This is an automated email from the git hooks/post-receive script.

guillem pushed a commit to branch main
in repository dpkg.

View the commit online:
https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=7c4a3f74d8be80fe95d59b3b9025c30b666e414d

commit 7c4a3f74d8be80fe95d59b3b9025c30b666e414d
Author: Guillem Jover <[email protected]>
AuthorDate: Thu Jan 23 02:44:59 2025 +0100

    build: Add compiler hardening support
---
 configure.ac        |  1 +
 m4/dpkg-compiler.m4 | 30 ++++++++++++++++++++++++++++++
 2 files changed, 31 insertions(+)

diff --git a/configure.ac b/configure.ac
index d39ab471f..af2f7d55d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -237,6 +237,7 @@ DPKG_USE_DISK_PREALLOCATE
 # Checks for the build machinery.
 AC_DEFINE([LIBDPKG_VOLATILE_API], [1], [Acknowledge the volatility of the 
API.])
 DPKG_COMPILER_DIALECT
+DPKG_COMPILER_HARDENING
 DPKG_COMPILER_WARNINGS
 DPKG_COMPILER_SANITIZER
 DPKG_COMPILER_ANALYZER
diff --git a/m4/dpkg-compiler.m4 b/m4/dpkg-compiler.m4
index 6715408b3..4a88ab1d0 100644
--- a/m4/dpkg-compiler.m4
+++ b/m4/dpkg-compiler.m4
@@ -69,6 +69,36 @@ AC_DEFUN([DPKG_COMPILER_DIALECT], [
   ])
 ])
 
+# DPKG_CHECK_COMPILER_HARDENING
+# -----------------------------
+# Add configure option to control the compiler hardening support.
+AC_DEFUN([DPKG_CHECK_COMPILER_HARDENING], [
+  DPKG_CHECK_COMPILER_FLAG([-fcf-protection=full])
+  DPKG_CHECK_COMPILER_FLAG([-fstack-clash-protection])
+  DPKG_CHECK_COMPILER_FLAG([-fstack-protector-strong])
+  DPKG_CHECK_COMPILER_FLAG([-mbranch-protection=standard])
+])
+
+# DPKG_COMPILER_HARDENING
+# -----------------------
+# Add configure option to enable compiler hardening support options.
+AC_DEFUN([DPKG_COMPILER_HARDENING], [
+  AC_ARG_ENABLE([compiler-hardening],
+    [AS_HELP_STRING([--disable-compiler-hardening],
+      [Disable (detected) compiler hardening])],
+    [], [enable_compiler_hardening=yes])
+
+  AS_IF([test "$enable_compiler_hardening" = "yes"], [
+    DPKG_CHECK_COMPILER_HARDENING
+    AC_LANG_PUSH([C++])
+    DPKG_CHECK_COMPILER_HARDENING
+    AC_LANG_POP([C++])
+
+    CFLAGS="$DPKG_COMPILER_CFLAGS $CFLAGS"
+    CXXFLAGS="$DPKG_COMPILER_CXXFLAGS $CXXFLAGS"
+  ])
+])
+
 # DPKG_CHECK_COMPILER_WARNINGS
 # ----------------------------
 # Add configure option to disable additional compiler warnings.
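Review bot: The header comment on `DPKG_CHECK_COMPILER_HARDENING` says it adds a configure option, but the macro body only probes four flags; the option itself is added by `DPKG_COMPILER_HARDENING` below it. I would reword it to `# Check for and add the hardening flags that the compiler accepts.` and note there that `-fcf-protection=full` and `-mbranch-protection=standard` are architecture-specific (x86 and AArch64 respectively), so only a subset is expected to be accepted on any one target. `DPKG_CHECK_COMPILER_FLAG` is defined outside this hunk, so I am assuming it drops rejected flags silently; if so, a build can end up with fewer mitigations than `--enable-compiler-hardening` suggests, and nothing in the visible code reports which ones were applied. The comment could also state that the set is limited to code-generation flags, so `_FORTIFY_SOURCE` and linker options such as `-Wl,-z,relro` and `-Wl,-z,now` still have to come from the builder's own CPPFLAGS/LDFLAGS.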

-- 
Dpkg.Org's dpkg
