htpp

htrdr-image post-processing
git clone git://git.meso-star.fr/htpp.git
Log | Files | Refs | README | LICENSE
commit 2b7d7a60693067f4fe8a881662b01c96e5a0fd34
parent 2f3c8c3a36052316b1aa0cbde68ee8877c52524a
Author: Vincent Forest <vincent.forest@meso-star.com>
Date:   Mon, 25 Sep 2023 11:50:54 +0200

Make generated binaries safer and more robust

Define the CFLAGS_HARDENED and LDFLAGS_HARDENED macros, which list
compiler and linker options that activate various hardening features
aimed at increasing the security and robustness of generated binaries.

The link editor options have all been available since at least ld 2.25.
So you don't have to worry about compatibility issues.

The compiler options are in fact some of those that will be enabled by
the -fhardened option to be introduced in GCC 14. In the following, we
list them and indicate the version of GCC from which they are
documented in the manual, i.e. from which version of GCC they would
appear to be available:

  -D_FORTIFY_SOURCE [GCC 5.5]
  -fcf-protection options [GCC 8.5]
  -fPIE [GCC 4.7.4]
  -fstack-protector-strong [GCC 6.5]
  -fstack-clash-protection [GCC 8.5]
  -ftrivial-auto-var-init [GCC 12.3]

The latter, -ftrivial-auto-var-init, is too recent. To avoid any
compatibility problems, we haven't activated it yet.

Diffstat:

Mconfig.mk | 15+++++++++++++--


1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/config.mk b/config.mk
@@ -46,11 +46,20 @@ WFLAGS =\
  -Wmissing-prototypes\
  -Wshadow
 
+# Increase security/robustness of the generated binaries
+CFLAGS_HARDENED =\
+ -D_FORTIFY_SOURCES=2\
+ -fcf-protection=full\
+ -fPIE\
+ -fstack-clash-protection\
+ -fstack-protector-strong
+
 CFLAGS_COMMON =\
  -std=c89\
  -pedantic\
  -fvisibility=hidden\
  -fstrict-aliasing\
+ $(CFLAGS_HARDENED)\
  $(WFLAGS)
 
 CFLAGS_RELEASE = -O2 -DNDEBUG $(CFLAGS_COMMON)
@@ -60,6 +69,8 @@ CFLAGS = $(CFLAGS_$(BUILD_TYPE))
 ################################################################################
 # Linker options
 ################################################################################
-LDFLAGS_DEBUG =
-LDFLAGS_RELEASE = -s
+LDFLAGS_HARDENED = -pie -Wl,-z,relro,-z,now
+
+LDFLAGS_DEBUG = $(LDFLAGS_HARDENED)
+LDFLAGS_RELEASE = -s $(LDFLAGS_HARDENED)
 LDFLAGS = $(LDFLAGS_$(BUILD_TYPE))