build: refactor setting hardening compiler flags

Setting hardening compiler flags is used in three places: default build,
static build and enterprise build — refactor it into a separate module.

Follow-up e6abe1c9

NO_CHANGELOG=refactoring
NO_DOC=refactoring
NO_TEST=refactoring

CMakeLists.txt

@@ -70,28 +70,12 @@ include(cmake/atomic.cmake)
 include(cmake/profile.cmake)
 include(cmake/module.cmake)
 include(cmake/thread.cmake)
+include(cmake/hardening.cmake)
 
-# Fuzzers are compiled without PIC support,
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
-    set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
-    set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-set(HARDENING_FLAGS " ")
-set(HARDENING_LDFLAGS " ")
-if (ENABLE_HARDENING)
-    set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
-    if (NOT TARGET_OS_DARWIN)
-        set(HARDENING_LDFLAGS "-pie -z relro -z now")
-    endif()
-    add_compile_flags("C;CXX" ${HARDENING_FLAGS})
-    set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
-    set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
-    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
-endif()
+add_compile_flags("C;CXX" ${HARDENING_FLAGS})
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}")
 
 set(CMAKE_REQUIRED_DEFINITIONS "-D_GNU_SOURCE")
 

cmake/hardening.cmake

+# Depends on os.cmake and profile.cmake modules.
+# Uses `ENABLE_FUZZER` option and `TARGET_OS_FREEBSD` variable.
+
+# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
+# ligomp.a for AArch64 CentOS is compiled without PIC support.
+if (ENABLE_FUZZER OR TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
+    set(ENABLE_HARDENING_DEFAULT FALSE)
+else()
+    set(ENABLE_HARDENING_DEFAULT TRUE)
+endif()
+option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
+if (ENABLE_HARDENING)
+    set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
+    if (NOT TARGET_OS_DARWIN)
+        set(HARDENING_LDFLAGS "-pie -z relro -z now")
+    endif()
+endif()

static-build/CMakeLists.txt

@@ -7,6 +7,8 @@ cmake_minimum_required(VERSION 3.1)
 # linux machine).
 project(tarantool-static C CXX)
 
+include(CheckLibraryExists)
+include(CheckCSourceCompiles)
 include(FindPackageMessage)
 include(ExternalProject)
 set(LIBICU_VERSION release-71-1/icu4c-71_1)
@@ -24,6 +26,8 @@ set(READLINE_HASH 7e6c1f16aee3244a69aba6e438295ca3)
 set(BACKUP_STORAGE https://distrib.hb.bizmrg.com)
 
 include(../cmake/os.cmake)
+include(../cmake/profile.cmake)
+include(../cmake/hardening.cmake)
 
 # Pass -isysroot=<SDK_PATH> option on Mac OS to a preprocessor and a C
 # compiler to find header files installed with an SDK.
@@ -46,23 +50,9 @@ if (APPLE)
     set(DEPENDENCY_CPPFLAGS "${CMAKE_C_SYSROOT_FLAG} ${CMAKE_OSX_SYSROOT}")
 endif()
 
-# LuaJIT in FreeBSD doesn't work with PIC (gh-7640),
-# ligomp.a for AArch64 CentOS is compiled without PIC support.
-if (TARGET_OS_FREEBSD OR ${CMAKE_SYSTEM_PROCESSOR} MATCHES "aarch64")
-    set(ENABLE_HARDENING_DEFAULT FALSE)
-else()
-    set(ENABLE_HARDENING_DEFAULT TRUE)
-endif()
-option(ENABLE_HARDENING "Enable compiler options that harden against memory corruption attacks" ${ENABLE_HARDENING_DEFAULT})
-if (ENABLE_HARDENING)
-    set(HARDENING_FLAGS "-Wformat -Wformat-security -Werror=format-security -fstack-protector-strong -fPIC")
-    if (NOT TARGET_OS_DARWIN)
-        set(HARDENING_LDFLAGS "-pie -z relro -z now")
-    endif()
-    set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
-    set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
-    set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
-endif()
+set(DEPENDENCY_CFLAGS "${DEPENDENCY_CFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_CXXFLAGS "${DEPENDENCY_CXXFLAGS} ${HARDENING_FLAGS}")
+set(DEPENDENCY_LDFLAGS "${DEPENDENCY_LDFLAGS} ${HARDENING_LDFLAGS}")
 
 # Install all libraries required by tarantool at current build dir