From: Fred Morcos Date: Fri, 13 Oct 2023 08:17:39 +0000 (+0200) Subject: Meson: Hardening - Stack Clash Protection X-Git-Tag: rec-5.1.0-alpha1~80^2~92 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2b3dbc1e7901b4bb607f0fda35371d690b18044b;p=thirdparty%2Fpdns.git Meson: Hardening - Stack Clash Protection
---
diff --git a/meson/hardening/meson.build b/meson/hardening/meson.build
index 05df75533b..1859c63baf 100644
--- a/meson/hardening/meson.build
+++ b/meson/hardening/meson.build
@@ -31,3 +31,4 @@ endif
 subdir('fortify-source') # Fortify Source
 subdir('control-flow') # Control Flow Protection
+subdir('stack-clash-prot') # Stack Clash Protection
diff --git a/meson/hardening/stack-clash-prot/meson.build b/meson/hardening/stack-clash-prot/meson.build
new file mode 100644
index 0000000000..cce9ae1444
--- /dev/null
+++ b/meson/hardening/stack-clash-prot/meson.build
@@ -0,0 +1,10 @@
+opt_scp = get_option('hardening-experimental-scp')
+
+support_scp = not opt_scp.disabled() and cxx.has_argument('-fstack-clash-protection')
+if support_scp
+ add_project_arguments('-fstack-clash-protection', language: ['c', 'cpp'])
+elif opt_scp.enabled()
+ error('Stack Clash Protection was explicitly requested but is not supported by the compiler')
+endif
+
+summary('Stack Clash Protection', support_scp, bool_yn: true, section: 'Hardening')
diff --git a/meson_options.txt b/meson_options.txt
index 12f3e0d6d2..64d5dc8d2c 100644
--- a/meson_options.txt
+++ b/meson_options.txt
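Review bot: The support check in `meson/hardening/stack-clash-prot/meson.build` asks only the C++ compiler (`cxx.has_argument('-fstack-clash-protection')`), yet `add_project_arguments` then applies the flag to both `'c'` and `'cpp'`. If the project also builds C sources with a compiler that does not accept the flag, those objects would either fail to compile or go unprotected while the summary still reports YES. Either restrict the call to `language: ['cpp']` or test every compiler that receives the flag. `cxx` is defined outside this hunk, so whether a C compiler is configured at all cannot be confirmed from here. A one-line header comment would also help readers, e.g. `# Probe each page of large stack allocations so the guard page cannot be jumped over`.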
@@ -1,6 +1,7 @@
 option('lua', type: 'combo', choices: ['auto', 'luajit', 'lua'], value: 'auto', description: 'Lua implementation to use')
 option('hardening', type: 'feature', value: 'auto', description: 'Compiler security checks')
 option('hardening-experimental-cf', type: 'combo', choices: ['disabled', 'full', 'branch', 'return', 'check'], value: 'disabled', description: 'Control Flow hardening')
+option('hardening-experimental-scp', type: 'feature', value: 'disabled', description: 'Stack Clash Protection')
 option('hardening-fortify-source', type: 'combo', choices: ['auto', 'disabled', '1', '2', '3'], value: '2', description: 'Source fortification level')
 option('rng-kiss', type: 'boolean', value: false, description: 'Use the unsafe KISS RNG')
 option('signers-libsodium', type: 'feature', value: 'auto', description: 'Enable libsodium-based signers')
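Review bot: The description `'Stack Clash Protection'` on `hardening-experimental-scp` gives no hint that the feature defaults to `disabled` and, as far as the new `stack-clash-prot/meson.build` shows, is not derived from the `hardening` option. Someone building with `hardening=auto` will see `Stack Clash Protection: NO` in the summary and may conclude the compiler lacks support rather than that the mitigation was never requested. Consider `description: 'Stack Clash Protection (experimental, must be enabled explicitly)'`.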