Diffstat (limited to 'pkgs/build-support/cc-wrapper/add-hardening')
-rw-r--r--pkgs/build-support/cc-wrapper/add-hardening41
1 files changed, 41 insertions, 0 deletions
diff --git a/pkgs/build-support/cc-wrapper/add-hardening b/pkgs/build-support/cc-wrapper/add-hardening
new file mode 100644
index 000000000000..08fdd52be08a
--- /dev/null
+++ b/pkgs/build-support/cc-wrapper/add-hardening
@@ -0,0 +1,41 @@
+hardeningFlags=(fortify stackprotector pic strictoverflow format relro bindnow)
+hardeningFlags+=("${hardeningEnable[@]}")
+hardeningCFlags=()
+hardeningLDFlags=()
+
+if [[ ! $hardeningDisable == "all" ]]; then
+  for flag in "${hardeningFlags[@]}"
+  do
+    if [[ ! "$hardeningDisable" =~ "$flag" ]]; then
+      case $flag in
+        fortify)
+          hardeningCFlags+=('-O2' '-D_FORTIFY_SOURCE=2')
+          ;;
+        stackprotector)
+          hardeningCFlags+=('-fstack-protector-strong')
+          ;;
+        pie)
+          hardeningCFlags+=('-fPIE' '-pie')
+          ;;
+        pic)
+          hardeningCFlags+=('-fPIC')
+          ;;
+        strictoverflow)
+          hardeningCFlags+=('-fno-strict-overflow')
+          ;;
+        format)
+          hardeningCFlags+=('-Wformat' '-Wformat-security' '-Werror=format-security')
+          ;;
+        relro)
+          hardeningLDFlags+=('-z relro')
+          ;;
+        bindnow)
+          hardeningLDFlags+=('-z now')
+          ;;
+        *)
+          echo "Hardening flag unknown: $flag"
+          ;;
+      esac
+    fi
+  done
+fi
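Review bot: The `relro` and `bindnow` arms store `'-z relro'` and `'-z now'` as single array elements, so a consumer that expands `"${hardeningLDFlags[@]}"` quoted passes the linker one argument containing a space instead of `-z` followed by its keyword. Storing them as separate words, `hardeningLDFlags+=('-z' 'relro')` and `hardeningLDFlags+=('-z' 'now')`, works for both quoted and unquoted expansion; how the array is consumed is outside this hunk, so confirm against the wrapper that sources this file. The `*)` arm prints its diagnostic on stdout, which in a compiler wrapper can end up in output that callers capture, so `echo "Hardening flag unknown: $flag" >&2` is safer. The disable check `[[ ! "$hardeningDisable" =~ "$flag" ]]` is a literal substring match against a scalar, while `hardeningEnable` is expanded as an array. If `hardeningDisable` can be an array only its first element is consulted, and any entry that merely contains a flag name switches that hardening off without a message.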