From: E.Smith <31170571+azlm8t@users.noreply.github.com> Date: Mon, 1 Oct 2018 17:32:26 +0000 (+0100) Subject: build: Add hardening options. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a26e74d718310feaa76d6629a0e615987e5276e9;p=thirdparty%2Ftvheadend.git build: Add hardening options. Add some hardening options from: https://wiki.debian.org/Hardening These protect against basic buffer overruns. Although debian/rules can have an "export DEB_BUILD_HARDENING=1", it's useful to have these available across all builds that support the compiler options. --- diff --git a/Makefile b/Makefile index 82d257623..06951861b 100644 --- a/Makefile +++ b/Makefile @@ -31,7 +31,8 @@ LANGUAGES ?= $(LANGUAGES_ALL) # Common compiler flags # -CFLAGS += -g +# https://wiki.debian.org/Hardening +CFLAGS += -g -D_FORTIFY_SOURCE=2 ifeq ($(CONFIG_CCDEBUG),yes) CFLAGS += -O0 else diff --git a/configure b/configure index a4b901b61..66f2e8ee1 100755 --- a/configure +++ b/configure @@ -148,6 +148,12 @@ check_cc_header execinfo check_cc_option mmx check_cc_option sse2 check_cc_optionW unused-result +# Some options from https://wiki.debian.org/Hardening +check_cc_optionf stack-protector +check_cc_optionf stack-protector-strong +# Useful for multi-threaded programs +check_cc_optionf stack-check +check_cc_optionf PIE if check_cc ' #if !defined(__clang__) diff --git a/support/configure.inc b/support/configure.inc index f7386f4a3..bca414ebe 100755 --- a/support/configure.inc +++ b/support/configure.inc @@ -325,6 +325,27 @@ check_cc_optionW () fi } +# Check compiler option +check_cc_optionf () +{ + local opt=$1 + local nam=$2 + [ -z "$nam" ] && nam=$opt + nam=$(echo "f_$nam" | sed -e 's/[-=]/_/g') + + printf "$TAB" "checking for cc -f$opt ..." + + # Enable if supported + if check_cc "" -f${opt}; then + echo "ok" + enable $nam + else + echo "fail" + return 1 + fi +} + + # Check compiler library check_cc_lib () {