harden executable
All checks were successful
continuous-integration/drone/push Build is passing

* fortify source
* link with "-pie"
* split stack
* set stack-protector to all
surtur 2021-11-30 15:52:17 +01:00
parent 0c2a1c6744
commit b15e1e9a55
Signed by: wanderer
GPG Key ID: 19CE1EC1D9E0486D


@ -82,9 +82,9 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DNDEBUG")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-DNDEBUG")
if(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-strong")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-strong")
if(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-all")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-all")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-all")
if(NOT CMAKE_CXX_FLAGS MATCHES "-funwind-tables")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -funwind-tables")
@ -93,12 +93,21 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
if(NOT CMAKE_CXX_FLAGS MATCHES "-fasynchronous-unwind-tables")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fasynchronous-unwind-tables")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-fasynchronous-unwind-tables")
if(NOT CMAKE_CXX_FLAGS MATCHES "-Wp,-D_FORTIFY_SOURCE=2")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wp,-D_FORTIFY_SOURCE=2")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-Wp,-D_FORTIFY_SOURCE=2")
endif(CMAKE_BUILD_TYPE MATCHES "Release")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsplit-stack")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -march=x86-64 -mtune=generic -pipe -fno-plt")
if(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC")
endif(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
set(LDFLAGS "${LDFLAGS} -Wl,-O1,โ€“sort-common,โ€“as-needed,-z,relro,-z,now,-pic")
# inspired by https://medium.com/@alasher/colored-c-compiler-output-with-ninja-clang-gcc-10bfe7f2b949
option (COLORS_FOREVER "Always produce ANSI-colored output (GNU/Clang only)." TRUE)
if (${COLORS_FOREVER})
@ -112,6 +121,7 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
message(STATUS "Compiler ID: ${CMAKE_CXX_COMPILER_ID}")
message(STATUS "CMAKE_CXX_FLAGS: ${CMAKE_CXX_FLAGS}")
message(STATUS "LDFLAGS: ${LDFLAGS}")
find_program(LLD lld)
if(LLD)
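Review bot: The linker hardening on the `set(LDFLAGS ...)` line probably never reaches the link step, because `LDFLAGS` is an ordinary CMake variable and its only visible use is the `message(STATUS "LDFLAGS: ...")` print; unless it is forwarded to the linker further down the file (not shown here), `-z relro`, `-z now` and PIE are not applied. The string also has what appear to be non-ASCII dashes in front of `sort-common` and `as-needed` where an ASCII `--` is required, and it ends in `-pic` although the commit message says `-pie`. I would pass the options through CMake itself, e.g. `add_link_options("LINKER:-O1,--sort-common,--as-needed,-z,relro,-z,now")`, and get PIE from `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` together with `check_pie_supported()` from the `CheckPIESupported` module, assuming the project's minimum CMake version allows both. Separately, `-fsplit-stack` is appended after the Release block closes and for every compiler; it is not a mitigation in itself, so it is worth guarding by compiler or dropping. Whatever form is chosen, confirm it on the built binary with `readelf -h`, `readelf -lW` and `readelf -d` (type `DYN`, a `GNU_RELRO` segment, a `BIND_NOW` flag) rather than relying on the configure-time printout.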