
# This material is provided as is, with absolutely no warranty expressed
|
||||||
|
# or implied. Any use is at your own risk.
|
||||||
|
#
|
||||||
|
# Permission is hereby granted to use or copy this shellscript
|
||||||
|
# for any purpose, provided the above notices are retained on all copies.
|
||||||
|
# Permission to modify the code and to distribute modified code is granted,
|
||||||
|
# provided the above notices are retained, and a notice that the code was
|
||||||
|
# modified is included with the above copyright notice.
|
||||||
|
|
||||||
|
|
||||||
|
function print_help {
|
||||||
|
cat <<'EOF'
|
||||||
|
Usage: gpgverify --keyring=<pathname> --signature=<pathname> --data=<pathname>
|
||||||
|
|
||||||
|
gpgverify is a wrapper around gpgv designed for easy and safe scripting. It
|
||||||
|
verifies a file against a detached OpenPGP signature and a keyring. The keyring
|
||||||
|
shall contain all the keys that are trusted to certify the authenticity of the
|
||||||
|
file, and must not contain any untrusted keys.
|
||||||
|
|
||||||
|
The differences, compared to invoking gpgv directly, are that gpgverify accepts
|
||||||
|
the keyring in either ASCII-armored or unarmored form, and that it will not
|
||||||
|
accidentally use a default keyring in addition to the specified one.
|
||||||
|
|
||||||
|
Parameters:
|
||||||
|
--keyring=<pathname> keyring with all the trusted keys and no others
|
||||||
|
--signature=<pathname> detached signature to verify
|
||||||
|
--data=<pathname> file to verify against the signature
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
fatal_error() {
|
||||||
|
message="$1" # an error message
|
||||||
|
status=$2 # a number to use as the exit code
|
||||||
|
echo "gpgverify: $message" >&2
|
||||||
|
exit $status
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
require_parameter() {
|
||||||
|
term="$1" # a term for a required parameter
|
||||||
|
value="$2" # Complain and terminate if this value is empty.
|
||||||
|
if test -z "${value}" ; then
|
||||||
|
fatal_error "No ${term} was provided." 2
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
check_status() {
|
||||||
|
action="$1" # a string that describes the action that was attempted
|
||||||
|
status=$2 # the exit code of the command
|
||||||
|
if test $status -ne 0 ; then
|
||||||
|
fatal_error "$action failed." $status
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
# Parse the command line.
|
||||||
|
keyring=
|
||||||
|
signature=
|
||||||
|
data=
|
||||||
|
for parameter in "$@" ; do
|
||||||
|
case "${parameter}" in
|
||||||
|
(--help)
|
||||||
|
print_help
|
||||||
|
exit
|
||||||
|
;;
|
||||||
|
(--keyring=*)
|
||||||
|
keyring="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(--signature=*)
|
||||||
|
signature="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(--data=*)
|
||||||
|
data="${parameter#*=}"
|
||||||
|
;;
|
||||||
|
(*)
|
||||||
|
fatal_error "Unknown parameter: \"${parameter}\"" 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
require_parameter 'keyring' "${keyring}"
|
||||||
|
require_parameter 'signature' "${signature}"
|
||||||
|
require_parameter 'data file' "${data}"
|
||||||
|
|
||||||
|
# Make a temporary working directory.
|
||||||
|
workdir="$(mktemp --directory)"
|
||||||
|
check_status 'Making a temporary directory' $?
|
||||||
|
workring="${workdir}/keyring.gpg"
|
||||||
|
|
||||||
|
# Decode any ASCII armor on the keyring. This is harmless if the keyring isn't
|
||||||
|
# ASCII-armored.
|
||||||
|
gpg2 --homedir="${workdir}" --yes --output="${workring}" --dearmor "${keyring}"
|
||||||
|
check_status 'Decoding the keyring' $?
|
||||||
|
|
||||||
|
# Verify the signature using the decoded keyring.
|
||||||
|
gpgv2 --homedir="${workdir}" --keyring="${workring}" "${signature}" "${data}"
|
||||||
|
check_status 'Signature verification' $?
|
||||||
|
|
||||||
|
# (--homedir isn't actually necessary. --dearmor processes only the input file,
|
||||||
|
# and if --keyring is used and contains a slash, then gpgv2 uses only that
|
||||||
|
# keyring. Thus neither command will look for a default keyring, but --homedir
|
||||||
|
# makes extra double sure that no default keyring will be touched in case
|
||||||
|
# another version of GPG works differently.)
|
||||||
|
|
||||||
|
# Clean up. (This is not done in case of an error that may need inspection.)
|
||||||
|
rm --recursive --force ${workdir}
|
@ -0,0 +1,2 @@
|
|||||||
|
%__kabi_provides %{_rpmconfigdir}/kabi.sh
|
||||||
|
%__kabi_path ^(/boot/symvers-.*|/lib/modules/[1-9].*/symvers)\.gz$
|
@ -0,0 +1,13 @@
|
|||||||
|
#!/bin/bash +x
|
||||||
|
#
|
||||||
|
# kabi.sh - Automatically extract any kernel symbol checksum from the
|
||||||
|
# symvers file and add to RPM deps. This is used to move the
|
||||||
|
# checksum checking from modprobe to rpm install for 3rd party
|
||||||
|
# modules (so they can fail during install and not at load).
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
for symvers in $(grep -E '(/boot/symvers-.*|/lib/modules/[1-9].*/symvers)\.gz') "$@";
|
||||||
|
do
|
||||||
|
zcat $symvers | awk ' {print "kernel(" $2 ") = " $1 }'
|
||||||
|
done
|
@ -0,0 +1,2 @@
|
|||||||
|
%__kmod_provides %{_rpmconfigdir}/kmod.prov
|
||||||
|
%__kmod_path ^/lib/modules/.*$
|
@ -0,0 +1,28 @@
|
|||||||
|
#!/bin/sh +x
|
||||||
|
# Kernel build can have many thousands of modules.
|
||||||
|
# kmod.prov is run for every one of them.
|
||||||
|
# Try to make this script run as fast as we can.
|
||||||
|
# For example, use shell string ops instead of external programs
|
||||||
|
# where possible.
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
read -r fname || exit
|
||||||
|
|
||||||
|
# Only process files from .../lib/modules/... subtree
|
||||||
|
[ "${fname#*/lib/modules/*}" != "$fname" ] || exit 0
|
||||||
|
|
||||||
|
kmod=${fname##*/} # like basename, but faster
|
||||||
|
|
||||||
|
if [ "$kmod" = "modules.builtin" ]; then
|
||||||
|
for j in $(cat -- "$fname"); do
|
||||||
|
echo "kmod(${j##*/})"
|
||||||
|
done
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
kmod=${kmod%.gz}
|
||||||
|
kmod=${kmod%.xz}
|
||||||
|
if [ "${kmod%.ko}" != "$kmod" ]; then
|
||||||
|
echo "kmod($kmod)"
|
||||||
|
fi
|
@ -0,0 +1,349 @@
|
|||||||
|
#!/bin/bash
|
||||||
|
|
||||||
|
# kmodtool - Helper script for building kernel module RPMs
|
||||||
|
# An original version appeared in Fedora. This version is
|
||||||
|
# generally called only by the %kernel_module_package RPM macro
|
||||||
|
# during the process of building Driver Update Packages (which
|
||||||
|
# are also known as "kmods" in the Fedora community).
|
||||||
|
#
|
||||||
|
# Copyright (c) 2003-2010 Ville Skyttä <ville.skytta@iki.fi>,
|
||||||
|
# Thorsten Leemhuis <fedora@leemhuis.info>
|
||||||
|
# Jon Masters <jcm@redhat.com>
|
||||||
|
#
|
||||||
|
# Permission is hereby granted, free of charge, to any person obtaining
|
||||||
|
# a copy of this software and associated documentation files (the
|
||||||
|
# "Software"), to deal in the Software without restriction, including
|
||||||
|
# without limitation the rights to use, copy, modify, merge, publish,
|
||||||
|
# distribute, sublicense, and/or sell copies of the Software, and to
|
||||||
|
# permit persons to whom the Software is furnished to do so, subject to
|
||||||
|
# the following conditions:
|
||||||
|
#
|
||||||
|
# The above copyright notice and this permission notice shall be
|
||||||
|
# included in all copies or substantial portions of the Software.
|
||||||
|
#
|
||||||
|
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
||||||
|
# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
||||||
|
# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
||||||
|
# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
|
||||||
|
# LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
|
||||||
|
# OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
|
||||||
|
# WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
|
||||||
|
|
||||||
|
# Changelog:
|
||||||
|
#
|
||||||
|
# 2010/07/28 - Add fixes for filelists in line with LF standard
|
||||||
|
# - Remove now defunct "framepointer" kernel variant
|
||||||
|
# - Change version to "rhel6-rh2" as a consequence.
|
||||||
|
#
|
||||||
|
# 2010/01/10 - Simplified for RHEL6. We are working on upstream
|
||||||
|
# moving to a newer format and in any case do not
|
||||||
|
# need to retain support for really old systems.
|
||||||
|
|
||||||
|
shopt -s extglob
|
||||||
|
|
||||||
|
myprog="kmodtool"
|
||||||
|
myver="0.10.10_rhel8"
|
||||||
|
knownvariants=@(debug|kdump|zfcpdump)
|
||||||
|
kmod_name=
|
||||||
|
kver=
|
||||||
|
verrel=
|
||||||
|
variant=
|
||||||
|
|
||||||
|
get_verrel ()
|
||||||
|
{
|
||||||
|
verrel=${1:-$(uname -r)}
|
||||||
|
verrel=${verrel/%[.+]$knownvariants/}
|
||||||
|
}
|
||||||
|
|
||||||
|
print_verrel ()
|
||||||
|
{
|
||||||
|
get_verrel "$@"
|
||||||
|
echo "${verrel}"
|
||||||
|
}
|
||||||
|
|
||||||
|
get_variant ()
|
||||||
|
{
|
||||||
|
get_verrel "$@"
|
||||||
|
variant=${1:-$(uname -r)}
|
||||||
|
variant=${variant/#$verrel?(.+)/}
|
||||||
|
variant=${variant:-'""'}
|
||||||
|
}
|
||||||
|
|
||||||
|
print_variant ()
|
||||||
|
{
|
||||||
|
get_variant $@
|
||||||
|
echo "${variant}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Detect flavor separator character. We have to do that due to
|
||||||
|
# a systemd-tailored patch for kernel spec[1][2] introduced in Fedora and then
|
||||||
|
# imported in RHEL 8 that broke all OOT kmod infrastructure for the flavored
|
||||||
|
# kernels.
|
||||||
|
#
|
||||||
|
# [1] https://lists.fedoraproject.org/pipermail/kernel/2013-June/004262.html
|
||||||
|
# [2] https://src.fedoraproject.org/rpms/kernel/c/faf25207dc86666a611c45ae3ffaf385c170bd2a
|
||||||
|
#
|
||||||
|
# $1 - kver
|
||||||
|
# $2 - variant
|
||||||
|
get_variant_char ()
|
||||||
|
{
|
||||||
|
variant="$2"
|
||||||
|
[ "$variant" != "default" ] || variant=""
|
||||||
|
|
||||||
|
get_verrel "$1"
|
||||||
|
|
||||||
|
variant_char=""
|
||||||
|
[ -n "$variant" ] || return 0
|
||||||
|
|
||||||
|
# We expect that the flavored kernel is already installed in the buildroot
|
||||||
|
variant_char="+"
|
||||||
|
[ -e "/usr/src/kernels/${verrel}+${variant}" ] && return 0
|
||||||
|
|
||||||
|
variant_char="."
|
||||||
|
}
|
||||||
|
|
||||||
|
print_variant_char ()
|
||||||
|
{
|
||||||
|
get_variant_char "$@"
|
||||||
|
echo "${variant_char}"
|
||||||
|
}
|
||||||
|
|
||||||
|
print_kernel_source ()
|
||||||
|
{
|
||||||
|
get_variant_char "$@"
|
||||||
|
echo "/usr/src/kernels/${verrel}${variant_char}${variant}"
|
||||||
|
}
|
||||||
|
|
||||||
|
get_filelist() {
|
||||||
|
local IFS=$'\n'
|
||||||
|
filelist=($(cat))
|
||||||
|
|
||||||
|
if [ ${#filelist[@]} -gt 0 ];
|
||||||
|
then
|
||||||
|
for ((n = 0; n < ${#filelist[@]}; n++));
|
||||||
|
do
|
||||||
|
line="${filelist[n]}"
|
||||||
|
line=$(echo "$line" \
|
||||||
|
| sed -e "s/%verrel/$verrel/g" \
|
||||||
|
| sed -e "s/%variant/$variant/g" \
|
||||||
|
| sed -e "s/%dashvariant/$dashvariant/g" \
|
||||||
|
| sed -e "s/%dotvariant/$dotvariant/g" \
|
||||||
|
| sed -e "s/\+%1/$dotvariant/g" \
|
||||||
|
| sed -e "s/\.%1/$dotvariant/g" \
|
||||||
|
| sed -e "s/\-%1/$dotvariant/g" \
|
||||||
|
| sed -e "s/%2/$verrel/g")
|
||||||
|
echo "$line"
|
||||||
|
done
|
||||||
|
else
|
||||||
|
echo "%defattr(644,root,root,755)"
|
||||||
|
echo "/lib/modules/${verrel}${dotvariant}"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
get_rpmtemplate ()
|
||||||
|
{
|
||||||
|
local variant="${1}"
|
||||||
|
|
||||||
|
get_variant_char "${verrel}" "${variant}"
|
||||||
|
|
||||||
|
local dashvariant="${variant:+-${variant}}"
|
||||||
|
local dotvariant="${variant:+${variant_char}${variant}}"
|
||||||
|
|
||||||
|
echo "%package -n kmod-${kmod_name}${dashvariant}"
|
||||||
|
|
||||||
|
if [ -z "$kmod_provides_summary" ]; then
|
||||||
|
echo "Summary: ${kmod_name} kernel module(s)"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -z "$kmod_provides_group" ]; then
|
||||||
|
echo "Group: System Environment/Kernel"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -z "$kmod_version" ]; then
|
||||||
|
echo "Version: %{kmod_version}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ ! -z "$kmod_release" ]; then
|
||||||
|
echo "Release: %{kmod_release}"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Turn of the internal dep generator so we will use the kmod scripts.
|
||||||
|
echo "%global _use_internal_dependency_generator 0"
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
Provides: kernel-modules >= ${verrel}${dotvariant}
|
||||||
|
Provides: kernel${dashvariant}-modules >= ${verrel}
|
||||||
|
Provides: ${kmod_name}-kmod = %{?epoch:%{epoch}:}%{version}-%{release}
|
||||||
|
Requires(post): /usr/sbin/depmod
|
||||||
|
Requires(postun): /usr/sbin/depmod
|
||||||
|
Requires(post): /usr/sbin/weak-modules
|
||||||
|
Requires(postun): /usr/sbin/weak-modules
|
||||||
|
EOF
|
||||||
|
|
||||||
|
if [ "yes" != "$nobuildreqs" ]
|
||||||
|
then
|
||||||
|
cat <<EOF
|
||||||
|
BuildRequires: kernel${dashvariant}-devel
|
||||||
|
BuildRequires: kernel-abi-whitelists
|
||||||
|
BuildRequires: redhat-rpm-config kernel-rpm-macros
|
||||||
|
BuildRequires: elfutils-libelf-devel kmod
|
||||||
|
EOF
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ "" != "$override_preamble" ]
|
||||||
|
then
|
||||||
|
cat "$override_preamble"
|
||||||
|
fi
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
%description -n kmod-${kmod_name}${dashvariant}
|
||||||
|
This package provides the ${kmod_name} kernel modules built for
|
||||||
|
the Linux kernel ${verrel}${dotvariant} for the %{_target_cpu}
|
||||||
|
family of processors.
|
||||||
|
EOF
|
||||||
|
|
||||||
|
##############################################################################
|
||||||
|
## The following are not part of this script directly, they are scripts ##
|
||||||
|
## that will be executed by RPM during various stages of package processing ##
|
||||||
|
##############################################################################
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
%post -n kmod-${kmod_name}${dashvariant}
|
||||||
|
if [ -e "/boot/System.map-${verrel}${dotvariant}" ]; then
|
||||||
|
/usr/sbin/depmod -aeF "/boot/System.map-${verrel}${dotvariant}" "${verrel}${dotvariant}" > /dev/null || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
modules=( \$(find /lib/modules/${verrel}${dotvariant}/extra/${kmod_name} | grep '\.ko$') )
|
||||||
|
if [ -x "/usr/sbin/weak-modules" ]; then
|
||||||
|
printf '%s\n' "\${modules[@]}" \
|
||||||
|
| /usr/sbin/weak-modules --add-modules
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
%preun -n kmod-${kmod_name}${dashvariant}
|
||||||
|
rpm -ql kmod-${kmod_name}${dashvariant}-%{kmod_version}-%{kmod_release}.$(arch) | grep '\.ko$' > /var/run/rpm-kmod-${kmod_name}${dashvariant}-modules
|
||||||
|
EOF
|
||||||
|
|
||||||
|
cat <<EOF
|
||||||
|
%postun -n kmod-${kmod_name}${dashvariant}
|
||||||
|
if [ -e "/boot/System.map-${verrel}${dotvariant}" ]; then
|
||||||
|
/usr/sbin/depmod -aeF "/boot/System.map-${verrel}${dotvariant}" "${verrel}${dotvariant}" > /dev/null || :
|
||||||
|
fi
|
||||||
|
|
||||||
|
modules=( \$(cat /var/run/rpm-kmod-${kmod_name}${dashvariant}-modules) )
|
||||||
|
rm /var/run/rpm-kmod-${kmod_name}${dashvariant}-modules
|
||||||
|
if [ -x "/usr/sbin/weak-modules" ]; then
|
||||||
|
printf '%s\n' "\${modules[@]}" \
|
||||||
|
| /usr/sbin/weak-modules --remove-modules
|
||||||
|
fi
|
||||||
|
EOF
|
||||||
|
|
||||||
|
echo "%files -n kmod-${kmod_name}${dashvariant}"
|
||||||
|
|
||||||
|
if [ "" == "$override_filelist" ];
|
||||||
|
then
|
||||||
|
echo "%defattr(644,root,root,755)"
|
||||||
|
echo "/lib/modules/${verrel}${dotvariant}"
|
||||||
|
else
|
||||||
|
cat "$override_filelist" | get_filelist
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
print_rpmtemplate ()
|
||||||
|
{
|
||||||
|
kmod_name="${1}"
|
||||||
|
shift
|
||||||
|
kver="${1}"
|
||||||
|
get_verrel "${1}"
|
||||||
|
shift
|
||||||
|
if [ -z "${kmod_name}" ] ; then
|
||||||
|
echo "Please provide the kmodule-name as first parameter." >&2
|
||||||
|
exit 2
|
||||||
|
elif [ -z "${kver}" ] ; then
|
||||||
|
echo "Please provide the kver as second parameter." >&2
|
||||||
|
exit 2
|
||||||
|
elif [ -z "${verrel}" ] ; then
|
||||||
|
echo "Couldn't find out the verrel." >&2
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
|
||||||
|
for variant in "$@" ; do
|
||||||
|
if [ "default" == "$variant" ];
|
||||||
|
then
|
||||||
|
get_rpmtemplate ""
|
||||||
|
else
|
||||||
|
get_rpmtemplate "${variant}"
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
}
|
||||||
|
|
||||||
|
usage ()
|
||||||
|
{
|
||||||
|
cat <<EOF
|
||||||
|
You called: ${invocation}
|
||||||
|
|
||||||
|
Usage: ${myprog} <command> <option>+
|
||||||
|
Commands:
|
||||||
|
verrel <uname>
|
||||||
|
- Get "base" version-release.
|
||||||
|
variant <uname>
|
||||||
|
- Get variant from uname.
|
||||||
|
variant_char <uname> <variant>
|
||||||
|
- Get kernel variant separator character.
|
||||||
|
kernel_source <uname> <variant>
|
||||||
|
- Get path to kernel source directory.
|
||||||
|
rpmtemplate <mainpgkname> <uname> <variants>
|
||||||
|
- Return a template for use in a source RPM
|
||||||
|
version
|
||||||
|
- Output version number and exit.
|
||||||
|
EOF
|
||||||
|
}
|
||||||
|
|
||||||
|
invocation="$(basename ${0}) $@"
|
||||||
|
while [ "${1}" ] ; do
|
||||||
|
case "${1}" in
|
||||||
|
verrel)
|
||||||
|
shift
|
||||||
|
print_verrel "$@"
|
||||||
|
exit $?
|
||||||
|
;;
|
||||||
|
variant)
|
||||||
|
shift
|
||||||
|
print_variant "$@"
|
||||||
|
exit $?
|
||||||
|
;;
|
||||||
|
variant_char)
|
||||||
|
shift
|
||||||
|
print_variant_char "$@"
|
||||||
|
exit $?
|
||||||
|
;;
|
||||||
|
kernel_source)
|
||||||
|
shift
|
||||||
|
print_kernel_source "$@"
|
||||||
|
exit $?
|
||||||
|
;;
|
||||||
|
rpmtemplate)
|
||||||
|
shift
|
||||||
|
print_rpmtemplate "$@"
|
||||||
|
exit $?
|
||||||
|
;;
|
||||||
|
version)
|
||||||
|
echo "${myprog} ${myver}"
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
*)
|
||||||
|
echo "Error: Unknown option '${1}'." >&2
|
||||||
|
usage >&2
|
||||||
|
exit 2
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
# Local variables:
|
||||||
|
# mode: sh
|
||||||
|
# sh-indentation: 2
|
||||||
|
# indent-tabs-mode: nil
|
||||||
|
# End:
|
||||||
|
# ex: ts=2 sw=2 et
|
@ -0,0 +1,5 @@
|
|||||||
|
# Make libfoo.so symlinks require the soname-provide of the target library
|
||||||
|
%__libsymlink_requires %{_rpmconfigdir}/elfdeps --provides --soname-only
|
||||||
|
%__libsymlink_magic ^symbolic link to .*lib.*\.so\..*$
|
||||||
|
%__libsymlink_path ^.*\.so$
|
||||||
|
%__libsymlink_flags magic_and_path
|
@ -0,0 +1,268 @@
|
|||||||
|
# Per-platform rpm configuration file.
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- per-platform macros.
|
||||||
|
#
|
||||||
|
%_vendor redhat
|
||||||
|
%_os linux
|
||||||
|
%_target_platform %{_target_cpu}-%{_vendor}-%{_target_os}%{?_gnu}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- configure macros. note that most of these are inherited
|
||||||
|
# from the defaults.
|
||||||
|
#
|
||||||
|
%_localstatedir /var
|
||||||
|
|
||||||
|
%_pkgdocdir %{_docdir}/%{name}
|
||||||
|
%_docdir_fmt %%{NAME}
|
||||||
|
|
||||||
|
%_fmoddir %{_libdir}/gfortran/modules
|
||||||
|
|
||||||
|
%_enable_debug_packages 1
|
||||||
|
%_include_minidebuginfo 1
|
||||||
|
%_include_gdb_index 1
|
||||||
|
%_debugsource_packages 1
|
||||||
|
%_debuginfo_subpackages 1
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- compiler flags.
|
||||||
|
|
||||||
|
# C compiler flags. This is traditionally called CFLAGS in makefiles.
|
||||||
|
# Historically also available as %%{optflags}, and %%build sets the
|
||||||
|
# environment variable RPM_OPT_FLAGS to this value.
|
||||||
|
%build_cflags %{optflags}
|
||||||
|
|
||||||
|
# C++ compiler flags. This is traditionally called CXXFLAGS in makefiles.
|
||||||
|
%build_cxxflags %{optflags}
|
||||||
|
|
||||||
|
# Fortran compiler flags. Makefiles use both FFLAGS and FCFLAGS as
|
||||||
|
# the corresponding variable names.
|
||||||
|
%build_fflags %{optflags} -I%{_fmoddir}
|
||||||
|
|
||||||
|
# Link editor flags. This is usually called LDFLAGS in makefiles.
|
||||||
|
# (Some makefiles use LFLAGS instead.) The default value assumes that
|
||||||
|
# the flags, while intended for ld, are still passed through the gcc
|
||||||
|
# compiler driver. At the beginning of %%build, the environment
|
||||||
|
# variable RPM_LD_FLAGS to this value.
|
||||||
|
%build_ldflags -Wl,-z,relro %{_ld_symbols_flags} %{_hardened_ldflags}
|
||||||
|
|
||||||
|
# Expands to shell code to seot the compiler/linker environment
|
||||||
|
# variables CFLAGS, CXXFLAGS, FFLAGS, FCFLAGS, LDFLAGS if they have
|
||||||
|
# not been set already. RPM_OPT_FLAGS and RPM_LD_FLAGS have already
|
||||||
|
# been set implicitly at the start of the %%build section.
|
||||||
|
%set_build_flags \
|
||||||
|
CFLAGS="${CFLAGS:-%{build_cflags}}" ; export CFLAGS ; \
|
||||||
|
CXXFLAGS="${CXXFLAGS:-%{build_cxxflags}}" ; export CXXFLAGS ; \
|
||||||
|
FFLAGS="${FFLAGS:-%{build_fflags}}" ; export FFLAGS ; \
|
||||||
|
FCFLAGS="${FCFLAGS:-%{build_fflags}}" ; export FCFLAGS ; \
|
||||||
|
LDFLAGS="${LDFLAGS:-%{build_ldflags}}" ; export LDFLAGS
|
||||||
|
|
||||||
|
# Internal-only. Do not use. Expand a variable and strip the flags
|
||||||
|
# not suitable to extension builders.
|
||||||
|
%__extension_strip_flags() %{lua:
|
||||||
|
local name = rpm.expand("%{1}")
|
||||||
|
local value = " " .. rpm.expand("%{build_" .. name .. "}")
|
||||||
|
local result = string.gsub(value, "%s+-specs=[^%s]+", " ")
|
||||||
|
print(result)
|
||||||
|
}
|
||||||
|
|
||||||
|
# Variants of CFLAGS, CXXFLAGS, FFLAGS, LDFLAGS for use within
|
||||||
|
# extension builders.
|
||||||
|
%extension_cflags %{__extension_strip_flags cflags}
|
||||||
|
%extension_cxxflags %{__extension_strip_flags cxxflags}
|
||||||
|
%extension_fflags %{__extension_strip_flags fflags}
|
||||||
|
%extension_ldflags %{__extension_strip_flags ldflags}
|
||||||
|
|
||||||
|
# Deprecated names. For backwards compatibility only.
|
||||||
|
%__global_cflags %{build_cflags}
|
||||||
|
%__global_cxxflags %{build_cxxflags}
|
||||||
|
%__global_fflags %{build_fflags}
|
||||||
|
%__global_fcflags %{build_fflags}
|
||||||
|
%__global_ldflags %{build_ldflags}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- configure and makeinstall.
|
||||||
|
#
|
||||||
|
%_configure_gnuconfig_hack 1
|
||||||
|
%_configure_libtool_hardening_hack 1
|
||||||
|
# If defined, _configure_disable_silent_rules will cause --disable-silent-rules
|
||||||
|
# to be added to the list of options passed to the configure script.
|
||||||
|
# Eventually we'll want to turn this on by default, but this gives packagers a
|
||||||
|
# way to turn it back off.
|
||||||
|
# %_configure_disable_silent_rules 1
|
||||||
|
%configure \
|
||||||
|
%{set_build_flags}; \
|
||||||
|
[ "%_configure_gnuconfig_hack" = 1 ] && for i in $(find $(dirname %{_configure}) -name config.guess -o -name config.sub) ; do \
|
||||||
|
[ -f /usr/lib/rpm/redhat/$(basename $i) ] && %{__rm} -f $i && %{__cp} -fv /usr/lib/rpm/redhat/$(basename $i) $i ; \
|
||||||
|
done ; \
|
||||||
|
[ "%_configure_libtool_hardening_hack" = 1 ] && [ x != "x%{_hardened_ldflags}" ] && \
|
||||||
|
for i in $(find . -name ltmain.sh) ; do \
|
||||||
|
%{__sed} -i.backup -e 's~compiler_flags=$~compiler_flags="%{_hardened_ldflags}"~' $i \
|
||||||
|
done ; \
|
||||||
|
%{_configure} --build=%{_build} --host=%{_host} \\\
|
||||||
|
--program-prefix=%{?_program_prefix} \\\
|
||||||
|
--disable-dependency-tracking \\\
|
||||||
|
%{?_configure_disable_silent_rules:--disable-silent-rules} \\\
|
||||||
|
--prefix=%{_prefix} \\\
|
||||||
|
--exec-prefix=%{_exec_prefix} \\\
|
||||||
|
--bindir=%{_bindir} \\\
|
||||||
|
--sbindir=%{_sbindir} \\\
|
||||||
|
--sysconfdir=%{_sysconfdir} \\\
|
||||||
|
--datadir=%{_datadir} \\\
|
||||||
|
--includedir=%{_includedir} \\\
|
||||||
|
--libdir=%{_libdir} \\\
|
||||||
|
--libexecdir=%{_libexecdir} \\\
|
||||||
|
--localstatedir=%{_localstatedir} \\\
|
||||||
|
--sharedstatedir=%{_sharedstatedir} \\\
|
||||||
|
--mandir=%{_mandir} \\\
|
||||||
|
--infodir=%{_infodir}
|
||||||
|
|
||||||
|
# Maximum number of CPU's to use when building, 0 for unlimited.
|
||||||
|
#
|
||||||
|
# This was for some time capped at 16. Please see
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=669638 and
|
||||||
|
# https://bugzilla.redhat.com/show_bug.cgi?id=1384938 for the situation
|
||||||
|
# surrounding this.
|
||||||
|
#%_smp_ncpus_max 0
|
||||||
|
%_smp_mflags %([ -z "$RPM_BUILD_NCPUS" ] \\\
|
||||||
|
&& RPM_BUILD_NCPUS="`/usr/bin/getconf _NPROCESSORS_ONLN`"; \\\
|
||||||
|
ncpus_max=%{?_smp_ncpus_max}; \\\
|
||||||
|
if [ -n "$ncpus_max" ] && [ "$ncpus_max" -gt 0 ] && [ "$RPM_BUILD_NCPUS" -gt "$ncpus_max" ]; then RPM_BUILD_NCPUS="$ncpus_max"; fi; \\\
|
||||||
|
if [ "$RPM_BUILD_NCPUS" -gt 1 ]; then echo "-j$RPM_BUILD_NCPUS"; fi)
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- Build policy macros.
|
||||||
|
#
|
||||||
|
#
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Expanded at beginning of %install scriptlet.
|
||||||
|
#
|
||||||
|
|
||||||
|
%__spec_install_pre %{___build_pre}\
|
||||||
|
[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf "${RPM_BUILD_ROOT}"\
|
||||||
|
mkdir -p `dirname "$RPM_BUILD_ROOT"`\
|
||||||
|
mkdir "$RPM_BUILD_ROOT"\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
#---------------------------------------------------------------------
|
||||||
|
# Expanded at end of %install scriptlet.
|
||||||
|
#
|
||||||
|
|
||||||
|
%__arch_install_post /usr/lib/rpm/check-buildroot
|
||||||
|
|
||||||
|
# Build root policy macros. Standard naming:
|
||||||
|
# convert all '-' in basename to '_', add two leading underscores.
|
||||||
|
%__brp_ldconfig /usr/lib/rpm/redhat/brp-ldconfig
|
||||||
|
%__brp_compress /usr/lib/rpm/brp-compress
|
||||||
|
%__brp_strip /usr/lib/rpm/brp-strip %{__strip}
|
||||||
|
%__brp_strip_comment_note /usr/lib/rpm/brp-strip-comment-note %{__strip} %{__objdump}
|
||||||
|
%__brp_strip_static_archive /usr/lib/rpm/brp-strip-static-archive %{__strip}
|
||||||
|
%__brp_python_bytecompile /usr/lib/rpm/brp-python-bytecompile "" %{?_python_bytecompile_errors_terminate_build}
|
||||||
|
%__brp_python_hardlink /usr/lib/rpm/brp-python-hardlink
|
||||||
|
# __brp_mangle_shebangs_exclude - shebangs to exclude
|
||||||
|
# __brp_mangle_shebangs_exclude_file - file from which to get shebangs to exclude
|
||||||
|
# __brp_mangle_shebangs_exclude_from - files to ignore
|
||||||
|
# __brp_mangle_shebangs_exclude_from_file - file from which to get files to ignore
|
||||||
|
%__brp_mangle_shebangs PYTHON3="%{__python3}" /usr/lib/rpm/redhat/brp-mangle-shebangs %{?__brp_mangle_shebangs_exclude:--shebangs "%{?__brp_mangle_shebangs_exclude}"} %{?__brp_mangle_shebangs_exclude_file:--shebangs-from "%{__brp_mangle_shebangs_exclude_file}"} %{?__brp_mangle_shebangs_exclude_from:--files "%{?__brp_mangle_shebangs_exclude_from}"} %{?__brp_mangle_shebangs_exclude_from_file:--files-from "%{__brp_mangle_shebangs_exclude_from_file}"}
|
||||||
|
|
||||||
|
%__os_install_post \
|
||||||
|
%{?__brp_ldconfig} \
|
||||||
|
%{?__brp_compress} \
|
||||||
|
%{!?__debug_package:\
|
||||||
|
%{?__brp_strip} \
|
||||||
|
%{?__brp_strip_comment_note} \
|
||||||
|
} \
|
||||||
|
%{?__brp_strip_static_archive} \
|
||||||
|
%{?py_auto_byte_compile:%{?__brp_python_bytecompile}} \
|
||||||
|
%{?__brp_python_hardlink} \
|
||||||
|
%{?__brp_mangle_shebangs} \
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
%__spec_install_post\
|
||||||
|
%{?__debug_package:%{__debug_install_post}}\
|
||||||
|
%{__arch_install_post}\
|
||||||
|
%{__os_install_post}\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
%install %{?_enable_debug_packages:%{?buildsubdir:%{debug_package}}}\
|
||||||
|
%%install\
|
||||||
|
%{nil}
|
||||||
|
|
||||||
|
#
|
||||||
|
# Should missing buildids terminate a build?
|
||||||
|
%_missing_build_ids_terminate_build 1
|
||||||
|
|
||||||
|
#
|
||||||
|
## Automatically compile python files
|
||||||
|
%py_auto_byte_compile 1
|
||||||
|
|
||||||
|
#
|
||||||
|
## Should python bytecompilation errors terminate a build?
|
||||||
|
%_python_bytecompile_errors_terminate_build 1
|
||||||
|
|
||||||
|
# Use SHA-256 for FILEDIGESTS instead of default MD5
|
||||||
|
%_source_filedigest_algorithm 8
|
||||||
|
%_binary_filedigest_algorithm 8
|
||||||
|
|
||||||
|
# Use XZ compression for binary payloads
|
||||||
|
%_binary_payload w2.xzdio
|
||||||
|
|
||||||
|
%_hardening_cflags -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
|
||||||
|
# we don't escape symbols '~', '"', etc. so be careful when changing this
|
||||||
|
%_hardening_ldflags -Wl,-z,now -specs=/usr/lib/rpm/redhat/redhat-hardened-ld
|
||||||
|
|
||||||
|
# Harden packages by default for Fedora 23:
|
||||||
|
# https://fedorahosted.org/fesco/ticket/1384 (accepted on 2014-02-11)
|
||||||
|
# Use "%undefine _hardened_build" to disable.
|
||||||
|
%_hardened_build 1
|
||||||
|
%_hardened_cflags %{?_hardened_build:%{_hardening_cflags}}
|
||||||
|
%_hardened_ldflags %{?_hardened_build:%{_hardening_ldflags}}
|
||||||
|
|
||||||
|
%_annobin_cflags -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1
|
||||||
|
|
||||||
|
# Add extra information to binary objects created by gcc for Fedora 28:
|
||||||
|
# https://pagure.io/fesco/issue/1780 (accepted on 2017-10-30)
|
||||||
|
# Use "%undefine _annotated_build" to disable.
|
||||||
|
%_annotated_build 1
|
||||||
|
%_annotated_cflags %{?_annotated_build:%{_annobin_cflags}}
|
||||||
|
|
||||||
|
# Fail linking if there are undefined symbols. Required for proper
|
||||||
|
# ELF symbol versioning support. Disabled by default.
|
||||||
|
# Use "%define _strict_symbol_defs_build 1" to enable.
|
||||||
|
#%_strict_symbol_defs_build 1
|
||||||
|
%_ld_symbols_flags %{?_strict_symbol_defs_build:-Wl,-z,defs}
|
||||||
|
|
||||||
|
%__global_compiler_flags -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}
|
||||||
|
|
||||||
|
#==============================================================================
|
||||||
|
# ---- Generic auto req/prov filtering macros
|
||||||
|
#
|
||||||
|
# http://fedoraproject.org/wiki/PackagingDrafts/AutoProvidesAndRequiresFiltering
|
||||||
|
|
||||||
|
# prevent anything matching from being scanned for provides
|
||||||
|
%filter_provides_in(P) %{expand: \
|
||||||
|
%global __filter_prov_cmd %{?__filter_prov_cmd} %{__grep} -v %{-P} '%*' | \
|
||||||
|
}
|
||||||
|
|
||||||
|
# prevent anything matching from being scanned for requires
|
||||||
|
%filter_requires_in(P) %{expand: \
|
||||||
|
%global __filter_req_cmd %{?__filter_req_cmd} %{__grep} -v %{-P} '%*' | \
|
||||||
|
}
|
||||||
|
|
||||||
|
# filter anything matching out of the provides stream
|
||||||
|
%filter_from_provides() %{expand: \
|
||||||
|
%global __filter_from_prov %{?__filter_from_prov} | %{__sed} -e '%*' \
|
||||||
|
}
|
||||||
|
|
||||||
|
# filter anything matching out of the requires stream
|
||||||
|
%filter_from_requires() %{expand: \
|
||||||
|
%global __filter_from_req %{?__filter_from_req} | %{__sed} -e '%*' \
|
||||||
|
}
|
||||||
|
|
||||||
|
# actually set up the filtering bits
|
||||||
|
%filter_setup %{expand: \
|
||||||
|
%global _use_internal_dependency_generator 0 \
|
||||||
|
%global __deploop() while read FILE; do echo "${FILE}" | /usr/lib/rpm/rpmdeps -%{1}; done | /bin/sort -u \
|
||||||
|
%global __find_provides /bin/sh -c "%{?__filter_prov_cmd} %{__deploop P} %{?__filter_from_prov}" \
|
||||||
|
%global __find_requires /bin/sh -c "%{?__filter_req_cmd} %{__deploop R} %{?__filter_from_req}" \
|
||||||
|
}
|
@ -0,0 +1,39 @@
|
|||||||
|
# Macros for reducing debug info size using dwz(1) utility.
|
||||||
|
|
||||||
|
# The two default values below should result in dwz taking at most
|
||||||
|
# 3GB of RAM or so on 64-bit hosts and 2.5GB on 32-bit hosts
|
||||||
|
# on the largest *.debug files (in mid 2012 those are
|
||||||
|
# libreoffice-debuginfo, debuginfos containing
|
||||||
|
# libxul.so.debug and libwebkitgtk-*.so.*.debug).
|
||||||
|
# This needs to be tuned based on the amount of available RAM
|
||||||
|
# on build boxes for each architecture as well as virtual address
|
||||||
|
# space limitations if dwz is 32-bit program. While it needs less
|
||||||
|
# memory than 64-bit program because pointers are smaller, it can
|
||||||
|
# never have more than 4GB-epsilon of RAM and on some architecture
|
||||||
|
# even less than that (e.g. 2GB).
|
||||||
|
|
||||||
|
# Number of debugging information entries (DIEs) above which
|
||||||
|
# dwz will stop considering file for multifile optimizations
|
||||||
|
# and enter a low memory mode, in which it will optimize
|
||||||
|
# in about half the memory needed otherwise.
|
||||||
|
%_dwz_low_mem_die_limit 10000000
|
||||||
|
# Number of DIEs above which dwz will stop processing
|
||||||
|
# a file altogether.
|
||||||
|
%_dwz_max_die_limit 50000000
|
||||||
|
|
||||||
|
# On x86_64 increase the higher limit to make libwebkit* optimizable.
|
||||||
|
# libwebkit* in mid 2012 contains roughly 87mil DIEs, and 64-bit
|
||||||
|
# dwz is able to optimize it from ~1.1GB to ~410MB using 5.2GB of RAM.
|
||||||
|
%_dwz_max_die_limit_x86_64 110000000
|
||||||
|
|
||||||
|
# On ARM, build boxes often have only 512MB of RAM and are very slow.
|
||||||
|
# Lower both the limits.
|
||||||
|
%_dwz_low_mem_die_limit_armv5tel 4000000
|
||||||
|
%_dwz_low_mem_die_limit_armv7hl 4000000
|
||||||
|
%_dwz_max_die_limit_armv5tel 10000000
|
||||||
|
%_dwz_max_die_limit_armv7hl 10000000
|
||||||
|
|
||||||
|
%_dwz_limit() %{expand:%%{?%{1}_%{_arch}}%%{!?%{1}_%{_arch}:%%%{1}}}
|
||||||
|
%_find_debuginfo_dwz_opts --run-dwz\\\
|
||||||
|
--dwz-low-mem-die-limit %{_dwz_limit _dwz_low_mem_die_limit}\\\
|
||||||
|
--dwz-max-die-limit %{_dwz_limit _dwz_max_die_limit}
|
@ -0,0 +1,8 @@
|
|||||||
|
# Some miscellaneous Fedora-related macros
|
||||||
|
|
||||||
|
# A directory for rpm macros
|
||||||
|
%rpmmacrodir /usr/lib/rpm/macros.d
|
||||||
|
|
||||||
|
# A directory for appdata metainfo. This has changed between releases so a
|
||||||
|
# macro is useful.
|
||||||
|
%_metainfodir %{_datadir}/metainfo
|
@ -0,0 +1,3 @@
|
|||||||
|
# kernel_arches lists what arches the full kernel is built for.
|
||||||
|
|
||||||
|
%kernel_arches x86_64 s390x ppc64le aarch64 %{arm}
|
@ -0,0 +1,97 @@
|
|||||||
|
# Use these macros to differentiate between RH and other KMP implementation(s).
|
||||||
|
%global redhat_kernel_module_package 1
|
||||||
|
%global kernel_module_package_release 1
|
||||||
|
|
||||||
|
%global redhat_kmp_has_post_hooks 1
|
||||||
|
|
||||||
|
%__brp_kmod_set_exec_bit /usr/lib/rpm/redhat/brp-kmod-set-exec-bit
|
||||||
|
%__brp_kmod_restore_perms /usr/lib/rpm/redhat/brp-kmod-restore-perms
|
||||||
|
|
||||||
|
%__kmod_brps_added 0
|
||||||
|
|
||||||
|
%__find_provides /usr/lib/rpm/redhat/find-provides
|
||||||
|
%__find_requires /usr/lib/rpm/redhat/find-requires
|
||||||
|
|
||||||
|
#kernel_module_package [ -n name ] [ -v version ] [ -r release ] [ -s script ]
|
||||||
|
# [ -f filelist] [ -x ] [ -p preamble ] flavor flavor ...
|
||||||
|
|
||||||
|
%kernel_module_package_buildreqs %global kmodtool_generate_buildreqs 1 \
|
||||||
|
kernel-devel kernel-abi-whitelists redhat-rpm-config kernel-rpm-macros elfutils-libelf-devel kmod
|
||||||
|
|
||||||
|
%kernel_module_package(n:v:r:s:f:xp:) %{expand:%( \
|
||||||
|
## An ugly hack: we want kmods to be processed by find-debuginfo,
|
||||||
|
## but it processes only files with executable permission set.
|
||||||
|
## It is important now since, as of now, if debuginfo package
|
||||||
|
## is enabled (and it is enabled), there's an RPM build error
|
||||||
|
## as a result of lack of ether absence or emptiness of
|
||||||
|
## debugsourcefiles.list (which is likely a bug in RPM, but it looks
|
||||||
|
## like that there's no obvious fix and apparently no one have
|
||||||
|
## any issues with this).
|
||||||
|
## In order to minimise intrusiveness, usually (in Red Hat-built kmod
|
||||||
|
## RPMs) *.ko files just have executable permission being set as a part
|
||||||
|
## of %build section. There are two caveats with kmp, however:
|
||||||
|
## * We have no control over %build section itself (and it wasn't
|
||||||
|
## required previously)
|
||||||
|
## * Changing the criteria used in find-debuginfo.sh/brp-strip
|
||||||
|
## for selecting files that have to undergo debug section separation
|
||||||
|
## may introduce regression.
|
||||||
|
## As a result, we insert additional hooks in __spec_install_post
|
||||||
|
## (__brp_kmod_set_exec_bit in the beginning and
|
||||||
|
## __brp_kmod_restore_perms in the end) that (temporarily) set
|
||||||
|
## executable permission for *.ko files so find-debuginfo.sh will pick
|
||||||
|
## them up.
|
||||||
|
## Unfortunately, __spec_install_post's body is copied here since
|
||||||
|
## we want that __debug_package macro expansion has been performed
|
||||||
|
## lazily and it looks like RPM has no ability to provide a body
|
||||||
|
## of a macro verbatim.
|
||||||
|
if [ 0 = "%{__kmod_brps_added}" ]; then \
|
||||||
|
echo "%%global __spec_install_post \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_set_exec_bit} \\\\" \
|
||||||
|
echo " %%%%{?__debug_package:%%%%{__debug_install_post}} \\\\" \
|
||||||
|
echo " %%{__arch_install_post} \\\\" \
|
||||||
|
echo " %%{__os_install_post} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_pre_sign_process} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_sign} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_post_sign_process} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_compress} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_post_compress_process} \\\\" \
|
||||||
|
echo " %%{?__brp_kmod_restore_perms} \\\\" \
|
||||||
|
echo "%%{nil}" \
|
||||||
|
fi \
|
||||||
|
%global __kmod_brps_added 1 \
|
||||||
|
%global kmodtool %{-s*}%{!-s:/usr/lib/rpm/redhat/kmodtool} \
|
||||||
|
%global kmod_version %{-v*}%{!-v:%{version}} \
|
||||||
|
%global kmod_release %{-r*}%{!-r:%{release}} \
|
||||||
|
%global latest_kernel %({ rpm -q --qf '%%{VERSION}-%%{RELEASE}.%%{ARCH}\\\\n' `rpm -qa | egrep "^kernel(-rt|-aarch64)?-devel" | /usr/lib/rpm/redhat/rpmsort -r | head -n 1`; echo '%%%%{nil}'; } | head -n 1) \
|
||||||
|
%{!?kernel_version:%{expand:%%global kernel_version %{latest_kernel}}} \
|
||||||
|
%global kverrel %(%{kmodtool} verrel %{?kernel_version} 2>/dev/null) \
|
||||||
|
flavors="default" \
|
||||||
|
if [ -z "%*" ]; then \
|
||||||
|
flavors_to_build=$flavors \
|
||||||
|
elif [ -z "%{-x}" ]; then \
|
||||||
|
flavors_to_build="%*" \
|
||||||
|
else \
|
||||||
|
flavors_to_build=" $flavors "\
|
||||||
|
for i in %* \
|
||||||
|
do \
|
||||||
|
flavors_to_build=${flavors_to_build//$i /}
|
||||||
|
done \
|
||||||
|
fi \
|
||||||
|
echo "%%global flavors_to_build ${flavors_to_build:-%%nil}" \
|
||||||
|
echo "%%global kernel_source() \\\$([ default = \"%%%%{1}\" ] && echo \"/usr/src/kernels//%%%%kverrel\" || %{kmodtool} kernel_source \"%%%%{kverrel}\" \"%%%%{1}\" 2>/dev/null || { ls -Ud \"/usr/src/kernels///%%%%{kverrel}\"[.+]\"%%%%{1}\" | sort -V | tail -n 1; } || echo \"/usr/src/kernels////%%%%kverrel.%%%%1\")" \
|
||||||
|
echo "%%global kernel_module_package_moddir() extra" \
|
||||||
|
if [ ! -z "%{-f*}" ] \
|
||||||
|
then \
|
||||||
|
filelist="%{-f*}" \
|
||||||
|
fi \
|
||||||
|
if [ ! -z "%{-p*}" ] \
|
||||||
|
then \
|
||||||
|
preamble="%{-p*}" \
|
||||||
|
fi \
|
||||||
|
nobuildreqs="yes" \
|
||||||
|
if [ "x%{kmodtool_generate_buildreqs}" != "x1" ] \
|
||||||
|
then \
|
||||||
|
nobuildreqs="no" \
|
||||||
|
fi \
|
||||||
|
override_filelist="$filelist" override_preamble="$preamble" nobuildreqs="$nobuildreqs" kmod_version=%kmod_version kmod_release=%kmod_release %{kmodtool} rpmtemplate %{-n*}%{!-n:%name} %{kverrel} $flavors_to_build 2>/dev/null \
|
||||||
|
)}
|
@ -0,0 +1,2 @@
|
|||||||
|
# arches that ldc builds on
|
||||||
|
%ldc_arches %{ix86} x86_64 %{arm} %{power64}
|
@ -0,0 +1,9 @@
|
|||||||
|
#%ldconfig /sbin/ldconfig
|
||||||
|
%ldconfig_post(n:) %{?ldconfig:%post -p %ldconfig %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%end}
|
||||||
|
%ldconfig_postun(n:) %{?ldconfig:%postun -p %ldconfig %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%end}
|
||||||
|
%ldconfig_scriptlets(n:) %{?ldconfig:\
|
||||||
|
%ldconfig_post %{?*} %{-n:-n %{-n*}}\
|
||||||
|
%ldconfig_postun %{?*} %{-n:-n %{-n*}}\
|
||||||
|
}
|
@ -0,0 +1,5 @@
|
|||||||
|
# arches that mono builds on
|
||||||
|
%mono_arches %{ix86} x86_64 sparc sparcv9 ia64 %{arm} aarch64 alpha s390x ppc ppc64 ppc64le
|
||||||
|
|
||||||
|
%_monodir %{_prefix}/lib/mono
|
||||||
|
%_monogacdir %{_monodir}/gac
|
@ -0,0 +1,7 @@
|
|||||||
|
# nodejs_arches lists what arches Node.js and dependent packages run on.
|
||||||
|
#
|
||||||
|
# Enabling Node.js on other arches requires porting the V8 JavaScript JIT to
|
||||||
|
# those arches. Support for POWER and aarch64 arrived in nodejs v4. Support
|
||||||
|
# for s390x arrived in nodejs v6
|
||||||
|
|
||||||
|
%nodejs_arches %{ix86} x86_64 %{arm} aarch64 %{power64} s390x
|
@ -0,0 +1,3 @@
|
|||||||
|
# valgrind_arches lists what arches Valgrind works on
|
||||||
|
|
||||||
|
%valgrind_arches %{ix86} x86_64 ppc ppc64 ppc64le armv7hl aarch64 s390x
|
@ -0,0 +1,7 @@
|
|||||||
|
# ---- VPATH default settings
|
||||||
|
|
||||||
|
# directory where CMakeLists.txt/meson.build/etc. are placed
|
||||||
|
%_vpath_srcdir .
|
||||||
|
|
||||||
|
# directory (doesn't need to exist) where all generated build files will be placed
|
||||||
|
%_vpath_builddir %_target_platform
|
@ -0,0 +1,78 @@
|
|||||||
|
#! /bin/bash -efu
|
||||||
|
|
||||||
|
# heavily based upon find-suggests.ksyms by Andreas Gruenbacher <agruen@suse.de>.
|
||||||
|
# with modifications by Michael Brown <Michael_E_Brown@dell.com>
|
||||||
|
#
|
||||||
|
# -- added module versioning info to modalias() symbols
|
||||||
|
# -- removed code which inspects spec files.
|
||||||
|
|
||||||
|
IFS=$'\n'
|
||||||
|
|
||||||
|
#
|
||||||
|
# Initially, dont generate modalias() lines for kernel package. This needs
|
||||||
|
# additional discussion. Would like to eventually add them for
|
||||||
|
# completeness, so that we can determine when drivers are folded into
|
||||||
|
# mainline kernel.
|
||||||
|
#
|
||||||
|
is_kernel_package=""
|
||||||
|
case "${1:-}" in
|
||||||
|
kernel-module-*) ;; # Fedora kernel module package names start with
|
||||||
|
# kernel-module.
|
||||||
|
kernel*) is_kernel_package=1 ;;
|
||||||
|
esac
|
||||||
|
|
||||||
|
if ! [ -z "$is_kernel_package" ]; then
|
||||||
|
cat > /dev/null
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Check for presence of the commands used
|
||||||
|
which /sbin/modinfo >/dev/null || exit 0
|
||||||
|
which sed >/dev/null || exit 0
|
||||||
|
which sort >/dev/null || exit 0
|
||||||
|
|
||||||
|
print_modaliases() {
|
||||||
|
declare class=$1 variants=$2 pos=$3
|
||||||
|
if [ -n "$variants" ]; then
|
||||||
|
echo "${class:0:pos}[$variants]${class:pos+1}"
|
||||||
|
else
|
||||||
|
[ -z "$class" ] || echo "$class"
|
||||||
|
fi
|
||||||
|
}
|
||||||
|
|
||||||
|
combine_modaliases() {
|
||||||
|
declare tag class variants="" pos="" n
|
||||||
|
read class
|
||||||
|
while read tag; do
|
||||||
|
for ((n=0; n<${#class}; n++)); do
|
||||||
|
if [ "*" != "${class:n:1}" -a \
|
||||||
|
"${class:0:n}" = "${tag:0:n}" -a \
|
||||||
|
"${class:n+1}" = "${tag:n+1}" ] &&
|
||||||
|
( [ -z "$pos" ] || [ $n = $pos ] ); then
|
||||||
|
variants="${variants:-${class:n:1}}${tag:n:1}"
|
||||||
|
pos=$n
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
if [ $n -eq ${#class} ]; then
|
||||||
|
print_modaliases "$class" "$variants" "$pos"
|
||||||
|
variants=
|
||||||
|
pos=
|
||||||
|
class=$tag
|
||||||
|
fi
|
||||||
|
done
|
||||||
|
print_modaliases "$class" "$variants" "$pos"
|
||||||
|
}
|
||||||
|
|
||||||
|
for module in $(grep -E '/lib/modules/.+\.ko(\.gz|\.bz2|\.xz)?$') "$@"; do
|
||||||
|
# | head -n1 because some modules have *two* version tags. *cough*b44*cough*
|
||||||
|
modver=$(/sbin/modinfo -F version "$module"| head -n1)
|
||||||
|
modver=${modver//[^0-9a-zA-Z._]/_}
|
||||||
|
# only add version tag if it has a version
|
||||||
|
[ -z "$modver" ] || modver=" = $modver"
|
||||||
|
|
||||||
|
/sbin/modinfo -F alias "$module" \
|
||||||
|
| sed -nre "s,[^][0-9a-zA-Z._:*?/-],_,g; s,(.+),modalias(\\1)$modver,p"
|
||||||
|
done \
|
||||||
|
| sort -u \
|
||||||
|
| combine_modaliases
|
@ -0,0 +1,2 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}
|
@ -0,0 +1,199 @@
|
|||||||
|
#!/usr/bin/sh
|
||||||
|
# This is a script to select which GCC spec file fragment
|
||||||
|
# should be the destination of the redhat-annobin-cc1 symlink.
|
||||||
|
|
||||||
|
# Author: Nick Clifton <nickc@redhat.com>
|
||||||
|
# Copyright (c) 2021 Red Hat.
|
||||||
|
#
|
||||||
|
# This is free software; you can redistribute it and/or modify it
|
||||||
|
# under the terms of the GNU General Public License as published
|
||||||
|
# by the Free Software Foundation; either version 2, or (at your
|
||||||
|
# option) any later version.
|
||||||
|
|
||||||
|
# It is distributed in the hope that it will be useful, but
|
||||||
|
# WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# Usage:
|
||||||
|
# redhat-annobin-plugin-select [script-dir]
|
||||||
|
#
|
||||||
|
# If script-dir is not provided then /usr/lib/rpm/redhat is used
|
||||||
|
# as the location where all of the annobin plugin selection files
|
||||||
|
# can be found.
|
||||||
|
|
||||||
|
if test "x$1" = "x" ;
|
||||||
|
then
|
||||||
|
rrcdir=/usr/lib/rpm/redhat
|
||||||
|
else
|
||||||
|
rrcdir=$1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Set this variable to non-zero to enable the generation of debugging
|
||||||
|
# messages.
|
||||||
|
debug=0
|
||||||
|
|
||||||
|
# Decide which version of the annobin plugin for gcc should be used.
|
||||||
|
# There are two possible versions, one created by the annobin package and one
|
||||||
|
# created by the gcc package. The logic selects the gcc version unless both
|
||||||
|
# have been built by the same version of the compiler. In that case the
|
||||||
|
# annobin version is selected instead.
|
||||||
|
#
|
||||||
|
# The point of all this is that the annobin plugin is very sensitive to
|
||||||
|
# mismatches with the version of gcc that built it. If the plugin is built
|
||||||
|
# by version A of gcc, but then run on version B of gcc, it is possible for
|
||||||
|
# the plugin to misbehave, which then causes problems if gating tests examine
|
||||||
|
# the plugin's output. (This has happened more than once in RHEL...).
|
||||||
|
#
|
||||||
|
# So the plugin is built both by gcc and by the annobin package. This means
|
||||||
|
# that whenever gcc is updated a fresh plugin is built, and the logic below
|
||||||
|
# will select that version. But in order to allow annobin development to
|
||||||
|
# proceed independtently of gcc, the annobin package can also update its
|
||||||
|
# version of the plugin, and the logic will select this new version.
|
||||||
|
|
||||||
|
# This is where the annobin package stores the information on the version
|
||||||
|
# of gcc that built the annobin plugin.
|
||||||
|
aver=`gcc --print-file-name=plugin`/annobin-plugin-version-info
|
||||||
|
|
||||||
|
# This is where the gcc package stores its version information.
|
||||||
|
gver=`gcc --print-file-name=rpmver`
|
||||||
|
|
||||||
|
aplugin=`gcc --print-file-name=plugin`/annobin.so.0.0.0
|
||||||
|
gplugin=`gcc --print-file-name=plugin`/gcc-annobin.so.0.0.0
|
||||||
|
|
||||||
|
# This is the file that needs to be updated when either of those version
|
||||||
|
# files changes.
|
||||||
|
rac1=redhat-annobin-cc1
|
||||||
|
|
||||||
|
# This is the GCC spec file fragment that selects the gcc-built version of
|
||||||
|
# the annobin plugin
|
||||||
|
select_gcc=redhat-annobin-select-gcc-built-plugin
|
||||||
|
|
||||||
|
# This is the GCC spec file fragment that selects the annobin-built version
|
||||||
|
# of the annobin plugin
|
||||||
|
select_annobin=redhat-annobin-select-annobin-built-plugin
|
||||||
|
|
||||||
|
install_annobin_version=0
|
||||||
|
install_gcc_version=0
|
||||||
|
|
||||||
|
if [ -f $aplugin ]
|
||||||
|
then
|
||||||
|
if [ -f $gplugin ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugins exist, checking version information"
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ -f $gver ]
|
||||||
|
then
|
||||||
|
if [ -f $aver ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugin version files exist - comparing..."
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Get the first line from the version info files. This is just in
|
||||||
|
# vase there are extra lines in the files.
|
||||||
|
avers=`head --lines=1 $aver`
|
||||||
|
gvers=`head --lines=1 $gver`
|
||||||
|
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Annobin plugin built by gcc $avers"
|
||||||
|
echo " redhat-rpm-config: GCC plugin built by gcc $gvers"
|
||||||
|
fi
|
||||||
|
|
||||||
|
# If both plugins were built by the same version of gcc then select
|
||||||
|
# the one from the annobin package (in case it is built from newer
|
||||||
|
# sources). If the plugin builder versions differ, select the gcc
|
||||||
|
# built version instead. This assumes that the gcc built version
|
||||||
|
# always matches the installed gcc, which should be true.
|
||||||
|
if [ $avers = $gvers ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Both plugins built by the same compiler - using annobin-built plugin"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Versions differ - using gcc-built plugin"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Annobin version file does not exist, using gcc-built plugin"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ -f $aver ]
|
||||||
|
then
|
||||||
|
# FIXME: This is suspicious. If the installed GCC does not supports plugins
|
||||||
|
# then enabling the annobin plugin will not work.
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: GCC plugin version file does not exist, using annobin-built plugin"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Neither version file exists - playing safe and using gcc-built plugin"
|
||||||
|
echo " redhat-rpm-config: Note: expected to find $aver and/or $gver"
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Only the annobin plugin exists - using that"
|
||||||
|
fi
|
||||||
|
install_annobin_version=1
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ -f $gplugin ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Only the gcc plugin exists - using that"
|
||||||
|
fi
|
||||||
|
else
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Neither plugin exists - playing safe and using gcc-built plugin"
|
||||||
|
echo " redhat-rpm-config: Note: expected to find $aplugin and/or $gplugin"
|
||||||
|
fi
|
||||||
|
fi
|
||||||
|
install_gcc_version=1
|
||||||
|
fi
|
||||||
|
|
||||||
|
if [ $install_annobin_version -eq 1 ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Installing annobin version of $rac1"
|
||||||
|
fi
|
||||||
|
pushd $rrcdir > /dev/null
|
||||||
|
rm -f $rac1
|
||||||
|
ln -s $select_annobin "$rac1"
|
||||||
|
popd > /dev/null
|
||||||
|
|
||||||
|
else if [ $install_gcc_version -eq 1 ]
|
||||||
|
then
|
||||||
|
if [ $debug -eq 1 ]
|
||||||
|
then
|
||||||
|
echo " redhat-rpm-config: Installing gcc version of $rac1"
|
||||||
|
fi
|
||||||
|
pushd $rrcdir > /dev/null
|
||||||
|
rm -f $rac1
|
||||||
|
ln -s $select_gcc $rac1
|
||||||
|
popd > /dev/null
|
||||||
|
fi
|
||||||
|
fi
|
@ -0,0 +1,2 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=annobin}
|
@ -0,0 +1,2 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!-fno-use-annobin:%{!iplugindir*:%:find-plugindir()} -fplugin=gcc-annobin}
|
@ -0,0 +1,2 @@
|
|||||||
|
*cc1_options:
|
||||||
|
+ %{!r:%{!fpie:%{!fPIE:%{!fpic:%{!fPIC:%{!fno-pic:-fPIE}}}}}}
|
@ -0,0 +1,2 @@
|
|||||||
|
*self_spec:
|
||||||
|
+ %{!static:%{!shared:%{!r:-pie}}}
|
@ -0,0 +1,97 @@
|
|||||||
|
include: /usr/lib/rpm/rpmrc
|
||||||
|
|
||||||
|
optflags: i386 %{__global_compiler_flags} -m32 -march=i386 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i486 %{__global_compiler_flags} -m32 -march=i486 -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i586 %{__global_compiler_flags} -m32 -march=i586 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: i686 %{__global_compiler_flags} -m32 -march=x86-64 -mtune=generic -mfpmath=sse -mstackrealign -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
|
||||||
|
optflags: athlon %{__global_compiler_flags} -m32 -march=athlon -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
optflags: ia64 %{__global_compiler_flags}
|
||||||
|
optflags: x86_64 %{__global_compiler_flags} -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection
|
||||||
|
|
||||||
|
optflags: alpha %{__global_compiler_flags} -mieee
|
||||||
|
optflags: alphaev5 %{__global_compiler_flags} -mieee -mcpu=ev5
|
||||||
|
optflags: alphaev56 %{__global_compiler_flags} -mieee -mcpu=ev56
|
||||||
|
optflags: alphapca56 %{__global_compiler_flags} -mieee -mcpu=pca56
|
||||||
|
optflags: alphaev6 %{__global_compiler_flags} -mieee -mcpu=ev6
|
||||||
|
optflags: alphaev67 %{__global_compiler_flags} -mieee -mcpu=ev67
|
||||||
|
|
||||||
|
optflags: sparc %{__global_compiler_flags} -m32 -mcpu=v7 -mtune=ultrasparc
|
||||||
|
optflags: sparcv8 %{__global_compiler_flags} -m32 -mcpu=v8
|
||||||
|
optflags: sparcv9 %{__global_compiler_flags} -m32 -mcpu=ultrasparc
|
||||||
|
optflags: sparcv9v %{__global_compiler_flags} -m32 -mcpu=niagara
|
||||||
|
optflags: sparc64 %{__global_compiler_flags} -m64 -mcpu=ultrasparc
|
||||||
|
optflags: sparc64v %{__global_compiler_flags} -m64 -mcpu=niagara
|
||||||
|
|
||||||
|
optflags: m68k %{__global_compiler_flags}
|
||||||
|
|
||||||
|
optflags: ppc %{__global_compiler_flags} -m32 -funwind-tables
|
||||||
|
optflags: ppciseries %{__global_compiler_flags} -m32
|
||||||
|
optflags: ppcpseries %{__global_compiler_flags} -m32
|
||||||
|
optflags: ppc64 %{__global_compiler_flags} -m64 -funwind-tables -fstack-clash-protection
|
||||||
|
optflags: ppc64p7 %{__global_compiler_flags} -m64 -O3 -mcpu=power7 -mtune=power7 -funwind-tables -fstack-clash-protection
|
||||||
|
optflags: ppc64le %{__global_compiler_flags} -m64 -mcpu=power8 -mtune=power8 -funwind-tables -fstack-clash-protection
|
||||||
|
optflags: ppc64iseries %{__global_compiler_flags} -m64
|
||||||
|
optflags: ppc64pseries %{__global_compiler_flags} -m64
|
||||||
|
optflags: ppc8260 %{__global_compiler_flags} -m32
|
||||||
|
optflags: ppc8560 %{__global_compiler_flags} -m32
|
||||||
|
|
||||||
|
optflags: parisc %{__global_compiler_flags} -mpa-risc-1-0
|
||||||
|
optflags: hppa1.0 %{__global_compiler_flags} -mpa-risc-1-0
|
||||||
|
optflags: hppa1.1 %{__global_compiler_flags} -mpa-risc-1-0
|
||||||
|
optflags: hppa1.2 %{__global_compiler_flags} -mpa-risc-1-0
|
||||||
|
optflags: hppa2.0 %{__global_compiler_flags} -mpa-risc-1-0
|
||||||
|
|
||||||
|
optflags: mips %{__global_compiler_flags} -march=mips32r2 -mfpxx
|
||||||
|
optflags: mipsel %{__global_compiler_flags} -march=mips32r2 -mfpxx
|
||||||
|
optflags: mips64 %{__global_compiler_flags} -march=mips64r2 -mabi=64
|
||||||
|
optflags: mips64el %{__global_compiler_flags} -march=mips64r2 -mabi=64
|
||||||
|
optflags: mipsr6 %{__global_compiler_flags} -march=mips32r6
|
||||||
|
optflags: mipsr6el %{__global_compiler_flags} -march=mips32r6
|
||||||
|
optflags: mips64r6 %{__global_compiler_flags} -march=mips64r6
|
||||||
|
optflags: mips64r6el %{__global_compiler_flags} -march=mips64r6
|
||||||
|
|
||||||
|
optflags: armv3l %{__global_compiler_flags} -fsigned-char -march=armv3
|
||||||
|
optflags: armv4b %{__global_compiler_flags} -fsigned-char -march=armv4
|
||||||
|
optflags: armv4l %{__global_compiler_flags} -fsigned-char -march=armv4
|
||||||
|
optflags: armv4tl %{__global_compiler_flags} -march=armv4t
|
||||||
|
optflags: armv5tel %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
|
||||||
|
optflags: armv5tejl %{__global_compiler_flags} -march=armv5te -mfloat-abi=soft
|
||||||
|
optflags: armv6l %{__global_compiler_flags} -march=armv6 -mfloat-abi=soft
|
||||||
|
optflags: armv6hl %{__global_compiler_flags} -march=armv6 -mfpu=vfp -mfloat-abi=hard
|
||||||
|
optflags: armv6hnl %{__global_compiler_flags} -march=armv6 -mfpu=neon -mfloat-abi=hard
|
||||||
|
optflags: armv7l %{__global_compiler_flags} -march=armv7-a -mfloat-abi=soft
|
||||||
|
optflags: armv7hl %{__global_compiler_flags} -march=armv7-a -mfpu=vfpv3-d16 -mtune=generic-armv7-a -mabi=aapcs-linux -mfloat-abi=hard
|
||||||
|
optflags: armv7hnl %{__global_compiler_flags} -march=armv7-a -mfpu=neon -mfloat-abi=hard
|
||||||
|
|
||||||
|
optflags: atarist %{__global_compiler_flags}
|
||||||
|
optflags: atariste %{__global_compiler_flags}
|
||||||
|
optflags: ataritt %{__global_compiler_flags}
|
||||||
|
optflags: falcon %{__global_compiler_flags}
|
||||||
|
optflags: atariclone %{__global_compiler_flags}
|
||||||
|
optflags: milan %{__global_compiler_flags}
|
||||||
|
optflags: hades %{__global_compiler_flags}
|
||||||
|
|
||||||
|
optflags: s390 %{__global_compiler_flags} -m31 -march=z13 -mtune=z14 -fasynchronous-unwind-tables
|
||||||
|
optflags: s390x %{__global_compiler_flags} -m64 -march=z13 -mtune=z14 -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
|
||||||
|
optflags: aarch64 %{__global_compiler_flags} -fasynchronous-unwind-tables -fstack-clash-protection
|
||||||
|
|
||||||
|
optflags: riscv64 %{__global_compiler_flags}
|
||||||
|
|
||||||
|
# set build arch to fedora buildarches on hardware capable of running it
|
||||||
|
# saves having to do rpmbuild --target=
|
||||||
|
buildarchtranslate: athlon: i686
|
||||||
|
buildarchtranslate: geode: i686
|
||||||
|
buildarchtranslate: pentium4: i686
|
||||||
|
buildarchtranslate: pentium3: i686
|
||||||
|
buildarchtranslate: i686: i686
|
||||||
|
buildarchtranslate: i586: i586
|
||||||
|
|
||||||
|
buildarchtranslate: sparcv9: sparcv9
|
||||||
|
buildarchtranslate: sparcv9v: sparcv9
|
||||||
|
|
||||||
|
buildarchtranslate: armv5tejl: armv5tel
|
||||||
|
buildarchtranslate: armv6l: armv5tel
|
||||||
|
buildarchtranslate: armv7l: armv5tel
|
||||||
|
buildarchtranslate: armv7hl: armv7hl
|
||||||
|
buildarchtranslate: armv7hnl: armv7hl
|
@ -0,0 +1,76 @@
|
|||||||
|
#! /usr/bin/perl -w
|
||||||
|
|
||||||
|
# This program is free software; you can redistribute it and/or
|
||||||
|
# modify it under the terms of the GNU General Public License
|
||||||
|
# as published by the Free Software Foundation; either version 2
|
||||||
|
# of the License, or (at your option) any later version.
|
||||||
|
#
|
||||||
|
# This program is distributed in the hope that it will be useful,
|
||||||
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
# GNU General Public License for more details.
|
||||||
|
#
|
||||||
|
# You should have received a copy of the GNU General Public License
|
||||||
|
# along with this program; if not, write to the Free Software
|
||||||
|
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307,
|
||||||
|
# USA.
|
||||||
|
|
||||||
|
use Getopt::Long qw(:config gnu_getopt);
|
||||||
|
|
||||||
|
sub rpm_cmp_versions {
|
||||||
|
my ($evr1, $evr2) = @_;
|
||||||
|
|
||||||
|
sub _rpm_cmp {
|
||||||
|
my ($s1, $s2) = @_;
|
||||||
|
|
||||||
|
return defined $s1 <=> defined $s2
|
||||||
|
unless defined $s1 && defined $s2;
|
||||||
|
|
||||||
|
my ($r, $x1, $x2);
|
||||||
|
do {
|
||||||
|
$s1 =~ s/^[^a-zA-Z0-9]+//;
|
||||||
|
$s2 =~ s/^[^a-zA-Z0-9]+//;
|
||||||
|
if ($s1 =~ /^\d/ || $s2 =~ /^\d/) {
|
||||||
|
$s1 =~ s/^0*(\d*)//; $x1 = $1;
|
||||||
|
$s2 =~ s/^0*(\d*)//; $x2 = $1;
|
||||||
|
$r = length $x1 <=> length $x2 || $x1 cmp $x2;
|
||||||
|
} else {
|
||||||
|
$s1 =~ s/^([a-zA-Z]*)//; $x1 = $1;
|
||||||
|
$s2 =~ s/^([a-zA-Z]*)//; $x2 = $1;
|
||||||
|
return 0
|
||||||
|
if $x1 eq '' && $x2 eq '';
|
||||||
|
$r = $x1 cmp $x2;
|
||||||
|
}
|
||||||
|
} until $r;
|
||||||
|
return $r;
|
||||||
|
}
|
||||||
|
|
||||||
|
my ($e1, $v1, $r1) = $evr1 =~ /^(?:(\d*):)?(.*?)(?:-([^-]*))?$/;
|
||||||
|
my ($e2, $v2, $r2) = $evr2 =~ /^(?:(\d*):)?(.*?)(?:-([^-]*))?$/;
|
||||||
|
my $r = _rpm_cmp($e1 || 0, $e2 || 0);
|
||||||
|
$r = _rpm_cmp($v1, $v2)
|
||||||
|
unless $r;
|
||||||
|
$r = _rpm_cmp($r1, $r2)
|
||||||
|
unless $r;
|
||||||
|
return $r;
|
||||||
|
}
|
||||||
|
|
||||||
|
my $reorder = sub { return @_ };
|
||||||
|
my $key = 0;
|
||||||
|
|
||||||
|
GetOptions ("r|reverse" => sub { $reorder = sub { return reverse @_ } },
|
||||||
|
"k|key=i" => \$key)
|
||||||
|
or do {
|
||||||
|
print STDERR "Usage\n";
|
||||||
|
exit 1;
|
||||||
|
};
|
||||||
|
|
||||||
|
if ($key == 0) {
|
||||||
|
# Sort by entire lines
|
||||||
|
map { print } &$reorder(sort { rpm_cmp_versions($a, $b) } <>);
|
||||||
|
} else {
|
||||||
|
# Sort by field $key
|
||||||
|
my @data = map { [(split)[$key-1], $_] } <>;
|
||||||
|
map { print } &$reorder(map { $_->[1] }
|
||||||
|
sort { rpm_cmp_versions($a->[0], $b->[0]) } @data);
|
||||||
|
}
|
@ -0,0 +1,40 @@
|
|||||||
|
#! /bin/sh
|
||||||
|
|
||||||
|
# Create a table of all symbol sets defined in all /boot/symsets*.tar.gz
|
||||||
|
# files.
|
||||||
|
#
|
||||||
|
# Format:
|
||||||
|
# kernelrelease/modver/symbol <tab> symset <tab> symset_hash
|
||||||
|
#
|
||||||
|
# This table is needed for computing the appropriate Requires: tags for
|
||||||
|
# kernel module packages.
|
||||||
|
|
||||||
|
tmpdir=$(mktemp -t -d ${0##*/}.XXXXXX)
|
||||||
|
trap "cd / ; rm -rf $tmpdir" EXIT
|
||||||
|
cd $tmpdir
|
||||||
|
|
||||||
|
shopt -s nullglob
|
||||||
|
for symsets in /boot/symsets-*.tar.gz; do
|
||||||
|
zcat $symsets \
|
||||||
|
| tar xf -
|
||||||
|
done
|
||||||
|
|
||||||
|
for symsets in /usr/src/kernels/*/symsets-*.tar.gz; do
|
||||||
|
zcat $symsets \
|
||||||
|
| tar xf -
|
||||||
|
done
|
||||||
|
|
||||||
|
for symsets in *; do
|
||||||
|
krel=${symsets#symsets-}
|
||||||
|
for symset in $symsets/*; do
|
||||||
|
class=${symset##*/} ; class=${class%.*}
|
||||||
|
hash=${symset##*.}
|
||||||
|
awk '
|
||||||
|
BEGIN { FS = "\t" ; OFS = "\t" }
|
||||||
|
{ sub(/0x0*/, "", $1)
|
||||||
|
print krel "/" $1 "/" $2, class, hash }
|
||||||
|
' krel="$krel" class="$class" hash="$hash" $symset
|
||||||
|
done
|
||||||
|
done
|
||||||
|
|
||||||
|
# vim:shiftwidth=4 softtabstop=4
|
File diff suppressed because it is too large
Load Diff
Loading…
Reference in new issue