Add hardening flags to our compile.

This makes us fully position independant and have a noexec stack. There's a small chance that the former part of that can interfere with gdb/corefiles/stackdumps, but we'll handle that if it becomes a problem.
Dukeke · Dec 2, 2017 · f578806 · f578806
1 parent 482ac38
commit f578806
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -71,6 +71,13 @@ ACTORCOMPILER := bin/actorcompiler.exe
 
 # UNSTRIPPED := 1
 
+HARDENING_FLAGS := -fstack-protector-all -Wstack-protector --param ssp-buffer-size=4 -fPIC -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now
+# TODO(alexmiller): boost 1.52.0 prevents us from using most of these with -Werror.
+# Reassess after boost has been upgraded to >1.52.0.
+#WARNING_FLAGS ?= -Wall -Wextra -Wformat-security -Wconversion -Wsign-conversion -Werror
+
+CFLAGS += ${HARDENING_FLAGS} ${WARNING_FLAGS}
+
 # Normal optimization level
 CFLAGS += -O2
 
@@ -84,7 +91,7 @@ CFLAGS += -g
 # valgrind-compatibile builds are enabled by uncommenting lines in valgind.mk
 
 CXXFLAGS += -Wno-deprecated
-LDFLAGS :=
+LDFLAGS := ${HARDENING_FLAGS}
 LIBS :=
 STATIC_LIBS :=
 

diff --git a/build/link-wrapper.sh b/build/link-wrapper.sh
@@ -15,7 +15,7 @@ case $1 in
 		OPTIONS="$OPTIONS -Wl,-dylib_install_name -Wl,$( basename $3 )"
 	    fi
 	else
-	    OPTIONS=
+	    OPTIONS="$OPTIONS -pie -fPIE"
 	fi
 
 	OPTIONS=$( eval echo "$OPTIONS $LDFLAGS \$$2_LDFLAGS \$$2_OBJECTS \$$2_LIBS \$$2_STATIC_LIBS_REAL -o $3" )