Pass and use hardening flags from RPM configuration

Maintain the executable security but allows to have a working
X11 module. X11 modules cannot be compiled with "-z now" due to
the way X11 modules work.
Signed-off-by: Frediano Ziglio <freddy77@gmail.com>

configure.ac

@@ -17,6 +17,12 @@ PKG_CHECK_MODULES(PIXMAN, pixman-1)
 
 AM_CONDITIONAL([HAVE_GTEST], [pkg-config --atleast-version=2.38 glib-2.0])
 
+# Fedora likes to harden builds.  We cannot use the hardening flags on the
+#  spice-video-dummy, as -znow causes Xorg conventions to fail.
+#  We use these flags to pass the hardening options only to x11spice.
+AC_SUBST([X11SPICE_ONLY_CFLAGS])
+AC_SUBST([X11SPICE_ONLY_LDFLAGS])
+
 AC_ARG_ENABLE([dummy], AS_HELP_STRING([--enable-dummy], [Builds the spice-video-dummy driver]), [dummy=true])
 AM_CONDITIONAL([DUMMY], test x$dummy = xtrue)
 

src/Makefile.am

@@ -5,8 +5,9 @@
 bin_PROGRAMS = x11spice
 ALL_XCB_CFLAGS=$(XCB_CFLAGS) $(DAMAGE_CFLAGS) $(XTEST_CFLAGS) $(SHM_CFLAGS) $(UTIL_CFLAGS) $(XKB_CFLAGS) $(XFIXES_CFLAGS)
 ALL_XCB_LIBS=$(XCB_LIBS) $(DAMAGE_LIBS) $(XTEST_LIBS) $(SHM_LIBS) $(UTIL_LIBS) $(XKB_LIBS) $(XFIXES_LIBS)
-CUSTOM_CFLAGS=-Wall -Wno-deprecated-declarations -Wno-format-security -Werror
+CUSTOM_CFLAGS=-Wall -Wno-deprecated-declarations -Wno-format-security -Werror $(X11SPICE_ONLY_CFLAGS)
 AM_CFLAGS = $(CUSTOM_CFLAGS) $(ALL_XCB_CFLAGS) $(GTK_CFLAGS) $(SPICE_CFLAGS) $(SPICE_PROTOCOL_CFLAGS) $(GLIB2_CFLAGS) $(PIXMAN_CFLAGS) $(CODE_COVERAGE_CFLAGS)
+AM_LDFLAGS = $(X11SPICE_ONLY_LDFLAGS)
 x11spice_LDADD = $(ALL_XCB_LIBS) $(GTK_LIBS) $(SPICE_LIBS) $(GLIB2_LIBS) $(PIXMAN_LIBS) $(CODE_COVERAGE_LDFLAGS)
 x11spice_SOURCES = \
     agent.c \

src/data/x11spice.spec

@@ -23,6 +23,9 @@ Utility to share x11 desktops via Spice.
 
 
 %build
+# The Xorg modules cannot use -Znow, so we harden just x11spice
+export X11SPICE_ONLY_CFLAGS="%{_hardened_cflags}"
+export X11SPICE_ONLY_LDFLAGS="%{_hardened_ldflags}"
 %undefine _hardened_build
 %configure --enable-dummy
 make %{?_smp_mflags}