build: Add hardening options.
authorE.Smith <31170571+azlm8t@users.noreply.github.com>
Mon, 1 Oct 2018 17:32:26 +0000 (18:32 +0100)
committerperexg <perex@perex.cz>
Tue, 2 Oct 2018 14:03:43 +0000 (16:03 +0200)
Add some hardening options from:
https://wiki.debian.org/Hardening
These protect against basic buffer overruns.

Although debian/rules can have an "export DEB_BUILD_HARDENING=1",
it's useful to have these available across all builds that support
the compiler options.

Makefile
configure
support/configure.inc

index 82d2576237d36c40c74e3139d741318bc573f8ef..06951861b6dd39c16f7ab1216bb238150c93e83d 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -31,7 +31,8 @@ LANGUAGES ?= $(LANGUAGES_ALL)
 # Common compiler flags
 #
 
-CFLAGS  += -g
+# https://wiki.debian.org/Hardening
+CFLAGS  += -g -D_FORTIFY_SOURCE=2
 ifeq ($(CONFIG_CCDEBUG),yes)
 CFLAGS  += -O0
 else
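Review bot: `-D_FORTIFY_SOURCE=2` is added unconditionally, but the lines that follow select `-O0` when `CONFIG_CCDEBUG` is `yes`. glibc's fortified wrappers only take effect when optimisation is enabled, and its headers warn when the macro is set without it, which turns into a build failure wherever warnings are treated as errors. I would keep `CFLAGS  += -g` here and put `CFLAGS  += -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` in the `else` branch next to the optimisation level; the `-U` avoids a redefinition warning on toolchains that predefine the macro. The `ifeq` block continues outside the hunk, so the exact placement needs checking against the full Makefile.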
index a4b901b61d92be35cf04f0916f2a8e25ee68551b..66f2e8ee155c3e4051c5af1577a8174317259707 100755 (executable)
--- a/configure
+++ b/configure
@@ -148,6 +148,12 @@ check_cc_header execinfo
 check_cc_option mmx
 check_cc_option sse2
 check_cc_optionW unused-result
+# Some options from https://wiki.debian.org/Hardening
+check_cc_optionf stack-protector
+check_cc_optionf stack-protector-strong
+# Useful for multi-threaded programs
+check_cc_optionf stack-check
+check_cc_optionf PIE
 
 if check_cc '
 #if !defined(__clang__)
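Review bot: `check_cc_optionf PIE` only establishes that the compiler accepts `-fPIE`. A position-independent executable also needs `-pie` at link time, otherwise ASLR does not cover the main binary. None of the visible hunks turns the resulting `f_*` settings into CFLAGS or LDFLAGS, so it is worth confirming where (or whether) the Makefile consumes them. When both `stack-protector` and `stack-protector-strong` are supported, both settings end up enabled, so the consumer should prefer the strong variant rather than pass both. I would also extend the comment to say what the probes are for, e.g. `# Hardening probes; each enables f_<option> when cc accepts -f<option>`.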
index f7386f4a39e9a33d8d9d0b407f05839b43160f2d..bca414ebec1e2b90b384f2b6aececddbf15e8c0c 100755 (executable)
@@ -325,6 +325,27 @@ check_cc_optionW ()
   fi
 }
 
+# Check compiler option
+check_cc_optionf ()
+{
+  local opt=$1
+  local nam=$2
+  [ -z "$nam" ] && nam=$opt
+  nam=$(echo "f_$nam" | sed -e 's/[-=]/_/g')
+
+  printf "$TAB" "checking for cc -f$opt ..."
+
+  # Enable if supported
+  if check_cc "" -f${opt}; then
+    echo "ok"
+    enable $nam
+  else
+    echo "fail"
+    return 1
+  fi
+}
+
+
 # Check compiler library
 check_cc_lib ()
 {
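Review bot: The header comment `# Check compiler option` does not say that this variant tests `-f<opt>` and enables a setting named `f_<opt>` with `-` and `=` mapped to `_`. I would write `# Check compiler -f option; enables f_<name> (- and = become _) when cc accepts -f<opt>`. The probe hands an empty program to `check_cc`, which is outside this hunk, so whether the test also links and whether it rejects flags the compiler merely warns about cannot be told from here. For `stack-protector` a link step matters on toolchains that ship the runtime as a separate library, so that is worth confirming. Quoting the argument as `"-f${opt}"` would also keep an option containing whitespace from being split.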