authorAustin S. Hemmelgarn <austin@netdata.cloud>2024-01-04 08:30:29 -0500
committerGitHub <noreply@github.com>2024-01-04 08:30:29 -0500
commitb536fef45cc6f7726289e106077c2f9388d72940 (patch)
tree3187089ad71e0acd5201453f16864a27bce2b1a5 /CMakeLists.txt
parent4ea0f4650bd6d8fd6ede88b97914a70109d396e5 (diff)
Add extra build flags to CMakeLists.txt. (#16641)
* Add stack-protector flag handling. * Add stack clash protection flag. * Add CFI flag * Only add flags that are not already in the compiler flags. * Add branch protection flag. * Add fortify source options. * Add function/data section flags. * Fix inclusion of hardening flags. Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud> --------- Co-authored-by: Ilya Mashchenko <ilya@netdata.cloud>
Diffstat (limited to 'CMakeLists.txt')
-rw-r--r--CMakeLists.txt85
1 files changed, 85 insertions, 0 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index 162545c725..42dd32cba1 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -109,6 +109,91 @@ option(ENABLE_BUNDLED_PROTOBUF "enable bundled protobuf" False)
option(ENABLE_LOGS_MANAGEMENT_TESTS "enable logs management tests" True)
#
+# handling of extra compiler flags
+#
+
+include(CheckCCompilerFlag)
+
+option(DISABLE_HARDENING "disable adding extra compiler flags for hardening" False)
+
+set(EXTRA_HARDENING_FLAGS "")
+
+if(NOT ${DISABLE_HARDENING})
+ if(NOT ${CMAKE_C_FLAGS} MATCHES "stack-protector")
+ check_c_compiler_flag("-fstack-protector-strong" HAVE_STACK_PROTECTOR_STRONG_FLAG)
+ if(HAVE_STACK_PROTECTOR_STRONG_FLAG)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -fstack-protector-strong")
+ else()
+ check_c_compiler_flag("-fstack-protector" HAVE_STACK_PROTECTOR)
+ if(HAVE_STACK_PROTECTOR)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -fstack-protector")
+ endif()
+ endif()
+ endif()
+
+ if(NOT ${CMAKE_C_FLAGS} MATCHES "stack-clash-protection")
+ check_c_compiler_flag("-fstack-clash-protection", HAVE_STACK_CLASH_FLAG)
+ if(HAVE_STACK_CLASH_FLAG)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -fstack-clash-protection")
+ endif()
+ endif()
+
+ if(NOT ${CMAKE_C_FLAGS} MATCHES "-fcf-protection")
+ check_c_compiler_flag("-fcf-protection=full" HAVE_CFI_FLAG)
+ if(HAVE_CFI_FLAG)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -fcf-protection=full")
+ endif()
+ endif()
+
+ if(NOT ${CMAKE_C_FLAGS} MATCHES "branch-protection")
+ check_c_compiler_flag("-mbranch-protection=standard" HAVE_BRANCH_PROT_FLAG)
+ if(HAVE_BRANCH_PROT_FLAG)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -mbranch-protection=standard")
+ endif()
+ endif()
+
+ if(NOT ${CMAKE_C_FLAGS} MATCHES "_FORTIFY_SOURCE")
+ check_c_compiler_flag("-D_FORTIFY_SOURCE=3" HAVE_FORTIFY_SOURCE_3)
+ if(HAVE_FORTIFY_SOURCE_3)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -D_FRTIFY_SOURCE=3")
+ else()
+ check_c_compiler_flag("-D_FORTIFY_SOURCE=2" HAVE_FORTIFY_SOURCE_2)
+ if(HAVE_FORTIFY_SOURCE_2)
+ set(EXTRA_HARDENING_FLAGS "${EXTRA_HARDENING_FLAGS} -D_FRTIFY_SOURCE=2")
+ endif()
+ endif()
+ endif()
+endif()
+
+set(EXTRA_OPT_FLAGS "")
+
+if(NOT ${CMAKE_C_FLAGS} MATCHES "function-sections")
+ check_c_compiler_flag("-ffunction-sections" HAVE_FUNCTION_SECTIONS)
+ if(HAVE_FUNCTION_SECTIONS)
+ set(EXTRA_OPT_FLAGS "${EXTRA_OPT_FLAGS} -ffunction-sections")
+ endif()
+endif()
+
+if(NOT ${CMAKE_C_FLAGS} MATCHES "data-sections")
+ check_c_compiler_flag("-fdata-sections" HAVE_DATA_SECTIONS)
+ if(HAVE_DATA_SECTIONS)
+ set(EXTRA_OPT_FLAGS "${EXTRA_OPT_FLAGS} -fdata-sections")
+ endif()
+endif()
+
+set(CMAKE_C_FLAGS_RELEASE "${CMAKE_C_FLAGS_RELEASE} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+
+set(CMAKE_C_FLAGS_DEBUG "${CMAKE_C_FLAGS_DEBUG} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+set(CMAKE_CXX_FLAGS_DEBUG "${CMAKE_CXX_FLAGS_DEBUG} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+
+set(CMAKE_C_FLAGS_RELWITHDEBINFO "${CMAKE_C_FLAGS_RELWITHDEBINFO} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+set(CMAKE_CXX_FLAGS_RELWITHDEBINFO "${CMAKE_CXX_FLAGS_RELWITHDEBINFO} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+
+set(CMAKE_C_FLAGS_MINSIZEREL "${CMAKE_C_FLAGS_MINSIZEREL} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+set(CMAKE_CXX_FLAGS_MINSIZEREL "${CMAKE_CXX_FLAGS_MINSIZEREL} ${EXTRA_HARDENING_FLAGS} ${EXTRA_OPT_FLAGS}")
+
+#
# detect OS
#
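Review bot: The two `set()` calls in the fortify branch append `-D_FRTIFY_SOURCE=3` and `-D_FRTIFY_SOURCE=2`, so the build defines a macro nothing reads and fortified libc wrappers stay off even when the probe succeeds; both should spell `-D_FORTIFY_SOURCE=...`. The stack-clash probe has a stray comma after its first argument, `check_c_compiler_flag("-fstack-clash-protection", HAVE_STACK_CLASH_FLAG)`, which most likely leaves `HAVE_STACK_CLASH_FLAG` unset so that flag is never added either; drop the comma. Every guard expands `${CMAKE_C_FLAGS}` unquoted, and when that variable is empty the condition loses its left operand, so `if(NOT "${CMAKE_C_FLAGS}" MATCHES "stack-protector")` is the safer form for each of them. A `-D` option passes `check_c_compiler_flag` regardless of libc support, and the result is also appended to `CMAKE_C_FLAGS_DEBUG`, where an unoptimized build would presumably trigger glibc's "requires compiling with optimization" warning, so a comment or a Debug exclusion there would help.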