From 63b3ff125cacaef178195ebe85091dc8d20d13be Mon Sep 17 00:00:00 2001
From: viferga
Date: Thu, 28 Nov 2019 08:03:36 -0900
Subject: [PATCH] Add optional support for Position Independent Code and stack smashing protection plus source fortify. This is needed for Guix portability, when exporting the tarball to Alpine, the musl or ulibc does not support it.
---
 CMakeLists.txt | 2 +
 cmake/SecurityFlags.cmake | 100 ++++++++++++++++++++------------------
 2 files changed, 56 insertions(+), 46 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 56ca309da..247e9d1a5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -82,6 +82,8 @@ option(OPTION_BUILD_SCRIPTS "Build scripts." ON)
 option(OPTION_BUILD_SERIALS "Build serials." ON)
 option(OPTION_BUILD_DETOURS "Build detours." ON)
 option(OPTION_BUILD_PORTS "Build ports." OFF)
+option(OPTION_BUILD_PIC "Build with position independent code." ON)
+option(OPTION_BUILD_SECURITY "Build with stack-smashing protection and source fortify." ON)
 option(OPTION_FORK_SAFE "Enable fork safety." ON)
 option(OPTION_THREAD_SAFE "Enable thread safety." OFF)
 option(OPTION_COVERAGE "Enable coverage." OFF)
diff --git a/cmake/SecurityFlags.cmake b/cmake/SecurityFlags.cmake
index 624aeaa7a..aeb856632 100644
--- a/cmake/SecurityFlags.cmake
+++ b/cmake/SecurityFlags.cmake
@@ -22,41 +22,45 @@ include(CheckCCompilerFlagStackSmashing) if("${CMAKE_C_COMPILER_ID}" STREQUAL "GNU") - # Detect position independent code flag - check_c_compiler_flag("-fPIC" PIC_C_FLAG) + if(OPTION_BUILD_PIC) + # Detect position independent code flag + check_c_compiler_flag("-fPIC" PIC_C_FLAG) - if(PIC_C_FLAG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC") + if(PIC_C_FLAG) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIC") + endif() endif() - # Detect stack protector - check_c_compiler_flag_stack_smashing("-fstack-protector-strong" STACK_PROTECTOR_STRONG_C_FLAG) - - if(STACK_PROTECTOR_STRONG_C_FLAG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong") + if(OPTION_BUILD_SECURITY) + # Detect stack protector + check_c_compiler_flag_stack_smashing("-fstack-protector-strong" STACK_PROTECTOR_STRONG_C_FLAG) - # use ssp-buffer-size if it is supported - if(CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.9) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --param ssp-buffer-size=4") - endif() - else() - check_c_compiler_flag_stack_smashing("-fstack-protector" STACK_PROTECTOR_CXX_FLAG) - - if(STACK_PROTECTOR_C_FLAG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector") + if(STACK_PROTECTOR_STRONG_C_FLAG) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong") # use ssp-buffer-size if it is supported if(CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.9) set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --param ssp-buffer-size=4") endif() + else() + check_c_compiler_flag_stack_smashing("-fstack-protector" STACK_PROTECTOR_CXX_FLAG) + + if(STACK_PROTECTOR_C_FLAG) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector") + + # use ssp-buffer-size if it is supported + if(CMAKE_C_COMPILER_VERSION VERSION_GREATER 4.9) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} --param ssp-buffer-size=4") + endif() + endif() endif() - endif() - # Detect fortify source - check_c_compiler_flag("-D_FORTIFY_SOURCE=2" FORTIFY_SOURCE_C_FLAG) + # Detect fortify source + check_c_compiler_flag("-D_FORTIFY_SOURCE=2" 
FORTIFY_SOURCE_C_FLAG) - if(FORTIFY_SOURCE_C_FLAG) - set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3 -D_FORTIFY_SOURCE=2") + if(FORTIFY_SOURCE_C_FLAG) + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -O3 -D_FORTIFY_SOURCE=2") + endif() endif() endif() 
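Review bot: The `-fstack-protector` fallback inside the new `if(OPTION_BUILD_SECURITY)` block stores its probe result in `STACK_PROTECTOR_CXX_FLAG` but the very next line tests `STACK_PROTECTOR_C_FLAG`, so on a GCC without `-fstack-protector-strong` the C flags get no stack protector at all (unless that variable happens to be set elsewhere in the file); the probe should write the variable it reads: `check_c_compiler_flag_stack_smashing("-fstack-protector" STACK_PROTECTOR_C_FLAG)`. The C++ hunk uses the matching `STACK_PROTECTOR_CXX_FLAG` name in both places, so only this hunk is affected. Separately, the fortify branch still appends `-O3` together with `-D_FORTIFY_SOURCE=2` to `CMAKE_C_FLAGS`, which forces `-O3` into every configuration including Debug; `_FORTIFY_SOURCE` does need optimization to have an effect, but that is better expressed by gating the define on the configuration, e.g. `add_compile_options("$<$<NOT:$<CONFIG:Debug>>:-D_FORTIFY_SOURCE=2>")`, than by overriding the optimization level, and the same pattern appears in the C++ hunk.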
@@ -66,41 +70,45 @@ include(CheckCXXCompilerFlagStackSmashing) if("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU") - # Detect position independent code flag - check_cxx_compiler_flag("-fPIC" PIC_CXX_FLAG) + if(OPTION_BUILD_PIC) + # Detect position independent code flag + check_cxx_compiler_flag("-fPIC" PIC_CXX_FLAG) - if(PIC_CXX_FLAG) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC") + if(PIC_CXX_FLAG) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC") + endif() endif() - # Detect stack protector - check_cxx_compiler_flag_stack_smashing("-fstack-protector-strong" STACK_PROTECTOR_STRONG_CXX_FLAG) - - if(STACK_PROTECTOR_STRONG_CXX_FLAG) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong") + if(OPTION_BUILD_SECURITY) + # Detect stack protector + check_cxx_compiler_flag_stack_smashing("-fstack-protector-strong" STACK_PROTECTOR_STRONG_CXX_FLAG) - # use ssp-buffer-size if it is supported - if(CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 4.9) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --param ssp-buffer-size=4") - endif() - else() - check_cxx_compiler_flag_stack_smashing("-fstack-protector" STACK_PROTECTOR_CXX_FLAG) - - if(STACK_PROTECTOR_CXX_FLAG) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector") + if(STACK_PROTECTOR_STRONG_CXX_FLAG) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong") # use ssp-buffer-size if it is supported if(CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 4.9) set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --param ssp-buffer-size=4") endif() + else() + check_cxx_compiler_flag_stack_smashing("-fstack-protector" STACK_PROTECTOR_CXX_FLAG) + + if(STACK_PROTECTOR_CXX_FLAG) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector") + + # use ssp-buffer-size if it is supported + if(CMAKE_CXX_COMPILER_VERSION VERSION_GREATER 4.9) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} --param ssp-buffer-size=4") + endif() + endif() endif() - endif() - # Detect fortify source - check_cxx_compiler_flag("-D_FORTIFY_SOURCE=2" FORTIFY_SOURCE_CXX_FLAG) 
+ # Detect fortify source + check_cxx_compiler_flag("-D_FORTIFY_SOURCE=2" FORTIFY_SOURCE_CXX_FLAG) - if(FORTIFY_SOURCE_CXX_FLAG) - set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O3 -D_FORTIFY_SOURCE=2") + if(FORTIFY_SOURCE_CXX_FLAG) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -O3 -D_FORTIFY_SOURCE=2") + endif() endif() endif()
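Review bot: `check_cxx_compiler_flag("-D_FORTIFY_SOURCE=2" FORTIFY_SOURCE_CXX_FLAG)` only verifies that the compiler accepts a `-D` argument, which it always does, so it cannot detect the musl/uClibc case the commit message describes; the new `OPTION_BUILD_SECURITY` switch is the only thing actually guarding it, and the same holds for the C probe in the previous hunk. Because both options default ON and are honored only inside the visible `if("${CMAKE_CXX_COMPILER_ID}" STREQUAL "GNU")` branch, a build can quietly end up without PIC, stack protector or fortify (option OFF, failed probe, or a non-GNU compiler if the file has no other branch) with nothing in the configure output saying so. After the flag selection I would add `message(STATUS "Security flags (CXX): ${CMAKE_CXX_FLAGS}")`, or an equivalent summary for both languages, so the hardening state of a given build is visible and can be checked in CI.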