From 1ba600728148965c5f301ac2c1ac135d6facbbe5 Mon Sep 17 00:00:00 2001
From: xingweizheng
Date: Wed, 14 Sep 2022 11:07:15 +0800
Subject: [PATCH] improve security compile option of isula-build binary
---
 VERSION-openeuler | 2 +-
 apply-patches | 4 +--
 git-commit | 2 +-
 isula-build.spec | 8 +++++-
 ...-compile-option-of-isula-build-binar.patch | 25 +++++++++++++++++++
 series.conf | 3 ++-
 6 files changed, 38 insertions(+), 6 deletions(-)
 create mode 100644 patch/0126-improve-security-compile-option-of-isula-build-binar.patch
diff --git a/VERSION-openeuler b/VERSION-openeuler
index 6b10799..5b2e3ee 100644
--- a/VERSION-openeuler
+++ b/VERSION-openeuler
@@ -1 +1 @@
-0.9.6-11
+0.9.6-12
diff --git a/apply-patches b/apply-patches
index c5733c8..24cfdd8 100755
--- a/apply-patches
+++ b/apply-patches
@@ -9,7 +9,7 @@ set -ex
 pkg=isula-build
 cwd=${PWD}
 src=${cwd}/${pkg}
-tar_file=v"$(awk -F"-" '{print $1}' < VERSION-openeuler)".tar.gz
+tar_file=v"$(awk -F"-" '{print $1}' - 0.9.6-12
+- Type:bugfix
+- CVE:NA
+- SUG:restart
+- DESC:improve security compile option of isula-build binary
+
 * Fri Aug 19 2022 daisicheng - 0.9.6-11
 - Type:bugfix
 - CVE:NA
diff --git a/patch/0126-improve-security-compile-option-of-isula-build-binar.patch b/patch/0126-improve-security-compile-option-of-isula-build-binar.patch
new file mode 100644
index 0000000..7c683be
--- /dev/null
+++ b/patch/0126-improve-security-compile-option-of-isula-build-binar.patch
@@ -0,0 +1,25 @@
+From bdbd4b3136d57ef5e8d30f8537d03693cc11c481 Mon Sep 17 00:00:00 2001
+From: xingweizheng
+Date: Tue, 13 Sep 2022 23:07:28 +0800
+Subject: [PATCH] improve security compile option of isula-build binary
+
+---
+ Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/Makefile b/Makefile
+index 4bdb064..0d6bd01 100644
+--- a/Makefile
++++ b/Makefile
+@@ -23,7 +23,7 @@ BUILDFLAGS := -tags "$(BUILDTAGS)"
+ TMPDIR := /tmp/isula_build_tmpdir
+ BEFLAG := -tmpdir=${TMPDIR}
+ SAFEBUILDFLAGS := -buildid=IdByIsula -buildmode=pie -extldflags=-ftrapv -extldflags=-zrelro -extldflags=-znow $(BEFLAG) $(LDFLAGS)
+-STATIC_LDFLAGS := -linkmode=external -extldflags=-static
++STATIC_LDFLAGS := -linkmode=external -extldflags "-static-pie -Wl,-z,now"
+
+ IMAGE_BUILDARGS := $(if $(http_proxy), --build-arg http_proxy=$(http_proxy))
+ IMAGE_BUILDARGS += $(if $(https_proxy), --build-arg https_proxy=$(https_proxy))
+--
+2.27.0
+
diff --git a/series.conf b/series.conf
index 0b44f49..bed2cd1 100644
--- a/series.conf
+++ b/series.conf
@@ -33,4 +33,5 @@ patch/0121-print-first-and-second-error-when-dockerfile-not-fou.patch
 patch/0122-registries.toml-could-not-be-empty-hosts-resolv.conf.patch
 patch/0123-modify-the-Makefile-and-README-document.patch
 patch/0124-add-the-constraints-and-limitations-of-the-doc.patch
-patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch
\ No newline at end of file
+patch/0125-fix-the-possible-file-leakage-problem-in-util-cipher.patch
+patch/0126-improve-security-compile-option-of-isula-build-binar.patch
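Review bot: In the Makefile hunk carried by patch/0126, the new `STATIC_LDFLAGS` value passes `-Wl,-z,now` but not `-Wl,-z,relro`, so full RELRO on the static-pie binary depends on the external linker's default. Spelling it out as `STATIC_LDFLAGS := -linkmode=external -extldflags "-static-pie -Wl,-z,relro -Wl,-z,now"` removes that dependency. The context line `SAFEBUILDFLAGS` repeats `-extldflags=` three times, and as far as I know the Go linker keeps only the last occurrence of that flag rather than accumulating them. If both variables end up in one `-ldflags` string (the rule that uses them is outside the hunk), one set of hardening options may silently replace the other, so it is worth merging them into a single quoted `-extldflags` value. A post-build check in the spec or CI, for example `readelf -lW` for a `GNU_RELRO` segment and `readelf -dW` for `BIND_NOW` and `PIE` on the built binary, would confirm that the hardening this commit intends actually lands.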