The page is explaining more about the "order" of these flags. My interest in this page was more to do with the order in which these flags would get 'applied' on to the AM_**flags (and not in the context of C or C++!!) Basically wanted to be sure of any further chance of 'overwriding' of these flags.
Cheers, Mathi. > -----Original Message----- > From: Anders Widell [mailto:[email protected]] > Sent: Friday, December 13, 2013 9:28 PM > To: Mathivanan Naickan Palanivelu > Cc: [email protected] > Subject: Re: [PATCH 1 of 1] build: Add extra GCC hardening compilation flags > [#650] > > It was an interesting page; I haven't read it before. Btw the name CPPFLAGS > could be confusing at first: "CPP" stands for C PreProcessor, not "C Plus > Plus". > So it applies to both C and C++ code. > > regards, > Anders Widell > > 2013-12-13 11:34, Mathivanan Naickan Palanivelu skrev: > > Ack. > > I was going through this link to review this patch. > > http://www.gnu.org/software/automake/manual/html_node/Flag- > Variables-O > > rdering.html > > It might be of interest to you too. > > Basically, I wanted to figure out whether CPP_FLAGS should be passed > > to AM_CPP FLAGS or to AM_CXX FLAGS. > > - Mathi. > > > >> -----Original Message----- > >> From: Anders Widell [mailto:[email protected]] > >> Sent: Monday, December 09, 2013 5:15 PM > >> To: Mathivanan Naickan Palanivelu > >> Cc: [email protected] > >> Subject: [PATCH 1 of 1] build: Add extra GCC hardening compilation > >> flags [#650] > >> > >> 00-README.conf | 2 +- > >> Makefile.common | 4 ++-- > >> README | 16 ++++++++++++---- > >> configure.ac | 18 ++++++++++++++++++ > >> tools/cluster_sim_uml/README | 2 +- > >> 5 files changed, 34 insertions(+), 8 deletions(-) > >> > >> > >> By default, build with the extra hardening flags "-D_FORTIFY_SOURCE=2 > >> -fstack-protector" for improved security and enhanced run-time error > >> detection. The flags can be overridden by setting the environment > >> variable OSAF_HARDEN_FLAGS when building OpenSAF. > >> > >> Note that -D_FORTIFY_SOURCE=2 is only enabled in optimized builds. To > >> reduce the risk that a user accidentally builds without optimization > >> by overriding the default CFLAGS and/or CXXFLAGS, the README files > >> have been updated to recommend passing preprocessor definitions using > >> CPPFLAGS instead of CFLAGS. > >> > >> diff --git a/00-README.conf b/00-README.conf > >> --- a/00-README.conf > >> +++ b/00-README.conf > >> @@ -85,7 +85,7 @@ file does not have to be changed unless: > >> - OpenSAF should run as a different UNIX group and user than the > >> default 'opensaf' > >> group/user. > >> > >> - If OpenSAF was built with the flags "CFLAGS=-DRUNASROOT", then > >> + If OpenSAF was built with the flags "CPPFLAGS=-DRUNASROOT", > >> then > >> change OPENSAF_GROUP and OPENSAF_USER to root i.e. for old > >> (<4.2) behaviour. > >> > >> For any other user, change OPENSAF_GROUP and OPENSAF_USER > >> accordingly diff --git a/Makefile.common b/Makefile.common > >> --- a/Makefile.common > >> +++ b/Makefile.common > >> @@ -12,8 +12,8 @@ AM_CPPFLAGS = \ > >> $(CORE_INCLUDES) \ > >> $(all_includes) > >> > >> -AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -AM_CXXFLAGS = > >> -Wall -fno-strict-aliasing -Werror -fPIC - D__STDC_FORMAT_MACROS > >> +AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC > >> @OSAF_HARDEN_FLAGS@ > >> +AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC - > >> D__STDC_FORMAT_MACROS @OSAF_HARDEN_FLAGS@ > >> AM_LDFLAGS = -ldl -lrt -lpthread > >> > >> # > >> diff --git a/README b/README > >> --- a/README > >> +++ b/README > >> @@ -293,7 +293,7 @@ 1.1.1, 1.1.2 etc. > >> To re-enable the old (pre 4.3) non flat addressing, configure the > >> constant > >> MDS_USE_SUBSLOT_ID=1 at configure time as in: > >> > >> - % ./configure CFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..." > >> + % ./configure CPPFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..." > >> > >> In the non flat scheme, the slot ID is shifted up 4 bits and subslot ID > >> is > >> added in the 4 LSB. The consequence of this is reduced number of @@ > >> -308,7 +308,7 @@ 2) Run as root (optional) > >> If the old (<4.2) behaviour of running all processes as root is desired, > >> use > >> the following configure command: > >> > >> - % ./configure CFLAGS=-DRUNASROOT > >> + % ./configure CPPFLAGS=-DRUNASROOT > >> > >> > >> 3) Configure TIPC importance (optional) @@ -317,13 +317,21 @@ The > >> default TIPC importance is LOW for a > >> In some cases the default importance must be changed if e.g. an > >> application starves the LOW importance communication level. > >> To change the default importance, use the following configure > >> command > >> > >> - % ./configure CFLAGS=-DTIPCIMPORTANCE=level > >> + % ./configure CPPFLAGS=-DTIPCIMPORTANCE=level > >> where level is any of TIPC_LOW_IMPORTANCE, > >> TIPC_MEDIUM_IMPORTANCE or TIPC_HIGH_IMPORTANCE > >> - e.g. configure CFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE > >> + e.g. configure CPPFLAGS=- > DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE > >> > >> Note: Giving same importance to AVND & all other Opensaf models is > >> not preferred option. The behavior is unsupported. > >> > >> > >> +4) Configure GCC hardening options (optional) > >> + > >> +By default, the options "-fstack-protector -D_FORTIFY_SOURCE=2" are > >> passed to > >> +GCC for improved security. You can override these options by setting > >> +the OSAF_HARDEN_FLAGS when configuring OpenSAF. For example: > >> + > >> + % ./configure OSAF_HARDEN_FLAGS="-fstack-protector-all - > >> D_FORTIFY_SOURCE=2" > >> + > >> If you are using a released archive (dist tarball) follow the simple > common > >> steps: > >> > >> diff --git a/configure.ac b/configure.ac > >> --- a/configure.ac > >> +++ b/configure.ac > >> @@ -545,6 +545,22 @@ if test "$enable_imm_pbe" = yes; then > >> PKG_CHECK_MODULES([SQLITE3], [sqlite3]) > >> fi > >> > >> +if test -z "$OSAF_HARDEN_FLAGS"; then > >> + # _FORTIFY_SOURCE requires optimization, so only enable it in > >> optimized > >> + # builds, i.e. when -O is present in both CFLAGS and CXXFLAGS. > >> + if echo "${CFLAGS}" | grep -q -- -O; then > >> + if echo "${CXXFLAGS}" | grep -q -- -O; then > >> + OSAF_HARDEN_FLAGS="-D_FORTIFY_SOURCE=2" > >> + fi > >> + fi > >> + # Also check for -O0 (which explicitly disables optimisation) > >> + if echo "${CFLAGS} ${CXXFLAGS}" | grep -q -- -O0; then > >> + OSAF_HARDEN_FLAGS="" > >> + fi > >> + OSAF_HARDEN_FLAGS="${OSAF_HARDEN_FLAGS} -fstack- > >> protector" > >> +fi > >> +AC_SUBST(OSAF_HARDEN_FLAGS) > >> + > >> ############################################# > >> # Checks for header files. > >> ############################################# > >> @@ -925,8 +941,10 @@ echo "" > >> echo " Compiling Options:" > >> echo "${ECHO_T} C Compiler: ${CC}" > >> echo "${ECHO_T} C++ Compiler: ${CXX}" > >> +echo "${ECHO_T} CPPFLAGS: ${CPPFLAGS} ${AM_CPPFLAGS}" > >> echo "${ECHO_T} CFLAGS: ${CFLAGS} ${AM_CFLAGS}" > >> echo "${ECHO_T} CXXFLAGS: ${CXXFLAGS} ${AM_CXXFLAGS}" > >> +echo "${ECHO_T} OSAF_HARDEN_FLAGS: ${OSAF_HARDEN_FLAGS}" > >> echo "${ECHO_T} LDFLAGS: ${LDFLAGS}" > >> echo "${ECHO_T} Enable RPATH: ${enable_rpath}" > >> > >> diff --git a/tools/cluster_sim_uml/README > >> b/tools/cluster_sim_uml/README > >> --- a/tools/cluster_sim_uml/README > >> +++ b/tools/cluster_sim_uml/README > >> @@ -77,7 +77,7 @@ When the UML root file system is generat > >> DESTDIR set to the UML root file system. Make sure you have a default > >> configured Opensaf like this: > >> > >> -$ ./configure CFLAGS=-DRUNASROOT > >> +$ ./configure CPPFLAGS=-DRUNASROOT > >> > >> - Execute './build_uml'. > >> > ------------------------------------------------------------------------------ Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro! http://pubads.g.doubleclick.net/gampad/clk?id=84349831&iu=/4140/ostg.clktrk _______________________________________________ Opensaf-devel mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/opensaf-devel
