mirror of
https://github.com/monero-project/monero.git
synced 2025-01-08 20:09:47 +00:00
Add misc hardening flags to the cmake machinery
See https://wiki.debian.org/Hardening#User_Space
This commit is contained in:
parent
a0a8706946
commit
776b44f17b
9 changed files with 153 additions and 14 deletions
|
@ -27,6 +27,13 @@
|
|||
# THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
#
|
||||
# Parts of this file are originally copyright (c) 2012-2013 The Cryptonote developers
|
||||
list(INSERT CMAKE_MODULE_PATH 0
|
||||
"${CMAKE_SOURCE_DIR}/cmake")
|
||||
include(CheckCCompilerFlag)
|
||||
include(CheckCXXCompilerFlag)
|
||||
include(CheckLinkerFlag)
|
||||
include(CheckLibraryExists)
|
||||
|
||||
if (IOS)
|
||||
INCLUDE(CmakeLists_IOS.txt)
|
||||
endif()
|
||||
|
@ -48,6 +55,31 @@ function (die msg)
|
|||
message(FATAL_ERROR "${BoldRed}${msg}${ColourReset}")
|
||||
endfunction ()
|
||||
|
||||
function (add_c_flag_if_supported flag var)
|
||||
string(REPLACE "-" "_" supported ${flag}_c)
|
||||
check_c_compiler_flag(${flag} ${supported})
|
||||
if(${${supported}})
|
||||
set(${var} "${${var}} ${flag}" PARENT_SCOPE)
|
||||
endif()
|
||||
endfunction()
|
||||
|
||||
function (add_cxx_flag_if_supported flag var)
|
||||
string(REPLACE "-" "_" supported ${flag}_cxx)
|
||||
check_cxx_compiler_flag(${flag} ${supported})
|
||||
if(${${supported}})
|
||||
set(${var} "${${var}} ${flag}" PARENT_SCOPE)
|
||||
endif()
|
||||
endfunction()
|
||||
|
||||
function (add_linker_flag_if_supported flag var)
|
||||
string(REPLACE "-" "_" supported ${flag}_ld)
|
||||
string(REPLACE "," "_" supported ${flag}_ld)
|
||||
check_linker_flag(${flag} ${supported})
|
||||
if(${${supported}})
|
||||
set(${var} "${${var}} ${flag}" PARENT_SCOPE)
|
||||
endif()
|
||||
endfunction()
|
||||
|
||||
if(NOT CMAKE_BUILD_TYPE)
|
||||
set(CMAKE_BUILD_TYPE Release CACHE STRING "Build type" FORCE)
|
||||
message(STATUS "Setting default build type: ${CMAKE_BUILD_TYPE}")
|
||||
|
@ -210,11 +242,11 @@ endif()
|
|||
|
||||
if (BUILD_SHARED_LIBS)
|
||||
message(STATUS "Building internal libraries with position independent code")
|
||||
set(PIC_FLAG "-fPIC")
|
||||
add_definitions("-DBUILD_SHARED_LIBS")
|
||||
else()
|
||||
message(STATUS "Building internal libraries as static")
|
||||
endif()
|
||||
set(PIC_FLAG "-fPIC")
|
||||
|
||||
if(MINGW)
|
||||
string(REGEX MATCH "^[^/]:/[^/]*" msys2_install_path "${CMAKE_C_COMPILER}")
|
||||
|
@ -470,6 +502,52 @@ else()
|
|||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fno-strict-aliasing")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fno-strict-aliasing")
|
||||
|
||||
# if those don't work for your compiler, single it out where appropriate
|
||||
if(CMAKE_BUILD_TYPE STREQUAL "Release")
|
||||
set(C_SECURITY_FLAGS "${C_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
|
||||
set(CXX_SECURITY_FLAGS "${CXX_SECURITY_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=1")
|
||||
endif()
|
||||
|
||||
# warnings
|
||||
add_c_flag_if_supported(-Wformat C_SECURITY_FLAGS)
|
||||
add_cxx_flag_if_supported(-Wformat CXX_SECURITY_FLAGS)
|
||||
add_c_flag_if_supported(-Wformat-security C_SECURITY_FLAGS)
|
||||
add_cxx_flag_if_supported(-Wformat-security CXX_SECURITY_FLAGS)
|
||||
|
||||
# -fstack-protector
|
||||
add_c_flag_if_supported(-fstack-protector C_SECURITY_FLAGS)
|
||||
add_cxx_flag_if_supported(-fstack-protector CXX_SECURITY_FLAGS)
|
||||
add_c_flag_if_supported(-fstack-protector-strong C_SECURITY_FLAGS)
|
||||
add_cxx_flag_if_supported(-fstack-protector-strong CXX_SECURITY_FLAGS)
|
||||
|
||||
# linker
|
||||
if (NOT WIN32)
|
||||
# Windows binaries die on startup with PIE
|
||||
add_linker_flag_if_supported(-pie LD_SECURITY_FLAGS)
|
||||
endif()
|
||||
add_linker_flag_if_supported(-Wl,-z,relro LD_SECURITY_FLAGS)
|
||||
add_linker_flag_if_supported(-Wl,-z,now LD_SECURITY_FLAGS)
|
||||
add_linker_flag_if_supported(-Wl,-z,noexecstack noexecstack_SUPPORTED)
|
||||
if (noexecstack_SUPPORTED)
|
||||
set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecstack")
|
||||
set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecstack)
|
||||
endif()
|
||||
add_linker_flag_if_supported(-Wl,-z,noexecheap noexecheap_SUPPORTED)
|
||||
if (noexecheap_SUPPORTED)
|
||||
set(LD_SECURITY_FLAGS "${LD_SECURITY_FLAGS} -Wl,-z,noexecheap")
|
||||
set(LD_RAW_FLAGS ${LD_RAW_FLAGS} -z noexecheap)
|
||||
endif()
|
||||
|
||||
# some windows linker bits
|
||||
if (WIN32)
|
||||
add_linker_flag_if_supported(-Wl,--dynamicbase LD_SECURITY_FLAGS)
|
||||
add_linker_flag_if_supported(-Wl,--nxcompat LD_SECURITY_FLAGS)
|
||||
endif()
|
||||
|
||||
message(STATUS "Using C security hardening flags: ${C_SECURITY_FLAGS}")
|
||||
message(STATUS "Using C++ security hardening flags: ${CXX_SECURITY_FLAGS}")
|
||||
message(STATUS "Using linker security hardening flags: ${LD_SECURITY_FLAGS}")
|
||||
|
||||
option(NO_AES "Explicitly disable AES support" ${NO_AES})
|
||||
|
||||
if(NO_AES)
|
||||
|
@ -498,8 +576,9 @@ else()
|
|||
message(STATUS "AES support disabled")
|
||||
endif()
|
||||
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG}")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -std=c11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_FLAG} ${WARNINGS} ${C_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${C_SECURITY_FLAGS}")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -std=c++11 -D_GNU_SOURCE ${MINGW_FLAG} ${STATIC_ASSERT_CPP_FLAG} ${WARNINGS} ${CXX_WARNINGS} ${ARCH_FLAG} ${COVERAGE_FLAGS} ${PIC_FLAG} ${CXX_SECURITY_FLAGS}")
|
||||
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${LD_SECURITY_FLAGS}")
|
||||
|
||||
# With GCC 6.1.1 the compiled binary malfunctions due to aliasing. Until that
|
||||
# is fixed in the code (Issue #847), force compiler to be conservative.
|
||||
|
@ -586,6 +665,7 @@ else()
|
|||
if(ANDROID AND NOT BUILD_GUI_DEPS STREQUAL "ON" OR IOS)
|
||||
#From Android 5: "only position independent executables (PIE) are supported"
|
||||
message(STATUS "Enabling PIE executable")
|
||||
set(PIC_FLAG "")
|
||||
set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE")
|
||||
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIE")
|
||||
set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -pie")
|
||||
|
@ -778,11 +858,7 @@ option(BUILD_GUI_DEPS "Build GUI dependencies." OFF)
|
|||
option(INSTALL_VENDORED_LIBUNBOUND "Install libunbound binary built from source vendored with this repo." OFF)
|
||||
|
||||
|
||||
include(CheckCCompilerFlag)
|
||||
|
||||
CHECK_C_COMPILER_FLAG(-std=c11 HAVE_C11)
|
||||
|
||||
include(CheckLibraryExists)
|
||||
|
||||
check_library_exists(c memset_s "string.h" HAVE_MEMSET_S)
|
||||
check_library_exists(c explicit_bzero "strings.h" HAVE_EXPLICIT_BZERO)
|
||||
|
|
14
cmake/CheckLinkerFlag.c
Normal file
14
cmake/CheckLinkerFlag.c
Normal file
|
@ -0,0 +1,14 @@
|
|||
#ifdef __CLASSIC_C__
|
||||
int main()
|
||||
{
|
||||
int ac;
|
||||
char* av[];
|
||||
#else
|
||||
int main(int ac, char* av[])
|
||||
{
|
||||
#endif
|
||||
if (ac > 1000) {
|
||||
return *av[0];
|
||||
}
|
||||
return 0;
|
||||
}
|
47
cmake/CheckLinkerFlag.cmake
Normal file
47
cmake/CheckLinkerFlag.cmake
Normal file
|
@ -0,0 +1,47 @@
|
|||
include(CheckCCompilerFlag)
|
||||
|
||||
macro(CHECK_LINKER_FLAG flag VARIABLE)
|
||||
if(NOT DEFINED "${VARIABLE}")
|
||||
if(NOT CMAKE_REQUIRED_QUIET)
|
||||
message(STATUS "Looking for ${flag} linker flag")
|
||||
endif()
|
||||
|
||||
set(_cle_source ${CMAKE_SOURCE_DIR}/cmake/CheckLinkerFlag.c)
|
||||
|
||||
set(saved_CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
|
||||
set(CMAKE_C_FLAGS "${flag}")
|
||||
try_compile(${VARIABLE}
|
||||
${CMAKE_BINARY_DIR}
|
||||
${_cle_source}
|
||||
COMPILE_DEFINITIONS ${CMAKE_REQUIRED_DEFINITIONS} ${flag}
|
||||
CMAKE_FLAGS
|
||||
OUTPUT_VARIABLE OUTPUT)
|
||||
unset(_cle_source)
|
||||
set(CMAKE_C_FLAGS ${saved_CMAKE_C_FLAGS})
|
||||
unset(saved_CMAKE_C_FLAGS)
|
||||
|
||||
if ("${OUTPUT}" MATCHES "warning.*ignored")
|
||||
set(${VARIABLE} 0)
|
||||
endif()
|
||||
|
||||
if(${VARIABLE})
|
||||
if(NOT CMAKE_REQUIRED_QUIET)
|
||||
message(STATUS "Looking for ${flag} linker flag - found")
|
||||
endif()
|
||||
set(${VARIABLE} 1 CACHE INTERNAL "Have linker flag ${flag}")
|
||||
file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeOutput.log
|
||||
"Determining if the ${flag} linker flag is supported "
|
||||
"passed with the following output:\n"
|
||||
"${OUTPUT}\n\n")
|
||||
else()
|
||||
if(NOT CMAKE_REQUIRED_QUIET)
|
||||
message(STATUS "Looking for ${flag} linker flag - not found")
|
||||
endif()
|
||||
set(${VARIABLE} "" CACHE INTERNAL "Have linker flag ${flag}")
|
||||
file(APPEND ${CMAKE_BINARY_DIR}${CMAKE_FILES_DIRECTORY}/CMakeError.log
|
||||
"Determining if the ${flag} linker flag is suppored "
|
||||
"failed with the following output:\n"
|
||||
"${OUTPUT}\n\n")
|
||||
endif()
|
||||
endif()
|
||||
endmacro()
|
1
external/db_drivers/liblmdb/CMakeLists.txt
vendored
1
external/db_drivers/liblmdb/CMakeLists.txt
vendored
|
@ -54,3 +54,4 @@ if(${ARCH_WIDTH} EQUAL 32)
|
|||
target_compile_definitions(lmdb
|
||||
PUBLIC -DMDB_VL32)
|
||||
endif()
|
||||
set_property(TARGET lmdb APPEND PROPERTY COMPILE_FLAGS "-fPIC")
|
||||
|
|
1
external/easylogging++/CMakeLists.txt
vendored
1
external/easylogging++/CMakeLists.txt
vendored
|
@ -54,4 +54,5 @@ if (BUILD_GUI_DEPS)
|
|||
ARCHIVE DESTINATION ${lib_folder}
|
||||
LIBRARY DESTINATION ${lib_folder})
|
||||
endif()
|
||||
set_property(TARGET easylogging APPEND PROPERTY COMPILE_FLAGS "-fPIC")
|
||||
|
||||
|
|
|
@ -29,9 +29,9 @@
|
|||
set(blocksdat "")
|
||||
if(PER_BLOCK_CHECKPOINT)
|
||||
if(APPLE)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
|
||||
else()
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
|
||||
endif()
|
||||
set(blocksdat "blocksdat.o")
|
||||
endif()
|
||||
|
|
|
@ -30,8 +30,8 @@ if(APPLE)
|
|||
add_library(blocks STATIC blockexports.c)
|
||||
set_target_properties(blocks PROPERTIES LINKER_LANGUAGE C)
|
||||
else()
|
||||
add_custom_command(OUTPUT blocks.o MAIN_DEPENDENCY blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocks.o blocks.dat)
|
||||
add_custom_command(OUTPUT testnet_blocks.o MAIN_DEPENDENCY testnet_blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/testnet_blocks.o testnet_blocks.dat)
|
||||
add_custom_command(OUTPUT blocks.o MAIN_DEPENDENCY blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocks.o blocks.dat)
|
||||
add_custom_command(OUTPUT testnet_blocks.o MAIN_DEPENDENCY testnet_blocks.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/testnet_blocks.o testnet_blocks.dat)
|
||||
add_library(blocks STATIC blocks.o testnet_blocks.o blockexports.c)
|
||||
set_target_properties(blocks PROPERTIES LINKER_LANGUAGE C)
|
||||
endif()
|
||||
|
|
|
@ -29,9 +29,9 @@
|
|||
set(blocksdat "")
|
||||
if(PER_BLOCK_CHECKPOINT)
|
||||
if(APPLE)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && touch stub.c && ${CMAKE_C_COMPILER} -o stub.o -c stub.c COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -sectcreate __DATA __blocks_dat ../blocks/checkpoints.dat -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o stub.o && rm -f stub.*)
|
||||
else()
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
|
||||
add_custom_command(OUTPUT blocksdat.o MAIN_DEPENDENCY ../blocks/checkpoints.dat COMMAND cd ${CMAKE_CURRENT_SOURCE_DIR} && cp ../blocks/checkpoints.dat blocks.dat && ${CMAKE_LINKER} ${LD_RAW_FLAGS} -r -b binary -o ${CMAKE_CURRENT_BINARY_DIR}/blocksdat.o blocks.dat && rm -f blocks.dat)
|
||||
endif()
|
||||
set(blocksdat "blocksdat.o")
|
||||
endif()
|
||||
|
|
|
@ -87,7 +87,7 @@ macro(config_compiler_and_linker)
|
|||
set(cxx_no_exception_flags "-D_HAS_EXCEPTIONS=0")
|
||||
set(cxx_no_rtti_flags "-GR-")
|
||||
elseif (CMAKE_COMPILER_IS_GNUCXX)
|
||||
set(cxx_base_flags "-Wall -Wshadow")
|
||||
set(cxx_base_flags "-Wall -Wshadow -fPIC")
|
||||
set(cxx_exception_flags "-fexceptions")
|
||||
set(cxx_no_exception_flags "-fno-exceptions")
|
||||
# Until version 4.3.2, GCC doesn't define a macro to indicate
|
||||
|
|
Loading…
Reference in a new issue