From 4659d703bea04e79371075bcd111933cd65a89e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?V=C3=ADt=20Ondruch?= <vondruch@redhat.com>
Date: Tue, 8 Nov 2016 13:37:17 +0100
Subject: [PATCH] Check hardening.

---
 ruby.spec | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/ruby.spec b/ruby.spec
index 253969f..352955f 100644
--- a/ruby.spec
+++ b/ruby.spec
@@ -148,6 +148,8 @@ BuildRequires: %{_bindir}/dtrace
 # RubyGems test suite optional dependencies.
 BuildRequires: git
 BuildRequires: %{_bindir}/cmake
+# Required to test hardening.
+BuildRequires: %{_bindir}/checksec
 
 # This package provides %%{_bindir}/ruby-mri therefore it is marked by this
 # virtual provide. It can be installed as dependency of rubypick.
@@ -678,6 +680,10 @@ sed -i 's/^/%doc /' .ruby-doc.*
 sed -i 's/^/%lang(ja) /' .ruby-doc.ja
 
 %check
+# Check Ruby hardening.
+checksec -f libruby.so.%{ruby_version} | \
+  grep "Full RELRO.*Canary found.*NX enabled.*DSO.*No RPATH.*No RUNPATH.*Yes.*\d*.*\d*.*libruby.so.%{ruby_version}"
+
 # Check RubyGems version correctness.
 [ "`make runruby TESTRUN_SCRIPT='bin/gem -v' | tail -1`" == '%{rubygems_version}' ]
 # Check Molinillo version correctness.