From b15e1e9a5519b9be987203d7d7618077c29392da Mon Sep 17 00:00:00 2001
From: surtur
Date: Tue, 30 Nov 2021 15:52:17 +0100
Subject: [PATCH] harden executable
* fortify source
* link with "-pie"
* split stack
* set stack-protector to all
---
 CMakeLists.txt | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index fc7bcbc..4cf5c00 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -82,9 +82,9 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DNDEBUG")
 endif(NOT CMAKE_CXX_FLAGS MATCHES "-DNDEBUG")
- if(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-strong")
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-strong")
- endif(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-strong")
+ if(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-all")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fstack-protector-all")
+ endif(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-all")
 if(NOT CMAKE_CXX_FLAGS MATCHES "-funwind-tables")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -funwind-tables")
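Review bot: The new `endif(NOT CMAKE_CXX_FLAGS MATCHES "-fstack-protector-all")` repeats its condition, which modern CMake treats as legacy noise and which has to be edited by hand on every change like this one; a bare `endif()` is enough. The substring test also does not remove a `-fstack-protector-strong` that a user put in CXXFLAGS, so both options end up on the command line and the compiler's last-one-wins rule decides, which deserves a one-line comment such as `# -all is appended last so it overrides any -strong coming from the environment`. Since this is a GCC/Clang-only option, the genex-gated form `add_compile_options($<$<CXX_COMPILER_ID:GNU,Clang>:-fstack-protector-all>)` would drop the regex bookkeeping and keep the flag off other compilers' command lines. The enclosing `if(...)` block that this code sits in starts outside the hunk.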
@@ -93,12 +93,21 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
 if(NOT CMAKE_CXX_FLAGS MATCHES "-fasynchronous-unwind-tables")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fasynchronous-unwind-tables")
 endif(NOT CMAKE_CXX_FLAGS MATCHES "-fasynchronous-unwind-tables")
+
+ if(NOT CMAKE_CXX_FLAGS MATCHES "-Wp,-D_FORTIFY_SOURCE=2")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wp,-D_FORTIFY_SOURCE=2")
+ endif(NOT CMAKE_CXX_FLAGS MATCHES "-Wp,-D_FORTIFY_SOURCE=2")
 endif(CMAKE_BUILD_TYPE MATCHES "Release")
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fsplit-stack")
+
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -march=x86-64 -mtune=generic -pipe -fno-plt")
 if(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIC")
 endif(NOT CMAKE_CXX_FLAGS MATCHES "-fPIC")
+ set(LDFLAGS "${LDFLAGS} -Wl,-O1,–sort-common,–as-needed,-z,relro,-z,now,-pic")
+
 # inspired by https://medium.com/@alasher/colored-c-compiler-output-with-ninja-clang-gcc-10bfe7f2b949
 option (COLORS_FOREVER "Always produce ANSI-colored output (GNU/Clang only)." TRUE)
 if (${COLORS_FOREVER})
@@ -112,6 +121,7 @@ add_subdirectory(lib/fmt EXCLUDE_FROM_ALL)
 message(STATUS "Compiler ID: ${CMAKE_CXX_COMPILER_ID}")
 message(STATUS "CMAKE_CXX_FLAGS: ${CMAKE_CXX_FLAGS}")
+ message(STATUS "LDFLAGS: ${LDFLAGS}")
 find_program(LLD lld)
 if(LLD)
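Review bot: The added `set(LDFLAGS ...)` never reaches the link line: CMake picks up `LDFLAGS` only from the environment at first configure, and a CMake-language variable of that name is not consumed by any link step, so unless a later line outside this hunk forwards it, the relro/now/as-needed options and the `-pie` the commit message promises show up only in the `LDFLAGS:` status message of the next hunk. The value is also malformed on its own: `–sort-common` and `–as-needed` appear to start with an en dash rather than `--`, and `-pic` is not a GNU ld option (the intended one is `-pie`), so ld would reject the line once it is actually applied. In this file's style the working form is `set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -pie -Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now")`; alternatively `include(CheckPIESupported)` / `check_pie_supported()` together with `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` lets CMake add `-fPIE` and `-pie` itself and replaces the hand-rolled `-fPIC` test. Separately, `-fsplit-stack` and `-march=x86-64 -mtune=generic -pipe -fno-plt` are appended unconditionally, so configuring on a non-x86 machine or with a compiler other than GCC/Clang now fails; gate them on `CMAKE_SYSTEM_PROCESSOR` and `CMAKE_CXX_COMPILER_ID`, or drop `-march=x86-64`, which is typically already the baseline on x86-64 and an error elsewhere. The `if(CMAKE_BUILD_TYPE MATCHES "Release")` block closed here starts outside the hunk.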