commit:     1e9b3a08b9243daae1bebd6bac3da939d924df1f
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Mon Jan  2 03:14:09 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Mon Jan  2 20:34:17 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e9b3a08

sys-devel/clang-common: add baseline hardening

Add new /etc/clang/gentoo-hardened.cfg which sets hardening
options:
* -fstack-clash-protection
* -fstack-protector-strong
* -fPIE (already set by USE=pie on Clang, but this moves it out, as upstream
  prefer the config method.)
* -D_FORTIFY_SOURCE=2

Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1
(analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3.

Bug: https://bugs.gentoo.org/851111
Signed-off-by: Sam James <sam <AT> gentoo.org>

 ...0.9999.ebuild => clang-common-15.0.6-r1.ebuild} | 45 +++++++++++++++++-----
 .../clang-common/clang-common-15.0.6.9999.ebuild   | 37 +++++++++++++++++-
 .../clang-common/clang-common-16.0.0.9999.ebuild   | 37 +++++++++++++++++-
 ...d => clang-common-16.0.0_pre20230101-r1.ebuild} | 37 +++++++++++++++++-
 4 files changed, 141 insertions(+), 15 deletions(-)

diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild 
b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
similarity index 75%
copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
copy to sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
index e9669ee1adcc..7ec66f0dd663 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -10,10 +10,10 @@ HOMEPAGE="https://llvm.org/";
 
 LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
-KEYWORDS=""
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux 
~ppc-macos ~x64-macos"
 IUSE="
        default-compiler-rt default-libcxx default-lld llvm-libunwind
-       stricter
+       hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
                # This file contains flags common to clang, clang++ and 
clang-cpp.
                @gentoo-runtimes.cfg
                @gentoo-gcc-install.cfg
+               @gentoo-hardened.cfg
        EOF
 
+       # Baseline hardening (bug #851111)
+       newins - gentoo-hardened.cfg <<-EOF
+               -fstack-clash-protection
+               -fstack-protector-strong
+               -fPIE
+               -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+       EOF
+
+       dodir /usr/include/gentoo
+
+       local fortify_level=$(usex hardened 3 2)
+       # We have to do this because glibc's headers warn if F_S is set
+       # without optimization and that would at the very least be very noisy
+       # during builds and at worst trigger many -Werror builds.
+       cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+               #ifndef _FORTIFY_SOURCE
+                       #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+                               #define _FORTIFY_SOURCE ${fortify_level}
+                       #endif
+               #endif
+       EOF
+
+       if use hardened ; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -D_GLIBCXX_ASSERTIONS
+
+                       # Analogue to GLIBCXX_ASSERTIONS
+                       # 
https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+                       -D_LIBCPP_ENABLE_ASSERTIONS=1
+               EOF
+       fi
+
        if use stricter; then
                newins - gentoo-stricter.cfg <<-EOF
                        # This file increases the strictness of older clang 
versions
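Review bot: The `-include` line written into gentoo-hardened.cfg bakes `${ESYSROOT}` into a file that is installed under `${ED}`, so the recorded path is the build host's sysroot rather than the prefix the header itself is installed to; since the header goes to `${ED}/usr/include/gentoo/fortify.h`, `${EPREFIX}` looks like the intended variable (`-include "${EPREFIX}/usr/include/gentoo/fortify.h"`), though this should be confirmed against how ROOT/SYSROOT installs are expected to behave. Because the header is pulled in via `-include`, which as I read clang's predefines ordering is processed after command-line `-D`/`-U`, a user's `-U_FORTIFY_SOURCE` will not disable fortification while `-D_FORTIFY_SOURCE=0` will, thanks to the `#ifndef` guard; a comment in the generated header such as `/* Override with -D_FORTIFY_SOURCE=<level> on the command line; -U has no effect because this header is processed afterwards. */` would save a confused bug report. The `cat >>` into a fortify.h that `dodir` never created works but reads as if appending to existing content; `cat >` states the intent more plainly. src_install starts and ends outside the hunk, and the same hunk appears unchanged in the 15.0.6.9999, 16.0.0.9999 and 16.0.0_pre20230101-r1 ebuilds below.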
@@ -97,12 +130,6 @@ src_install() {
                        -Werror=implicit-function-declaration
                        -Werror=implicit-int
                        -Werror=incompatible-function-pointer-types
-
-                       # constructs banned by C2x
-                       -Werror=deprecated-non-prototype
-
-                       # deprecated but large blast radius
-                       #-Werror=strict-prototypes
                EOF
 
                cat >> "${ED}/etc/clang/gentoo-common.cfg" <<-EOF || die

diff --git a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild 
b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
index 3e43f51a0aab..709c93681448 100644
--- a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
        default-compiler-rt default-libcxx default-lld llvm-libunwind
-       stricter
+       hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
                # This file contains flags common to clang, clang++ and 
clang-cpp.
                @gentoo-runtimes.cfg
                @gentoo-gcc-install.cfg
+               @gentoo-hardened.cfg
        EOF
 
+       # Baseline hardening (bug #851111)
+       newins - gentoo-hardened.cfg <<-EOF
+               -fstack-clash-protection
+               -fstack-protector-strong
+               -fPIE
+               -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+       EOF
+
+       dodir /usr/include/gentoo
+
+       local fortify_level=$(usex hardened 3 2)
+       # We have to do this because glibc's headers warn if F_S is set
+       # without optimization and that would at the very least be very noisy
+       # during builds and at worst trigger many -Werror builds.
+       cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+               #ifndef _FORTIFY_SOURCE
+                       #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+                               #define _FORTIFY_SOURCE ${fortify_level}
+                       #endif
+               #endif
+       EOF
+
+       if use hardened ; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -D_GLIBCXX_ASSERTIONS
+
+                       # Analogue to GLIBCXX_ASSERTIONS
+                       # 
https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+                       -D_LIBCPP_ENABLE_ASSERTIONS=1
+               EOF
+       fi
+
        if use stricter; then
                newins - gentoo-stricter.cfg <<-EOF
                        # This file increases the strictness of older clang 
versions

diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild 
b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
index e9669ee1adcc..1b9640fcebe0 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
        default-compiler-rt default-libcxx default-lld llvm-libunwind
-       stricter
+       hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
                # This file contains flags common to clang, clang++ and 
clang-cpp.
                @gentoo-runtimes.cfg
                @gentoo-gcc-install.cfg
+               @gentoo-hardened.cfg
        EOF
 
+       # Baseline hardening (bug #851111)
+       newins - gentoo-hardened.cfg <<-EOF
+               -fstack-clash-protection
+               -fstack-protector-strong
+               -fPIE
+               -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+       EOF
+
+       dodir /usr/include/gentoo
+
+       local fortify_level=$(usex hardened 3 2)
+       # We have to do this because glibc's headers warn if F_S is set
+       # without optimization and that would at the very least be very noisy
+       # during builds and at worst trigger many -Werror builds.
+       cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+               #ifndef _FORTIFY_SOURCE
+                       #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+                               #define _FORTIFY_SOURCE ${fortify_level}
+                       #endif
+               #endif
+       EOF
+
+       if use hardened ; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -D_GLIBCXX_ASSERTIONS
+
+                       # Analogue to GLIBCXX_ASSERTIONS
+                       # 
https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+                       -D_LIBCPP_ENABLE_ASSERTIONS=1
+               EOF
+       fi
+
        if use stricter; then
                newins - gentoo-stricter.cfg <<-EOF
                        # This file increases the strictness of older clang 
versions

diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild 
b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
similarity index 77%
copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
copy to sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
index e9669ee1adcc..350245ab982e 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
        default-compiler-rt default-libcxx default-lld llvm-libunwind
-       stricter
+       hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
                # This file contains flags common to clang, clang++ and 
clang-cpp.
                @gentoo-runtimes.cfg
                @gentoo-gcc-install.cfg
+               @gentoo-hardened.cfg
        EOF
 
+       # Baseline hardening (bug #851111)
+       newins - gentoo-hardened.cfg <<-EOF
+               -fstack-clash-protection
+               -fstack-protector-strong
+               -fPIE
+               -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+       EOF
+
+       dodir /usr/include/gentoo
+
+       local fortify_level=$(usex hardened 3 2)
+       # We have to do this because glibc's headers warn if F_S is set
+       # without optimization and that would at the very least be very noisy
+       # during builds and at worst trigger many -Werror builds.
+       cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+               #ifndef _FORTIFY_SOURCE
+                       #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+                               #define _FORTIFY_SOURCE ${fortify_level}
+                       #endif
+               #endif
+       EOF
+
+       if use hardened ; then
+               cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+                       -D_GLIBCXX_ASSERTIONS
+
+                       # Analogue to GLIBCXX_ASSERTIONS
+                       # 
https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+                       -D_LIBCPP_ENABLE_ASSERTIONS=1
+               EOF
+       fi
+
        if use stricter; then
                newins - gentoo-stricter.cfg <<-EOF
                        # This file increases the strictness of older clang 
versions
