moritzruth/void-packages
1
0
Fork 0
Code Releases Activity Actions 2

configure/hardening.sh: use PIE and SSP by default, drop -specs hacks.

Browse source
This commit is contained in:
Jürgen Buchmüller 2017-08-18 19:02:23 +02:00
parent 1c2290eec1
commit b55932255d
1 changed files with 25 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

48
common/environment/configure/hardening.sh
View file

@ -1,26 +1,28 @@
# Enable SSP and FORITFY_SOURCE=2 by default. # Enable as-needed by default.
_CFLAGS=" -fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CFLAGS}" LDFLAGS="-Wl,--as-needed ${LDFLAGS}"
_CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CXXFLAGS}"
# Enable as-needed and relro by default.
_LDFLAGS="-Wl,--as-needed ${LDFLAGS}"
case "$XBPS_TARGET_MACHINE" in
i686-musl) # SSP currently broken (see https://github.com/voidlinux/void-packages/issues/2902)
_CFLAGS+=" -fno-stack-protector"
_CXXFLAGS+=" -fno-stack-protector"
;;
esac
if [ -z "$nopie" ]; then if [ -z "$nopie" ]; then
_GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs # Our compilers use --enable-default-pie and --enable-default-ssp,
case "$XBPS_TARGET_MACHINE" in # but the bootstrap host compiler may not, force them.
mips*) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-mips-cc1;; if [ -z "$CHROOT_READY" ]; then
*) _GCCSPECSFILE=${_GCCSPECSDIR}/hardened-cc1;; CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CFLAGS}"
esac CXXFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 ${CXXFLAGS}"
CFLAGS="-specs=${_GCCSPECSFILE} ${_CFLAGS}" _GCCSPECSDIR=${XBPS_COMMONDIR}/environment/configure/gccspecs
CXXFLAGS="-specs=${_GCCSPECSFILE} ${_CXXFLAGS}" case "$XBPS_TARGET_MACHINE" in
# We pass -z relro -z now here too, because libtool drops -specs... mips*) _GCCSPECSFILE="${_GCCSPECSDIR}/hardened-mips-cc1" ;;
LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now ${_LDFLAGS}" *) _GCCSPECSFILE="${_GCCSPECSDIR}/hardened-cc1" ;;
esac
CFLAGS="-specs=${_GCCSPECSFILE} ${CFLAGS}"
CXXFLAGS="-specs=${_GCCSPECSFILE} ${CXXFLAGS}"
LDFLAGS="-specs=${_GCCSPECSDIR}/hardened-ld -Wl,-z,relro -Wl,-z,now ${LDFLAGS}"
else
# Enable FORITFY_SOURCE=2
CFLAGS="-D_FORTIFY_SOURCE=2 ${CFLAGS}"
CXXFLAGS="-D_FORTIFY_SOURCE=2 ${CXXFLAGS}"
LDFLAGS="-Wl,-z,relro -Wl,-z,now ${LDFLAGS}"
fi
else
CFLAGS="-fno-PIE ${CFLAGS}"
CXXFLAGS="-fno-PIE ${CFLAGS}"
LDFLAGS="-no-pie ${LDFLAGS}"
fi fi
unset _CFLAGS _CXXFLAGS _LDFLAGS