star-stl

Load STereo Lithography (StL) file format
git clone git://git.meso-star.fr/star-stl.git

commit 0e2a7acbc6bf204b343f97c5eb31ac24da4c5240
parent 8a509a6d1ecfaec988340e01186b2f21d121930c
Author: Vincent Forest <vincent.forest@meso-star.com>
Date:   Wed, 18 Oct 2023 16:28:09 +0200

Make generated binaries safer and more robust

Define the CFLAGS_HARDENED and LDFLAGS_HARDENED macros, which list
compiler and linker options that activate various hardening features
aimed at increasing the security and robustness of generated binaries.

The link editor options have all been available since at least ld 2.25.
So you don't have to worry about compatibility issues.

The compiler options are in fact some of those that will be enabled by
the -fhardened option to be introduced in GCC 14. In the following, we
list them and indicate the version of GCC from which they are documented
in the manual, i.e. from which version of GCC they would appear to be
available:

  -D_FORTIFY_SOURCE [GCC 5.5]
  -fcf-protection options [GCC 8.5]
  -fstack-protector-strong [GCC 6.5]
  -fstack-clash-protection [GCC 8.5]
  -ftrivial-auto-var-init [GCC 12.3]

The latter, -ftrivial-auto-var-init, is too recent. To avoid any
compatibility problems, we haven't activated it yet.

Diffstat:
MMakefile | 37++++++++++++++++++-------------------
Mconfig.mk | 23+++++++++++++++++------
2 files changed, 35 insertions(+), 25 deletions(-)

diff --git a/Makefile b/Makefile @@ -40,7 +40,7 @@ build_library: .config $(DEP) $(DEP) $(OBJ): config.mk $(LIBNAME_SHARED): $(OBJ) - $(CC) -std=c99 $(CFLAGS) $(RSYS_CFLAGS) -o $@ $(OBJ) $(LDFLAGS) $(SOFLAGS) $(RSYS_LIBS) -lm + $(CC) -std=c99 $(CFLAGS_SO) $(RSYS_CFLAGS) -o $@ $(OBJ) $(LDFLAGS_SO) $(RSYS_LIBS) -lm $(LIBNAME_STATIC): libsstl.o $(AR) -rc $@ $? 
@@ -57,35 +57,33 @@ libsstl.o: $(OBJ) .SUFFIXES: .c .d .o .c.d: - @$(CC) -std=c99 $(CFLAGS) $(RSYS_CFLAGS) -MM -MT "$(@:.d=.o) $@" $< -MF $@ + @$(CC) -std=c99 $(CFLAGS_SO) $(RSYS_CFLAGS) -MM -MT "$(@:.d=.o) $@" $< -MF $@ .c.o: - $(CC) -std=c99 $(CFLAGS) $(RSYS_CFLAGS) -DSSTL_SHARED_BUILD -c $< -o $@ + $(CC) -std=c99 $(CFLAGS_SO) $(RSYS_CFLAGS) -DSSTL_SHARED_BUILD -c $< -o $@ ################################################################################ # Installation ################################################################################ pkg: - @echo "Setup sstl.pc" - @sed -e 's#@PREFIX@#$(PREFIX)#g' \ - -e 's#@VERSION@#$(VERSION)#g' \ - -e 's#@RSYS_VERSION@#$(RSYS_VERSION)#g' \ - sstl.pc.in > sstl.pc + sed -e 's#@PREFIX@#$(PREFIX)#g' \ + -e 's#@VERSION@#$(VERSION)#g' \ + -e 's#@RSYS_VERSION@#$(RSYS_VERSION)#g' \ + sstl.pc.in > sstl.pc sstl-local.pc: sstl.pc.in - @sed -e '1d'\ - -e 's#^includedir=.*#includedir=./src/#'\ - -e 's#^libdir=.*#libdir=./#'\ - -e 's#@VERSION@#$(VERSION)#g'\ - -e 's#@RSYS_VERSION@#$(RSYS_VERSION)#g' \ - sstl.pc.in > $@ + sed -e '1d'\ + -e 's#^includedir=.*#includedir=./src/#'\ + -e 's#^libdir=.*#libdir=./#'\ + -e 's#@VERSION@#$(VERSION)#g'\ + -e 's#@RSYS_VERSION@#$(RSYS_VERSION)#g' \ + sstl.pc.in > $@ install: build_library pkg @$(SHELL) make.sh install "$(DESTDIR)$(PREFIX)/lib" $(LIBNAME) @$(SHELL) make.sh install "$(DESTDIR)$(PREFIX)/lib/pkgconfig" sstl.pc @$(SHELL) make.sh install "$(DESTDIR)$(PREFIX)/include/star" src/sstl.h - @$(SHELL) make.sh install "$(DESTDIR)$(PREFIX)/share/doc/star-stl"\ - COPYING README.md + @$(SHELL) make.sh install "$(DESTDIR)$(PREFIX)/share/doc/star-stl" COPYING README.md uninstall: rm -f $(DESTDIR)$(PREFIX)/lib/$(LIBNAME) 
@@ -136,10 +134,11 @@ clean_test: $(SHELL) make.sh clean_test $(TEST_SRC) $(TEST_DEP): config.mk sstl-local.pc - @$(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SSTL_CFLAGS) -MM -MT "$(@:.d=.o) $@" $(@:.d=.c) -MF $@ + @$(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SSTL_CFLAGS) \ + -MM -MT "$(@:.d=.o) $@" $(@:.d=.c) -MF $@ $(TEST_OBJ): config.mk sstl-local.pc - $(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SSTL_CFLAGS) -c $(@:.o=.c) -o $@ + $(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SSTL_CFLAGS) -c $(@:.o=.c) -o $@ test_sstl test_sstl_load: config.mk sstl-local.pc - $(CC) -o $@ src/$@.o $(RSYS_LIBS) $(SSTL_LIBS) -lm + $(CC) -std=c89 $(CFLAGS_EXE) -o $@ src/$@.o $(LDFLAGS_EXE) $(RSYS_LIBS) $(SSTL_LIBS) -lm diff --git a/config.mk b/config.mk @@ -39,26 +39,37 @@ WFLAGS =\ -Wmissing-prototypes\ -Wshadow +CFLAGS_HARDENED =\ + -D_FORTIFY_SOURCES=2\ + -fcf-protection=full\ + -fstack-clash-protection\ + -fstack-protector-strong + CFLAGS_COMMON=\ -pedantic\ - -fPIC\ -fvisibility=hidden\ -fstrict-aliasing\ + $(CFLAGS_HARDENED)\ $(WFLAGS) -CFLAGS_RELEASE = -O2 -DNDEBUG $(CFLAGS_COMMON) CFLAGS_DEBUG = -g $(CFLAGS_COMMON) +CFLAGS_RELEASE = -O2 -DNDEBUG $(CFLAGS_COMMON) CFLAGS = $(CFLAGS_$(BUILD_TYPE)) +CFLAGS_SO = $(CFLAGS) -fPIC +CFLAGS_EXE = $(CFLAGS) -fPIE + ################################################################################ # Linker options ################################################################################ -SOFLAGS = -shared -Wl,--no-undefined - -LDFLAGS_DEBUG = -LDFLAGS_RELEASE = -s +LDFLAGS_HARDENED = -Wl,-z,relro,-z,now +LDFLAGS_DEBUG = $(LDFLAGS_HARDENED) +LDFLAGS_RELEASE = -s $(LDFLAGS_HARDENED) LDFLAGS = $(LDFLAGS_$(BUILD_TYPE)) +LDFLAGS_SO = $(LDFLAGS) -shared -Wl,--no-undefined +LDFLAGS_EXE = $(LDFLAGS) -pie + OCPFLAGS_DEBUG = --localize-hidden OCPFLAGS_RELEASE = --localize-hidden --strip-unneeded OCPFLAGS = $(OCPFLAGS_$(BUILD_TYPE))
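Review bot: In the config.mk hunk, the first entry of `CFLAGS_HARDENED` is spelled `-D_FORTIFY_SOURCES=2`, but the macro the C library tests is `_FORTIFY_SOURCE` (as the commit message itself writes it), so this defines an unused macro and the fortified libc wrappers are never enabled; the line should read `-D_FORTIFY_SOURCE=2\`. Once corrected, `CFLAGS_DEBUG` is still `-g $(CFLAGS_COMMON)` with no `-O` level, and glibc applies fortification only when optimization is on (it warns otherwise), so debug builds would remain unfortified. `-fcf-protection=full` is also added unconditionally; GCC documents it as an x86 feature, so builds for other targets may reject it, which is worth guarding if non-x86 builds are supported. Nothing in the visible rules verifies that the hardening took effect, which is presumably how the misspelling went unnoticed; a check of the built library for `__*_chk` symbols and the `BIND_NOW` dynamic flag would catch this kind of silent miss.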