From 9fcd572737283a9c2b781b29747998bb2034d252 Mon Sep 17 00:00:00 2001
From: Sait Talha Nisanci
Date: Tue, 20 Oct 2020 17:02:00 +0300
Subject: [PATCH] Pass security flags and check gcc version

We were not passing security flags for citus community packages, which we are for enterprise. Also this adds the check for gcc version to make sure we are compliant with security.
---
 citus.spec | 13 ++++++++++++-
 debian/check-gcc-version.sh | 9 +++++++++
 debian/rules | 1 +
 3 files changed, 22 insertions(+), 1 deletion(-)
 create mode 100755 debian/check-gcc-version.sh

diff --git a/citus.spec b/citus.spec
index 96e0c77bc..ad2be6bfb 100644
--- a/citus.spec
+++ b/citus.spec
@@ -34,8 +34,19 @@ commands.
 %prep
 %setup -q -n %{sname}-%{version}
 
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
+
+currentgccver="$(gcc -dumpversion)"
+requiredgccver="4.8.2"
+if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)" = "$requiredgccver" ]; then
+ echo WARNING: Using slower security flags because of outdated compiler
+ SECURITY_CFLAGS="-fstack-protector-all -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
+ fi
+fi
+
 %build
-%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}"
+%configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}" CC=$(command -v gcc) CFLAGS="$SECURITY_CFLAGS"
 make %{?_smp_mflags}
 
 %install
diff --git a/debian/check-gcc-version.sh b/debian/check-gcc-version.sh
new file mode 100755
index 000000000..4f036d7cf
--- /dev/null
+++ b/debian/check-gcc-version.sh
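Review bot: `SECURITY_CFLAGS` is assigned inside %prep but consumed by `CFLAGS="$SECURITY_CFLAGS"` on the %configure line in %build, and rpmbuild runs each section as its own shell, so the variable is empty by the time configure sees it and none of the hardening flags reach the compiler; the gcc check and both assignments belong at the top of %build instead. As rendered, the hunk also closes the `if` twice (` fi` followed by `fi`), which would be a shell syntax error once that section runs — confirm against the committed file. The comparison keeps the larger of the two versions via `sort -V | tail -n1`, so a compiler at exactly 4.8.2 is treated as outdated; `if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | head -n1)" != "$requiredgccver" ]; then` accepts it. Passing `CFLAGS=...` as a %configure argument also replaces the distribution's `%{optflags}` hardening set rather than extending it; `CFLAGS="%{optflags} $SECURITY_CFLAGS"` keeps both.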
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -euxo pipefail
+
+currentgccver="$($(pg_config --cc) -dumpversion)"
+requiredgccver="4.8.2"
+if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)" = "$requiredgccver" ]; then
+ echo ERROR: At least GCC version "$requiredgccver" is needed
+ exit 1
+fi
diff --git a/debian/rules b/debian/rules
index d7bbf511e..8659b1e17 100755
--- a/debian/rules
+++ b/debian/rules
@@ -12,6 +12,7 @@ override_dh_auto_test:
 	# nothing to do here, see debian/tests/* instead
 
 override_dh_auto_configure:
+	debian/check-gcc-version.sh
 	+pg_buildext configure build-%v --with-extra-version="$${CONF_EXTRA_VERSION:-}"
 
 override_dh_auto_install:
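Review bot: The version test rejects a compiler at exactly 4.8.2, because `sort -V | tail -n1` yields the larger of the two versions and that equals `$requiredgccver` when they are the same, while the message promises that 4.8.2 is sufficient; `if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | head -n1)" != "$requiredgccver" ]; then` gates on the smaller one and accepts equality. The identical comparison in the citus.spec hunk has the same edge. The diagnostic goes to stdout and does not say what was found; `echo "ERROR: found GCC $currentgccver, at least $requiredgccver is needed" >&2` makes a failed build log actionable. A header comment noting that this script only gates on compiler version and sets no hardening flags itself (presumably those come from the Debian build flags) would help, since the RPM side sets them explicitly and a reader may otherwise expect the same here.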