config_host.mk.in | 3 + configure.ac | 62 ++++++++++++++++++++++++++++++++- distro-configs/CPLinux-LOKit.conf | 1 distro-configs/CPLinux.conf | 1 solenv/gbuild/platform/com_GCC_defs.mk | 6 ++- 5 files changed, 71 insertions(+), 2 deletions(-)
New commits: commit 33483058f6e27f39633114721f7329c90571101d Author: Caolán McNamara <[email protected]> AuthorDate: Tue Feb 13 15:17:48 2024 +0000 Commit: Caolán McNamara <[email protected]> CommitDate: Thu Apr 18 14:34:09 2024 +0200 add --enable-hardening-flags to enable compiler hardening flags distros typically have their own set via C[XX]FLAGS, so make this an optional argument Change-Id: Ib05387bad8324b188bd4ed0ee327d6a7cf83973b Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163312 Tested-by: Jenkins CollaboraOffice <[email protected]> Reviewed-by: Andras Timar <[email protected]>
diff --git a/config_host.mk.in b/config_host.mk.in
index 2a1691a09c8e..df9aa13a925e 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -180,6 +180,9 @@ export ENABLE_GTK3=@ENABLE_GTK3@
 export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
+export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_CFLAGS=@HARDENING_CFLAGS@
+export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
 export ENABLE_HTMLHELP=@ENABLE_HTMLHELP@
 export ENABLE_JAVA=@ENABLE_JAVA@
diff --git a/configure.ac b/configure.ac
index 24daca98d8a2..507f473c34a3 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1910,6 +1910,13 @@ libo_FUZZ_ARG_ENABLE(release-build,
 See https://wiki.documentfoundation.org/Development/DevBuild]),
 ,)
+libo_FUZZ_ARG_ENABLE(hardening-flags,
+ AS_HELP_STRING([--enable-hardening-flags],
+ [Enable automatically using hardening compiler flags. Distros should typically
+ use their default configuration via CXXFLAGS, etc. But this provides a
+ convenient default set of hardening flags]),
+,)
+
 AC_ARG_ENABLE(windows-build-signing,
 AS_HELP_STRING([--enable-windows-build-signing],
 [Enable signing of windows binaries (*.exe, *.dll)]),
@@ -2931,6 +2938,19 @@ fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
 AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
+dnl ===================================================================
+dnl Test whether build should auto use hardening compiler flags
+dnl ===================================================================
+AC_MSG_CHECKING([whether build should auto use hardening compiler flags])
+if test "$enable_hardening_flags" = "" -o "$enable_hardening_flags" = "no"; then
+ AC_MSG_RESULT([no])
+ ENABLE_HARDENING_FLAGS=
+else
+ AC_MSG_RESULT([yes])
+ ENABLE_HARDENING_FLAGS=TRUE
+fi
+AC_SUBST(ENABLE_HARDENING_FLAGS)
+
 AC_MSG_CHECKING([whether to build a Community flavor])
 if test -z "$enable_community_flavor" -o "$enable_community_flavor" = "yes"; then
 AC_DEFINE(HAVE_FEATURE_COMMUNITY_FLAVOR)
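Review bot: The new block answers "yes" and sets ENABLE_HARDENING_FLAGS=TRUE before any flag has been probed, so a build configured with --enable-hardening-flags can still end up with an empty or partial HARDENING_CFLAGS (a compiler that is neither GCC nor Clang, or a probe that prints "no") and nothing warns about it. The distro configs in this commit now rely on the switch, so a silent downgrade is worth surfacing after the probes in the GCC features section, for example `test "$ENABLE_HARDENING_FLAGS" = TRUE -a -z "$HARDENING_CFLAGS" && AC_MSG_WARN([--enable-hardening-flags given but no hardening flags were detected])`. A short `dnl` line here saying that the flags themselves are chosen in the GCC features section would also help the next reader.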
@@ -7356,13 +7376,51 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_CFLAGS=
+HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+ AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -grecord-gcc-switches"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -D_FORTIFY_SOURCE=2])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_OPT_CFLAGS="$HARDENING_OPT_CFLAGS -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -D_GLIBCXX_ASSERTIONS])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -Wp,-D_GLIBCXX_ASSERTIONS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
 AC_MSG_CHECKING([whether $CC_BASE supports -fstack-clash-protection])
 save_CFLAGS=$CFLAGS
 CFLAGS="$CFLAGS -Werror -fstack-clash-protection"
 AC_LINK_IFELSE(
 [AC_LANG_PROGRAM(, [[return 0;]])],
- [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE],
+ [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE; HARDENING_CFLAGS="$HARDENING_CFLAGS -fstack-clash-protection"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -fcf-protection])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -fcf-protection"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -fcf-protection"],
 [AC_MSG_RESULT([no])])
 CFLAGS=$save_CFLAGS
@@ -7516,6 +7574,8 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_CFLAGS)
+AC_SUBST(HARDENING_OPT_CFLAGS)
 dnl ===================================================================
 dnl Identify the C++ library
diff --git a/distro-configs/CPLinux-LOKit.conf b/distro-configs/CPLinux-LOKit.conf
index c82c9fc549ad..1bc39d0c9152 100644
--- a/distro-configs/CPLinux-LOKit.conf
+++ b/distro-configs/CPLinux-LOKit.conf
@@ -1,3 +1,4 @@
+--enable-hardening-flags
 --enable-mpl-subset
 --with-vendor=Collabora
 --disable-community-flavor
diff --git a/distro-configs/CPLinux.conf b/distro-configs/CPLinux.conf
index 25ec8dc87f68..370d564309fb 100644
--- a/distro-configs/CPLinux.conf
+++ b/distro-configs/CPLinux.conf
@@ -1,6 +1,7 @@
 --with-vendor=Collabora
 --disable-community-flavor
 --with-branding=icon-themes/galaxy/brand_cp
+--enable-hardening-flags
 --with-system-dicts
 --with-myspell-dicts
 --with-system-zlib
diff --git a/solenv/gbuild/platform/com_GCC_defs.mk b/solenv/gbuild/platform/com_GCC_defs.mk
index 7ea7a16461e3..b064a75d38b9 100644
--- a/solenv/gbuild/platform/com_GCC_defs.mk
+++ b/solenv/gbuild/platform/com_GCC_defs.mk
@@ -38,7 +38,9 @@ endif
 gb_COMPILER_SETUP :=
 ifeq ($(strip $(gb_COMPILEROPTFLAGS)),)
-gb_COMPILEROPTFLAGS := -O2
+gb_COMPILEROPTFLAGS := \
+ -O2 -mtune=generic \
+ $(if $(HARDENING_OPT_CFLAGS),$(HARDENING_OPT_CFLAGS))
 endif
 gb_AFLAGS := $(AFLAGS)
@@ -75,6 +77,7 @@ gb_CFLAGS_COMMON := \
 -fmessage-length=0 \
 -fno-common \
 -pipe \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 $(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 gb_CXXFLAGS_COMMON := \
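Review bot: In the configure.ac GCC-features hunk, the probes for `-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2` and `-Wp,-D_GLIBCXX_ASSERTIONS` link an empty C program that includes no headers, so a "yes" only shows that the driver accepts a `-Wp,-D…` option, not that the C or C++ library acts on the macro. _GLIBCXX_ASSERTIONS is a libstdc++ macro and the C++ library is only identified in the section that follows, so a libc++ build would presumably report "yes" and get no container assertions. I would say so in a comment above that probe, e.g. `dnl _GLIBCXX_ASSERTIONS only affects libstdc++; this probe checks option syntax, not library support`. -fcf-protection is an x86 feature and the hunk has no counterpart probe for other architectures, so the resulting flag set differs by target. The enclosing `if test "$GCC" = "yes" …` block continues outside the hunk.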
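Review bot: In the first com_GCC_defs.mk hunk, the new gb_COMPILEROPTFLAGS default adds HARDENING_OPT_CFLAGS without testing ENABLE_HARDENING_FLAGS, while gb_CFLAGS_COMMON and gb_CXXFLAGS_COMMON do test it. As far as the configure.ac hunk shows, HARDENING_OPT_CFLAGS is filled for every GCC/Clang build, so `_FORTIFY_SOURCE=2` is applied even without the switch, which does not match the "optional argument" in the commit message. If opt-in is intended the line should read `$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_OPT_CFLAGS))`; as written, `$(if X,X)` is just `X`. The assignment sits inside `ifeq ($(strip $(gb_COMPILEROPTFLAGS)),)`, so a build that presets gb_COMPILEROPTFLAGS gets no _FORTIFY_SOURCE even with the switch on. `-mtune=generic` is added for every build although the commit message does not mention it, and both points deserve a comment.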
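Review bot: HARDENING_CFLAGS is appended to gb_CFLAGS_COMMON in the second com_GCC_defs.mk hunk and to gb_CXXFLAGS_COMMON in the hunk after it, but configure.ac appears to probe each flag through CFLAGS with the C compiler only. The C++ side is therefore assumed rather than checked, and C sources receive `-Wp,-D_GLIBCXX_ASSERTIONS`, which has no meaning for them. A comment above the added line would explain the split between the two variables, e.g. `# flags probed by configure, used only with --enable-hardening-flags; _FORTIFY_SOURCE is kept in gb_COMPILEROPTFLAGS since it only takes effect with optimization`. Both variable definitions start and end outside their hunks.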
@@ -91,6 +94,7 @@ gb_CXXFLAGS_COMMON := \
 -fmessage-length=0 \
 -fno-common \
 -pipe \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 $(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 ifeq ($(HAVE_WDEPRECATED_COPY_DTOR),TRUE)
