cmake: add extra security compiler options
Introduce cmake option ENABLE_HARDENING, which is TRUE by default for non-debug regular and static builds, excluding AArch64 and FreeBSD. It passess compiler flags that harden Tarantool (including the bundled libraries) against memory corruption attacks. The following flags are passed: * -Wformat - Check calls to printf and scanf, etc., to make sure that the arguments supplied have types appropriate to the format string specified. * -Wformat-security -Werror=format-security - Warn about uses of format functions that represent possible security problems. And make the warning into an error. * -fstack-protector-strong - Emit extra code to check for buffer overflows, such as stack smashing attacks. * -fPIC -pie - Generate position-independent code (PIC). It allows to take advantage of the Address Space Layout Randomization (ASLR). * -z relro -z now - Resolve all dynamically linked functions at the beginning of the execution, and then make the GOT read-only. Also do not disable hardening for Debian and RPM-based Linux distros. Closes #5372 Closes #7536 NO_DOC=build NO_TEST=build
Showing
- CMakeLists.txt 25 additions, 4 deletionsCMakeLists.txt
- changelogs/unreleased/gh-7536-add-cmake-enable_hardening-option.md 4 additions, 0 deletions...s/unreleased/gh-7536-add-cmake-enable_hardening-option.md
- cmake/BuildAres.cmake 2 additions, 2 deletionscmake/BuildAres.cmake
- cmake/BuildLibCURL.cmake 7 additions, 4 deletionscmake/BuildLibCURL.cmake
- cmake/BuildLibUnwind.cmake 2 additions, 2 deletionscmake/BuildLibUnwind.cmake
- cmake/BuildNghttp2.cmake 2 additions, 2 deletionscmake/BuildNghttp2.cmake
- debian/rules 0 additions, 1 deletiondebian/rules
- rpm/tarantool.spec 0 additions, 3 deletionsrpm/tarantool.spec
- static-build/CMakeLists.txt 23 additions, 0 deletionsstatic-build/CMakeLists.txt
Loading