From 0b47b16eb813fe039875ccd47b67c6faa588f1f2 Mon Sep 17 00:00:00 2001
From: Georgiy Lebedev <g.lebedev@tarantool.org>
Date: Sat, 15 Oct 2022 17:59:39 +0300
Subject: [PATCH] build: refactor setting hardening compiler flags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Setting hardening compiler flags is used in three places: default build,
static build and enterprise build — refactor it into a separate module.
Follow-up e6abe1c
NO_CHANGELOG=refactoring
NO_DOC=refactoring
NO_TEST=refactoring
(cherry picked from commit dd51a2fa39c5991dbb91640c37c0bb15fd800a5a)
---
CMakeLists.txt | 26 +++++---------------------
cmake/hardening.cmake | 17 +++++++++++++++++
static-build/CMakeLists.txt | 24 +++++++-----------------
3 files changed, 29 insertions(+), 38 deletions(-)
create mode 100644 cmake/hardening.cmake
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b8d0bbc120..bd692daf2b 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -70,28 +70,12 @@ include(cmake/atomic.cmake)
include(cmake/profile.cmake)
include(cmake/module.cmake)
include(cmake/thread.cmake)
+include(cmake/hardening.cmake)
-# Fuzzers are compiled without PIC support,
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
- set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
- set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-set(HARDENING_FLAGS " ")
-set(HARDENING_LDFLAGS " ")
-if (ENABLE_HARDENING)
- set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
- if (NOT TARGET_OS_DARWIN)
- set(HARDENING_LDFLAGS "-pie -z relro -z now")
- endif()
- add_compile_flags("C;CXX" ${HARDENING_FLAGS})
- set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
- set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
-endif()
+add_compile_flags("C;CXX" ${HARDENING_FLAGS})
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
set(CMAKE_REQUIRED_DEFINITIONS "-D_GNU_SOURCE")
diff --git a/cmake/hardening.cmake b/cmake/hardening.cmake
new file mode 100644
index 0000000000..1ef30a618b
--- /dev/null
+++ b/cmake/hardening.cmake
@@ -0,0 +1,17 @@
+# Depends on os.cmake and profile.cmake modules.
+# Uses `ENABLE_FUZZER` option and `TARGET_OS_FREEBSD` variable.
+
+# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
+# ligomp.a for AArch64 CentOS is compiled without PIC support.
+if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
+ set(ENABLE_HARDENING_DEFAULT FALSE)
+else()
+ set(ENABLE_HARDENING_DEFAULT TRUE)
+endif()
+option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
+if (ENABLE_HARDENING)
+ set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
+ if (NOT TARGET_OS_DARWIN)
+ set(HARDENING_LDFLAGS "-pie -z relro -z now")
+ endif()
+endif()
diff --git a/static-build/CMakeLists.txt b/static-build/CMakeLists.txt
index 4dd4adc199..4ebcc8e795 100644
--- a/static-build/CMakeLists.txt
+++ b/static-build/CMakeLists.txt
@@ -7,6 +7,8 @@ cmake_minimum_required(VERSION 2.8)
# linux machine).
project(tarantool-static C CXX)
+include(CheckLibraryExists)
+include(CheckCSourceCompiles)
include(FindPackageMessage)
include(ExternalProject)
set(LIBICU_VERSION release-71-1/icu4c-71_1)
@@ -24,6 +26,8 @@ set(READLINE_HASH 7e6c1f16aee3244a69aba6e438295ca3)
set(BACKUP_STORAGE https://distrib.hb.bizmrg.com)
include(../cmake/os.cmake)
+include(../cmake/profile.cmake)
+include(../cmake/hardening.cmake)
# Pass -isysroot=<SDK_PATH> option on Mac OS to a preprocessor and a C
# compiler to find header files installed with an SDK.
@@ -46,23 +50,9 @@ if (APPLE)
set(DEPENDENCY_CPPFLAGS "${CMAKE_C_SYSROOT_FLAG} ${CMAKE_OSX_SYSROOT}")
endif()
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
- set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
- set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-if (ENABLE_HARDENING)
- set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
- if (NOT TARGET_OS_DARWIN)
- set(HARDENING_LDFLAGS "-pie -z relro -z now")
- endif()
- set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
- set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
-endif()
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
# Install all libraries required by tarantool at current build dir
--
GitLab