MCOL-1378 Add more hardening flags

More modern stack and bounds protection flags. Most won't activate until GCC 8 is used but it makes us ready for that.
2026-01-06 08:21:10 +03:00 · 2018-06-22 21:28:25 +01:00
parent 2204c4bd44
commit e248920ad0
1 changed files with 6 additions and 2 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -111,8 +111,8 @@ endif()

 INCLUDE(check_compiler_flag.cmake)

-MY_CHECK_AND_SET_COMPILER_FLAG("-g -O3 -fno-omit-frame-pointer -fno-strict-aliasing -Wall -fno-tree-vectorize -DDBUG_OFF -DHAVE_CONFIG_H" RELEASE RELWITHDEBINFO MINSIZEREL)
-MY_CHECK_AND_SET_COMPILER_FLAG("-ggdb3 -fno-omit-frame-pointer -fno-tree-vectorize -DSAFE_MUTEX -DSAFEMALLOC -DENABLED_DEBUG_SYNC -O0 -Wall -D_DEBUG -DHAVE_CONFIG_H" DEBUG)
+MY_CHECK_AND_SET_COMPILER_FLAG("-g -O3 -fno-omit-frame-pointer -fno-strict-aliasing -Wall -fno-tree-vectorize -D_GLIBCXX_ASSERTIONS -DDBUG_OFF -DHAVE_CONFIG_H" RELEASE RELWITHDEBINFO MINSIZEREL)
+MY_CHECK_AND_SET_COMPILER_FLAG("-ggdb3 -fno-omit-frame-pointer -fno-tree-vectorize -D_GLIBCXX_ASSERTIONS -DSAFE_MUTEX -DSAFEMALLOC -DENABLED_DEBUG_SYNC -O0 -Wall -D_DEBUG -DHAVE_CONFIG_H" DEBUG)

 # enable security hardening features, like most distributions do
 # in our benchmarks that costs about ~1% of performance, depending on the load
@@ -128,6 +128,10 @@ IF(SECURITY_HARDENED)
  MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
  MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
  MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
+  MY_CHECK_AND_SET_COMPILER_FLAG("-fexceptions")
+  MY_CHECK_AND_SET_COMPILER_FLAG("-mcet -fcf-protection")
+  MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector-strong")
+  MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-clash-protection")
 ENDIF()

 SET (ENGINE_LDFLAGS    "-Wl,--no-as-needed -Wl,--add-needed")