config_host.mk.in                      |    3 +
 configure.ac                           |   62 ++++++++++++++++++++++++++++++++-
 distro-configs/CPLinux-LOKit.conf      |    1 
 solenv/gbuild/platform/com_GCC_defs.mk |    6 ++-
 4 files changed, 70 insertions(+), 2 deletions(-)

New commits:
commit 2e50b3850ba2074dba41e6ea07c9e7d236af0d6c
Author:     Caolán McNamara <[email protected]>
AuthorDate: Tue Feb 13 15:17:48 2024 +0000
Commit:     Caolán McNamara <[email protected]>
CommitDate: Fri Apr 19 21:01:53 2024 +0200

    add --enable-hardening-flags to enable compiler hardening flags
    
    distros typically have their own set via C[XX]FLAGS, so make
    this an optional argument
    
    some notes on the options:
    
    -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2
    https://www.redhat.com/en/blog/enhance-application-security-fortifysource
    (I see Fedora has recently bumped to 3 since Jan 2024
    
https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
    but here use 2 for now instead)
    
    -Wp,-D_GLIBCXX_ASSERTIONS
    https://fedoraproject.org/wiki/Changes/HardeningFlags28
    
    -fstack-protector-strong
    (We already apply this by default)
    
    -fstack-clash-protection
    https://fedoraproject.org/wiki/Changes/HardeningFlags28
    
    -fcf-protection
    https://fedoraproject.org/wiki/Changes/HardeningFlags28
    
https://cgit.freedesktop.org/libreoffice/core/commit/?id=af55dc3891f7950d392175004b2090cb0e54828e
    
    and record the compiler flags in debuginfo
    -grecord-gcc-switches
    
    Change-Id: Ib05387bad8324b188bd4ed0ee327d6a7cf83973b
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163312
    Tested-by: Jenkins CollaboraOffice <[email protected]>
    Reviewed-by: Andras Timar <[email protected]>
    (cherry picked from commit 33483058f6e27f39633114721f7329c90571101d)
    Reviewed-on: https://gerrit.libreoffice.org/c/core/+/166289
    Tested-by: Jenkins
    Reviewed-by: Caolán McNamara <[email protected]>

diff --git a/config_host.mk.in b/config_host.mk.in
index 00dc7aa1f898..1d5a83add0c0 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -179,6 +179,9 @@ export ENABLE_GTK3=@ENABLE_GTK3@
 export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
+export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_CFLAGS=@HARDENING_CFLAGS@
+export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
 export ENABLE_HTMLHELP=@ENABLE_HTMLHELP@
 export ENABLE_JAVA=@ENABLE_JAVA@
diff --git a/configure.ac b/configure.ac
index 4bb5ad4d97da..4d96c1e90cf5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1916,6 +1916,13 @@ libo_FUZZ_ARG_ENABLE(release-build,
          See https://wiki.documentfoundation.org/Development/DevBuild]),
 ,)
 
+libo_FUZZ_ARG_ENABLE(hardening-flags,
+    AS_HELP_STRING([--enable-hardening-flags],
+        [Enable automatically using hardening compiler flags. Distros typically
+         instead use their default configuration via CXXFLAGS, etc. But this 
provides a
+         convenient set of default hardening flags for non-distros]),
+,)
+
 AC_ARG_ENABLE(windows-build-signing,
     AS_HELP_STRING([--enable-windows-build-signing],
         [Enable signing of windows binaries (*.exe, *.dll)]),
@@ -2929,6 +2936,19 @@ fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
 AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
 
+dnl ===================================================================
+dnl Test whether build should auto use hardening compiler flags
+dnl ===================================================================
+AC_MSG_CHECKING([whether build should auto use hardening compiler flags])
+if test "$enable_hardening_flags" = "" -o "$enable_hardening_flags" = "no"; 
then
+    AC_MSG_RESULT([no])
+    ENABLE_HARDENING_FLAGS=
+else
+    AC_MSG_RESULT([yes])
+    ENABLE_HARDENING_FLAGS=TRUE
+fi
+AC_SUBST(ENABLE_HARDENING_FLAGS)
+
 AC_MSG_CHECKING([whether to build a Community flavor])
 if test -z "$enable_community_flavor" -o "$enable_community_flavor" = "yes"; 
then
     AC_DEFINE(HAVE_FEATURE_COMMUNITY_FLAVOR)
@@ -7381,13 +7401,51 @@ dnl 
===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_CFLAGS=
+HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+    AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS 
-grecord-gcc-switches"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -D_FORTIFY_SOURCE=2])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[#include <string.h> return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_OPT_CFLAGS="$HARDENING_OPT_CFLAGS 
-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -D_GLIBCXX_ASSERTIONS])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -Wp,-D_GLIBCXX_ASSERTIONS"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS 
-Wp,-D_GLIBCXX_ASSERTIONS"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
     AC_MSG_CHECKING([whether $CC_BASE supports -fstack-clash-protection])
     save_CFLAGS=$CFLAGS
     CFLAGS="$CFLAGS -Werror -fstack-clash-protection"
     AC_LINK_IFELSE(
         [AC_LANG_PROGRAM(, [[return 0;]])],
-        [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE],
+        [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE; 
HARDENING_CFLAGS="$HARDENING_CFLAGS -fstack-clash-protection"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -fcf-protection])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -fcf-protection"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS 
-fcf-protection"],
         [AC_MSG_RESULT([no])])
     CFLAGS=$save_CFLAGS
 
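Review bot: The -D_FORTIFY_SOURCE=2 probe passes `#include <string.h>` in the body argument of AC_LANG_PROGRAM rather than the prologue, so the directive is emitted inside main() on the same line as `return 0;`; GCC diagnoses extra tokens after an #include, and under -Werror that very likely makes this probe answer "no" even on a compiler that supports the flag. Move the include to the first argument: `[AC_LANG_PROGRAM([[#include <string.h>]], [[return 0;]])]`. The probe also links with whatever optimization level the user's $CFLAGS carries, and glibc's features.h warns when _FORTIFY_SOURCE is defined without -O, so with -Werror the answer may depend on CFLAGS rather than on compiler support — adding -O2 to the probe's CFLAGS would match the one place (gb_COMPILEROPTFLAGS) where HARDENING_OPT_CFLAGS is consumed. The -D_GLIBCXX_ASSERTIONS probe is compiled as C, where the macro is never consulted, so it only proves the preprocessor accepts a -D and says nothing about the C++ library in use. A user who passed --enable-hardening-flags currently gets no signal when every probe fails or when the compiler is neither GCC nor clang, so an `AC_MSG_WARN` after this block when ENABLE_HARDENING_FLAGS is set but HARDENING_CFLAGS is empty would make the silent no-op visible.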
@@ -7541,6 +7599,8 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_CFLAGS)
+AC_SUBST(HARDENING_OPT_CFLAGS)
 
 dnl ===================================================================
 dnl Identify the C++ library
diff --git a/distro-configs/CPLinux-LOKit.conf 
b/distro-configs/CPLinux-LOKit.conf
index f545bb4b8199..0d879e5c99ae 100644
--- a/distro-configs/CPLinux-LOKit.conf
+++ b/distro-configs/CPLinux-LOKit.conf
@@ -1,3 +1,4 @@
+--enable-hardening-flags
 --enable-mpl-subset
 --with-vendor=Collabora
 --disable-community-flavor
diff --git a/solenv/gbuild/platform/com_GCC_defs.mk 
b/solenv/gbuild/platform/com_GCC_defs.mk
index e8bf170bd454..903424972824 100644
--- a/solenv/gbuild/platform/com_GCC_defs.mk
+++ b/solenv/gbuild/platform/com_GCC_defs.mk
@@ -38,7 +38,9 @@ endif
 gb_COMPILER_SETUP :=
 
 ifeq ($(strip $(gb_COMPILEROPTFLAGS)),)
-gb_COMPILEROPTFLAGS := -O2
+gb_COMPILEROPTFLAGS := \
+       -O2 -mtune=generic \
+       $(if $(HARDENING_OPT_CFLAGS),$(HARDENING_OPT_CFLAGS))
 endif
 
 gb_AFLAGS := $(AFLAGS)
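Review bot: HARDENING_OPT_CFLAGS is added to gb_COMPILEROPTFLAGS without consulting ENABLE_HARDENING_FLAGS, unlike the HARDENING_CFLAGS lines in gb_CFLAGS_COMMON and gb_CXXFLAGS_COMMON later in this file, so -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2 reaches every optimized build even when --enable-hardening-flags was not given — the opposite of what the commit message promises distros, and depending on flag order it may undefine a distro's own _FORTIFY_SOURCE level set through CFLAGS. `$(if $(HARDENING_OPT_CFLAGS),$(HARDENING_OPT_CFLAGS))` is also just `$(HARDENING_OPT_CFLAGS)` written twice; the line should read `$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_OPT_CFLAGS))`. The added -mtune=generic is unrelated to hardening and not mentioned in the commit message; if it is intended it deserves a comment stating why, and its acceptance on every supported target should be confirmed.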
@@ -74,6 +76,7 @@ gb_CFLAGS_COMMON := \
        -fmessage-length=0 \
        -fno-common \
        -pipe \
+       $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
        $(if $(filter 
EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 
 gb_CXXFLAGS_COMMON := \
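Review bot: The `$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS))` line is repeated verbatim in gb_CFLAGS_COMMON here and in gb_CXXFLAGS_COMMON in the next hunk, while gb_COMPILEROPTFLAGS above applies HARDENING_OPT_CFLAGS with no gate at all; computing the gated value once, e.g. `gb_HARDENING_FLAGS := $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS))` next to gb_COMPILER_SETUP, and referencing it from all three places would keep the gating consistent. Since HARDENING_CFLAGS carries -Wp,-D_GLIBCXX_ASSERTIONS, the C flag list receives a macro that only the C++ library reads; harmless, but a comment saying so would save the next reader a question. The EMSCRIPTEN branch immediately below deliberately drops the stack protector, yet the hardening flags are added unconditionally before it; whether the configure probes reject -fcf-protection and -fstack-clash-protection for that target is not visible here, so gating on the same $(OS) filter may be safer.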
@@ -90,6 +93,7 @@ gb_CXXFLAGS_COMMON := \
        -fmessage-length=0 \
        -fno-common \
        -pipe \
+       $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
        $(if $(filter 
EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 
 ifeq ($(HAVE_WDEPRECATED_COPY_DTOR),TRUE)
