star-uvm

Spatial structuring of unstructured volumetric meshes
git clone git://git.meso-star.fr/star-uvm.git

commit e069e3da6b6345e916a941185b820851ecb9a3a0
parent 93c9500b098375c9912a61a8b6c44ec6c61fbcde
Author: Vincent Forest <vincent.forest@meso-star.com>
Date:   Wed, 11 Oct 2023 16:38:38 +0200

 Make generated binaries safer and more robust

 Define the CFLAGS_HARDENED and LDFLAGS_HARDENED macros, which list
 compiler and linker options that activate various hardening features
 aimed at increasing the security and robustness of generated binaries.

 The link editor options have all been available since at least ld 2.25.
 So you don't have to worry about compatibility issues.

 The compiler options are in fact some of those that will be enabled by
 the -fhardened option to be introduced in GCC 14. In the following, we
 list them and indicate the version of GCC from which they are documented
 in the manual, i.e. from which version of GCC they would appear to be
 available:

   -D_FORTIFY_SOURCE [GCC 5.5]
   -fcf-protection options [GCC 8.5]
   -fstack-protector-strong [GCC 6.5]
   -fstack-clash-protection [GCC 8.5]
   -ftrivial-auto-var-init [GCC 12.3]

 The latter, -ftrivial-auto-var-init, is too recent. To avoid any
 compatibility problems, we haven't activated it yet.

Diffstat:
MMakefile | 18+++++++++---------
Mconfig.mk | 17+++++++++++++++--
2 files changed, 24 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
@@ -45,7 +45,7 @@ build_library: .config $(DEP)
 $(DEP) $(OBJ): config.mk
 $(LIBNAME_SHARED): $(OBJ)
- $(CC) -std=c99 $(CFLAGS) $(DPDC_CFLAGS) -o $@ $(OBJ) $(LDFLAGS) $(SOFLAGS) $(DPDC_LIBS)
+ $(CC) -std=c99 $(CFLAGS_SO) $(DPDC_CFLAGS) -o $@ $(OBJ) $(LDFLAGS_SO) $(DPDC_LIBS)
 $(LIBNAME_STATIC): libsuvm.o
 $(AR) -rc $@ $?
@@ -64,10 +64,10 @@ libsuvm.o: $(OBJ)
 .SUFFIXES: .c .d .o
 .c.d:
- @$(CC) -std=c99 $(CFLAGS) $(DPDC_CFLAGS) -MM -MT "$(@:.d=.o) $@" $< -MF $@
+ @$(CC) -std=c99 $(CFLAGS_SO) $(DPDC_CFLAGS) -MM -MT "$(@:.d=.o) $@" $< -MF $@
 .c.o:
- $(CC) -std=c99 $(CFLAGS) $(DPDC_CFLAGS) -DSUVM_SHARED_BUILD -c $< -o $@
+ $(CC) -std=c99 $(CFLAGS_SO) $(DPDC_CFLAGS) -DSUVM_SHARED_BUILD -c $< -o $@
 ################################################################################
 # Installation
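Review bot: The rewritten `$(LIBNAME_SHARED)` link line in the -45 hunk no longer expands `$(LDFLAGS)`, and `LDFLAGS_SO` as defined in config.mk does not include it either, so linker flags supplied by a packager on the command line or through the environment (distribution hardening sets included) appear to be silently dropped. Appending it would keep that path open: `LDFLAGS_SO = $(LDFLAGS_$(BUILD_TYPE)) -shared -Wl,--no-undefined $(LDFLAGS)`. The `.c.d` and `.c.o` rules in the -64 hunk have the analogous gap for `CFLAGS`, which `CFLAGS_SO` no longer references. Whether `LDFLAGS` or `CFLAGS` is set elsewhere in config.mk is not visible from these hunks.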
@@ -151,24 +151,24 @@ clean_test:
 $(SHELL) make.sh clean_test $(TEST_SRC) src/suvm_voxelize.c
 $(TEST_DEP): config.mk suvm-local.pc
- @$(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SUVM_CFLAGS) \
+ @$(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SUVM_CFLAGS) \
 -MM -MT "$(@:.d=.o) $@" $(@:.d=.c) -MF $@
 src/suvm_voxelize.d: config.mk suvm-local.pc
- @$(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SUVM_CFLAGS) $(SMSH_CFLAGS) \
+ @$(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SUVM_CFLAGS) $(SMSH_CFLAGS) \
 -MM -MT "$(@:.d=.o) $@" $(@:.d=.c) -MF $@
 $(TEST_OBJ): config.mk suvm-local.pc
- $(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SUVM_CFLAGS) -c $(@:.o=.c) -o $@
+ $(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SUVM_CFLAGS) -c $(@:.o=.c) -o $@
 src/suvm_voxelize.o: config.mk suvm-local.pc
- $(CC) -std=c89 $(CFLAGS) $(RSYS_CFLAGS) $(SUVM_CFLAGS) $(SMSH_CFLAGS) -c $(@:.o=.c) -o $@
+ $(CC) -std=c89 $(CFLAGS_EXE) $(RSYS_CFLAGS) $(SUVM_CFLAGS) $(SMSH_CFLAGS) -c $(@:.o=.c) -o $@
 test_suvm_device \
 test_suvm_volume \
 test_suvm_primitive_intersection \
 : config.mk suvm-local.pc
- $(CC) -o $@ src/$@.o $(RSYS_LIBS) $(SUVM_LIBS) -lm
+ $(CC) $(CFLAGS_EXE) -o $@ src/$@.o $(LDFLAGS_EXE) $(RSYS_LIBS) $(SUVM_LIBS) -lm
 suvm_voxelize: config.mk suvm-local.pc
- $(CC) -o $@ src/$@.o $(RSYS_LIBS) $(SUVM_LIBS) $(SMSH_LIBS) -lm
+ $(CC) $(CFLAGS_EXE) -o $@ src/$@.o $(LDFLAGS_EXE) $(RSYS_LIBS) $(SUVM_LIBS) $(SMSH_LIBS) -lm
diff --git a/config.mk b/config.mk
@@ -51,21 +51,34 @@ WFLAGS =\
 -Wmissing-prototypes\
 -Wshadow
+CFLAGS_HARDENED =\
+ -D_FORTIFY_SOURCES=2\
+ -fcf-protection=full\
+ -fstack-clash-protection\
+ -fstack-protector-strong
+
 CFLAGS_COMMON =\
 -pedantic\
 -fPIC\
 -fvisibility=hidden\
 -fstrict-aliasing\
+ $(CFLAGS_HARDENED)\
 $(WFLAGS)
 CFLAGS_RELEASE = -O2 -DNDEBUG $(CFLAGS_COMMON)
 CFLAGS_DEBUG = -g $(CFLAGS_COMMON)
-CFLAGS = $(CFLAGS_$(BUILD_TYPE))
+CFLAGS_SO = $(CFLAGS_$(BUILD_TYPE)) -fPIC
+CFLAGS_EXE = $(CFLAGS_$(BUILD_TYPE)) -fPIE
 ################################################################################
 # Linker options
 ################################################################################
-SOFLAGS = -shared -Wl,--no-undefined
+LDFLAGS_HARDENED = -Wl,-z,relro,-z,now
+LDFLAGS_DEBUG = $(LDFLAGS_HARDENED)
+LDFLAGS_RELEASE = -s $(LDFLAGS_HARDENED)
+
+LDFLAGS_SO = $(LDFLAGS_$(BUILD_TYPE)) -shared -Wl,--no-undefined
+LDFLAGS_EXE = $(LDFLAGS_$(BUILD_TYPE)) -pie
 OCPFLAGS_DEBUG = --localize-hidden
 OCPFLAGS_RELEASE = --localize-hidden --strip-unneeded
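Review bot: `-D_FORTIFY_SOURCES=2` in `CFLAGS_HARDENED` defines a macro that the C library never tests; the feature macro is `_FORTIFY_SOURCE` (as the commit message itself spells it), so the fortified libc wrappers are not enabled by this flag set and nothing in the build reports it. The line should read `-D_FORTIFY_SOURCE=2\`. Once corrected, fortification only takes effect when optimisation is on, so `CFLAGS_DEBUG = -g $(CFLAGS_COMMON)` would get no checks and glibc may warn at `-O0`; defining it only in `CFLAGS_RELEASE`, or adding `-Og` to the debug flags, avoids that. Separately, `-fcf-protection=full` is, as far as I know, rejected by GCC on targets without CET support (non-x86), which deserves a comment next to the flag such as `# x86 only: drop -fcf-protection on other targets`.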