ignore hardening flags on plain builds
authorAydın Mercan <aydin@isc.org>
Mon, 30 Jun 2025 09:30:53 +0000 (12:30 +0300)
committerAydın Mercan <aydin@isc.org>
Tue, 1 Jul 2025 19:35:20 +0000 (22:35 +0300)
The 'plain' optimization level doesn't add any flags and leaves
control to the packager. Similarly, avoid adding any hardening flags at
this level.

Necessary flags such as `-fno-delete-null-pointer-checks` and
`-fno-strict-aliasing` are still included.

doc/arm/build.inc.rst
meson.build

index 64a80103690c02684e025e72c6db2c78359aad7d..5e78871ae79a6c9def6fae63f2d0dc220cdfc240 100644 (file)
@@ -156,3 +156,12 @@ installed. These can be downloaded from
 https://developer.apple.com/xcode/resources/ or, if Xcode is already
 installed, simply run ``xcode-select --install``. (Note that an Apple ID
 may be required to access the download page.)
+
+Packager Builds
+~~~~~~~~~~~~~~~
+
+Packagers are recommended to use the ``plain`` optimization level or the
+``plain`` build type when setting up the build directory. This will also
+disable the default hardening flags and any such flag must be set with
+``CFLAGS``. The top ``meson.build`` file in the source tree can be
+inspected for recommended flags.
index 6a1e57fa9a160c4c038a16512ce6aa3ac47433aa..853650118661f2b4b94c28dad538440629916f3a 100644 (file)
@@ -43,6 +43,7 @@ endif
 developer_mode = get_option('developer').enabled()
 
 c_std = get_option('c_std')
+optimization = get_option('optimization')
 sanitizer = get_option('b_sanitize')
 
 trace_logging = get_option('trace-logging')
@@ -148,27 +149,14 @@ add_project_arguments(
         '-Werror=strict-prototypes',
         '-Werror=vla',
 
-        '-fcf-protection=full',
         '-fdiagnostics-show-option',
         '-fno-delete-null-pointer-checks',
         '-fno-strict-aliasing',
-        '-fstack-clash-protection',
-        '-fstack-protector-strong',
         '-fstrict-flex-arrays=3',
     ),
     language: 'c',
 )
 
-add_project_link_arguments(
-    cc.get_supported_link_arguments(
-        '-Wl,-z,noexecstack',
-        '-Wl,-z,now',
-        '-Wl,-z,relro',
-        '-Wl,-z,separate-code',
-    ),
-    language: 'c',
-)
-
 if developer_mode
     add_project_arguments('-Werror', language: 'c')
 endif
@@ -183,16 +171,39 @@ int main(void) {
 }
 '''
 
-if not (get_option('optimization') == '0' or get_option('buildtype') == 'plain')
-    if cc.compiles(
-        fortify_test,
-        args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'],
-        name: 'usage of _FORTIFY_SOURCE=3',
-    )
-        add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c')
-    else
-        add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c')
+if optimization != 'plain'
+    if optimization != '0'
+        if cc.compiles(
+            fortify_test,
+            args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'],
+            name: 'usage of _FORTIFY_SOURCE=3',
+        )
+            add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c')
+        else
+            add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c')
+        endif
     endif
+
+    add_project_arguments(
+        cc.get_supported_arguments(
+            '-fcf-protection=full',
+            '-fstack-clash-protection',
+            '-fstack-protector-strong',
+
+            '-mbranch-protection=standard',
+        ),
+        language: 'c',
+    )
+
+    add_project_link_arguments(
+        cc.get_supported_link_arguments(
+            '-Wl,-z,noexecstack',
+            '-Wl,-z,now',
+            '-Wl,-z,relro',
+            '-Wl,-z,separate-code',
+        ),
+        language: 'c',
+    )
 endif
 
 if host_machine.system() == 'x86'
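Review bot: When `optimization` is `plain`, the whole `if optimization != 'plain'` block is skipped with no configure-time output. A build that selects `plain` without supplying its own flags therefore silently loses `_FORTIFY_SOURCE`, the stack protector and stack-clash flags, CET/branch protection, and the `noexecstack`/`now`/`relro`/`separate-code` link options. Adding `else` followed by `warning('plain build: default hardening flags are not applied; pass them via CFLAGS/LDFLAGS')` before the final `endif` would make this visible in the configure log. The removed condition also tested `get_option('buildtype') == 'plain'`, whereas the new one relies on the build type setting `optimization` to `plain`. That should hold for Meson's default mapping, but a one-line comment above the `if` stating the assumption would help, since an explicit `-Doptimization=` override next to `buildtype=plain` now takes the hardened path.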