From 2ab526ca9c7db35d78d5bd2df188db4d9f37aaac Mon Sep 17 00:00:00 2001
From: Vector Li
Date: Mon, 16 Jan 2023 20:22:48 +0800
Subject: [PATCH] Build binaries with relro/pie/bind_now

Note that package 'annobin-plugin-gcc' should be installed on the system to build the binaries.

Signed-off-by: Vector Li
---
 src/Makefile | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/Makefile b/src/Makefile
index e933843b..41ce1c8b 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -33,6 +33,25 @@ CFLAGS += -Wall -Werror -std=c99 $(shell pkg-config --cflags $(PACKAGES))
 # Keep this until we have Glib 2.68 in third-party module
 CFLAGS += -Wno-deprecated-declarations
+# XXX: Support to build binaries relro/pie/bind_now. For more,
+# please refer to:
+# https://github.com/restraint-harness/restraint/issues/255
+CFLAGS_x86_64 =
+CFLAGS_aarch64 =
+CFLAGS_ppc64le =
+
+CFLAGS_x86_64 += -fshort-enums
+CFLAGS_x86_64 += -fcf-protection=full
+CFLAGS_x86_64 += -fplugin=annobin
+CFLAGS_x86_64 += -fstack-protector-strong
+CFLAGS_x86_64 += -D_FORTIFY_SOURCE=2
+CFLAGS_x86_64 += -D_GLIBCXX_ASSERTIONS
+
+CFLAGS += $(CFLAGS_$(shell uname -i))
+CFLAGS += -fpie
+LDFLAGS += -Wl,-z,now
+LDFLAGS += -pie
+
 ifeq ($(STATIC), 1)
 # The LIBS list must start with static then followed with dynamic.
 # DYNAMICLIBS must be stripped out of THIRDPTYLIBS leaving
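Review bot: The compiler-side hardening only takes effect when `uname -i` prints exactly `x86_64`: `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2` are architecture-independent but are added to `CFLAGS_x86_64`, so aarch64 and ppc64le builds (whose variables stay empty) and any host where `uname -i` prints `unknown` get PIE and bind_now but no stack protector or fortify, with no warning. I would move the portable flags to the common set, `CFLAGS += -fstack-protector-strong -D_FORTIFY_SOURCE=2`, keep only `-fcf-protection=full` per-architecture, and select with `CFLAGS += $(CFLAGS_$(shell uname -m))`. The subject promises relro, but no `-z relro` is passed and the result depends on the linker's default; `LDFLAGS += -Wl,-z,relro -Wl,-z,now` would make full RELRO explicit. `-D_GLIBCXX_ASSERTIONS` only affects libstdc++ headers and `-fshort-enums` changes enum ABI rather than hardening anything, so both are worth confirming against this `-std=c99` build.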