-rw-r--r--build_external/clean-install-arch-debug.Dockerfile4
-rw-r--r--build_external/clean-install-arch-extras.Dockerfile4
-rw-r--r--build_external/clean-install-arch.Dockerfile4
-rw-r--r--build_external/clean-install.Dockerfile4
-rw-r--r--configure.ac78
-rwxr-xr-xpackaging/makeself/jobs/70-netdata-git.install.sh2
6 files changed, 86 insertions, 10 deletions
diff --git a/build_external/clean-install-arch-debug.Dockerfile b/build_external/clean-install-arch-debug.Dockerfile
index 046b144f65..5a67bfbc39 100644
--- a/build_external/clean-install-arch-debug.Dockerfile
+++ b/build_external/clean-install-arch-debug.Dockerfile
@@ -45,8 +45,8 @@ RUN rm -rf autom4te.cache
RUN rm -rf .git/
RUN find . -type f >/opt/netdata/manifest
-RUN CFLAGS="-Og -g -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -DNETDATA_INTERNAL_CHECKS=1\
- -D_FORTIFY_SOURCE=2 -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --require-cloud --disable-lto
+RUN CFLAGS="-Og -g -ggdb -Wall -Wextra -Wformat-signedness -DNETDATA_INTERNAL_CHECKS=1\
+ -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --require-cloud --disable-lto
RUN ln -sf /dev/stdout /var/log/netdata/access.log
RUN ln -sf /dev/stdout /var/log/netdata/debug.log
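Review bot: Dropping `-fstack-protector-all` from the debug CFLAGS at the new RUN line lowers stack-protector coverage for these images, since the replacement in configure.ac probes `-fstack-protector-strong` (which instruments only functions with local arrays or address-taken locals) rather than `-all`; the same applies to the other three Dockerfiles and to the `NETDATA_BUILD_WITH_DEBUG` branch of `packaging/makeself/jobs/70-netdata-git.install.sh`. If the debug builds are meant to keep maximal instrumentation, keep the flag here explicitly, e.g. `RUN CFLAGS="-Og -g -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -DNETDATA_INTERNAL_CHECKS=1\`, which configure's `originalCFLAGS` guard is designed to respect; if the reduction is intended, a one-line comment above the RUN saying that hardening flags now come from configure would save the next reader a search. Whether the installer forwards this CFLAGS value into configure's `originalCFLAGS` is inferred from the variable name, not visible in this hunk.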
diff --git a/build_external/clean-install-arch-extras.Dockerfile b/build_external/clean-install-arch-extras.Dockerfile
index 1d18f7a661..8c6f4fbaa2 100644
--- a/build_external/clean-install-arch-extras.Dockerfile
+++ b/build_external/clean-install-arch-extras.Dockerfile
@@ -45,8 +45,8 @@ RUN rm -rf autom4te.cache
RUN rm -rf .git/
RUN find . -type f >/opt/netdata/manifest
-RUN CFLAGS="-Og -g -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -DNETDATA_INTERNAL_CHECKS=1\
- -D_FORTIFY_SOURCE=2 -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --require-cloud --disable-lto
+RUN CFLAGS="-Og -g -ggdb -Wall -Wextra -Wformat-signedness -DNETDATA_INTERNAL_CHECKS=1\
+ -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --require-cloud --disable-lto
RUN ln -sf /dev/stdout /var/log/netdata/access.log
RUN ln -sf /dev/stdout /var/log/netdata/debug.log
diff --git a/build_external/clean-install-arch.Dockerfile b/build_external/clean-install-arch.Dockerfile
index 92bd2c6758..d4d0d47061 100644
--- a/build_external/clean-install-arch.Dockerfile
+++ b/build_external/clean-install-arch.Dockerfile
@@ -44,8 +44,8 @@ RUN rm -rf autom4te.cache
RUN rm -rf .git/
RUN find . -type f >/opt/netdata/manifest
-RUN CFLAGS="-O1 -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -DNETDATA_INTERNAL_CHECKS=1\
- -D_FORTIFY_SOURCE=2 -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --disable-lto
+RUN CFLAGS="-O1 -ggdb -Wall -Wextra -Wformat-signedness -DNETDATA_INTERNAL_CHECKS=1\
+ -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --disable-lto
RUN ln -sf /dev/stdout /var/log/netdata/access.log
RUN ln -sf /dev/stdout /var/log/netdata/debug.log
diff --git a/build_external/clean-install.Dockerfile b/build_external/clean-install.Dockerfile
index 18586e8974..bf63a5599e 100644
--- a/build_external/clean-install.Dockerfile
+++ b/build_external/clean-install.Dockerfile
@@ -26,8 +26,8 @@ RUN rm -rf autom4te.cache
RUN rm -rf .git/
RUN find . -type f >/opt/netdata/manifest
-RUN CFLAGS="-O1 -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -DNETDATA_INTERNAL_CHECKS=1\
- -D_FORTIFY_SOURCE=2 -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --disable-lto
+RUN CFLAGS="-O1 -ggdb -Wall -Wextra -Wformat-signedness -DNETDATA_INTERNAL_CHECKS=1\
+ -DNETDATA_VERIFY_LOCKS=1 ${EXTRA_CFLAGS}" ./netdata-installer.sh --disable-lto
RUN ln -sf /dev/stdout /var/log/netdata/access.log
RUN ln -sf /dev/stdout /var/log/netdata/debug.log
diff --git a/configure.ac b/configure.ac
index 7aeb7bedb1..143f0576e1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -378,6 +378,82 @@ AM_CONDITIONAL([LINUX], [test "${build_target}" = "linux"])
AC_MSG_RESULT([Host OS: ${build_target}])
# -----------------------------------------------------------------------------
+# hardening
+
+HARDENING_CFLAGS=""
+
+if ! echo "${originalCFLAGS}" | grep -q '-fstack-protector'; then
+ AX_CHECK_COMPILE_FLAG(
+ [-fstack-protector-strong],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -fstack-protector-strong"],
+ [AX_CHECK_COMPILE_FLAG(
+ [-fstack-protector],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -fstack-protector"],
+ ,
+ [-Werror],
+ )],
+ [-Werror],
+ )
+fi
+
+if ! echo "${originalCFLAGS}" | grep -q '-fno-stack-clash-protection'; then
+ AX_CHECK_COMPILE_FLAG(
+ [-fstack-clash-protection],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -fstack-clash-protection"],
+ ,
+ [-Werror],
+ )
+fi
+
+if ! echo "${originalCFLAGS}" | grep -q '-fcf-protection'; then
+ AX_CHECK_COMPILE_FLAG(
+ [-fcf-protection=full],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -fcf-protection=full"],
+ ,
+ [-Werror],
+ )
+fi
+
+if ! echo "${originalCFLAGS}" | grep -q '-mbranch-protection'; then
+ AX_CHECK_COMPILE_FLAG(
+ [-mbranch-protection=standard],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -mbranch-protection=standard"],
+ ,
+ [-Werror],
+ )
+fi
+
+if ! echo "${originalCFLAGS}" | grep -q '-D_FORTIFY_SOURCE'; then
+ # This complex set of checks is needed because there is no clean
+ # way to verify _FORTIFY_SOURCE support without having to check for
+ # the required compiler builtins.
+ AC_CHECK_DECLS(
+ [__builtin_constant_p, __builtin_object_size, __builtin___memcpy_chk, __builtin___memmove_chk, __builtin___mempcpy_chk,
+ __builtin___memset_chk, __builtin___snprintf_chk, __builtin___sprintf_chk, __builtin___stpcpy_chk, __builtin___strcat_chk,
+ __builtin___strcpy_chk, __builtin___strncat_chk, __builtin___strncpy_chk, __builtin___vsnprintf_chk, __builtin___vsprintf_chk],
+ [HAVE_FORTIFY_SOURCE=2]
+ )
+
+ if test "x${HAVE_FORTIFY_SOURCE}" = "x2"; then
+ AC_CHECK_DECL(
+ __builtin_dynamic_object_size,
+ [AX_CHECK_COMPILE_FLAG(
+ [-D_FORTIFY_SOURCE=3],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -D_FORTIFY_SOURCE=3"],
+ ,
+ [-Werror],
+ )],
+ [AX_CHECK_COMPILE_FLAG(
+ [-D_FORTIFY_SOURCE=2],
+ [HARDENING_CFLAGS="${HARDENING_CFLAGS} -D_FORTIFY_SOURCE=2"],
+ ,
+ [-Werror],
+ )],
+ )
+ fi
+fi
+
+# -----------------------------------------------------------------------------
# backtrace
AC_SEARCH_LIBS([backtrace], [execinfo], [AC_DEFINE([HAVE_BACKTRACE], [1], [backtrace availability])])
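Review bot: Every guard in this hunk (`grep -q '-fstack-protector'`, and the same shape for `-fno-stack-clash-protection`, `-fcf-protection`, `-mbranch-protection`, `-D_FORTIFY_SOURCE`) passes a pattern that starts with `-`, so grep parses it as an option (`-f stack-protector`, `-m branch-protection`, `-D _FORTIFY_SOURCE`), fails with a usage error, and the negated condition is always true. The practical effect is that a user-supplied `-fstack-protector-all` or `-D_FORTIFY_SOURCE=2` does not suppress the probe, and because the second hunk appends `${HARDENING_CFLAGS}` after `${originalCFLAGS}` the configure-chosen value wins on the command line, with a macro-redefinition warning in the FORTIFY case. Use an explicit end of options in each guard: `if ! echo "${originalCFLAGS}" | grep -q -- '-fstack-protector'; then` (or `grep -qe`), and prefer `printf '%s\n' "${originalCFLAGS}"` over `echo` for a value that may itself begin with a dash. It is also worth confirming in config.log that `AC_CHECK_DECLS` reports the `__builtin_*` names as declared; as far as I recall, a bare `(void) __builtin_constant_p;` reference is rejected by GCC, which would leave `HAVE_FORTIFY_SOURCE` unset and silently skip `_FORTIFY_SOURCE` on every build.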
@@ -1724,7 +1800,7 @@ CFLAGS="${originalCFLAGS} ${OPTIONAL_LTO_CFLAGS} ${OPTIONAL_PROTOBUF_CFLAGS} ${O
${OPTIONAL_LIBCAP_CFLAGS} ${OPTIONAL_IPMIMONITORING_CFLAGS} ${OPTIONAL_CUPS_CFLAGS} ${OPTIONAL_XENSTAT_FLAGS} \
${OPTIONAL_KINESIS_CFLAGS} ${OPTIONAL_PUBSUB_CFLAGS} ${OPTIONAL_PROMETHEUS_REMOTE_WRITE_CFLAGS} \
${OPTIONAL_MONGOC_CFLAGS} ${LWS_CFLAGS} ${OPTIONAL_JSONC_STATIC_CFLAGS} ${OPTIONAL_YAML_STATIC_CFLAGS} ${OPTIONAL_BPF_CFLAGS} ${JUDY_CFLAGS} \
- ${OPTIONAL_ACLK_CFLAGS} ${OPTIONAL_ML_CFLAGS} ${OPTIONAL_OS_DEP_CFLAGS} ${HTTPD_CFLAGS}"
+ ${OPTIONAL_ACLK_CFLAGS} ${OPTIONAL_ML_CFLAGS} ${OPTIONAL_OS_DEP_CFLAGS} ${HTTPD_CFLAGS} ${HARDENING_CFLAGS}"
CXXFLAGS="${CFLAGS} ${OPTIONAL_KINESIS_CXXFLAGS} ${CPP_STD_FLAG}"
diff --git a/packaging/makeself/jobs/70-netdata-git.install.sh b/packaging/makeself/jobs/70-netdata-git.install.sh
index 2448a0c2b9..3c3d44515f 100755
--- a/packaging/makeself/jobs/70-netdata-git.install.sh
+++ b/packaging/makeself/jobs/70-netdata-git.install.sh
@@ -9,7 +9,7 @@ cd "${NETDATA_SOURCE_PATH}" || exit 1
if [ "${NETDATA_BUILD_WITH_DEBUG}" -eq 0 ]; then
export CFLAGS="-static -O2 -I/openssl-static/include -I/libnetfilter-acct-static/include/libnetfilter_acct -I/usr/include/libmnl -pipe"
else
- export CFLAGS="-static -O1 -pipe -ggdb -Wall -Wextra -Wformat-signedness -fstack-protector-all -D_FORTIFY_SOURCE=2 -DNETDATA_INTERNAL_CHECKS=1 -I/openssl-static/include -I/libnetfilter-acct-static/include/libnetfilter_acct -I/usr/include/libmnl"
+ export CFLAGS="-static -O1 -pipe -ggdb -Wall -Wextra -Wformat-signedness -DNETDATA_INTERNAL_CHECKS=1 -I/openssl-static/include -I/libnetfilter-acct-static/include/libnetfilter_acct -I/usr/include/libmnl"
fi
export LDFLAGS="-static -L/openssl-static/lib -L/libnetfilter-acct-static/lib -lnetfilter_acct -L/usr/lib -lmnl"