Add option to build wesnoth with hardening options.

(cherry-picked from commit 6c5fc82b1b)

CMakeLists.txt

@@ -253,6 +253,14 @@ if(NOT "${CMAKE_CXX_FLAGS}" STREQUAL "${COMPILER_FLAGS}")
 	)
 endif(NOT "${CMAKE_CXX_FLAGS}" STREQUAL "${COMPILER_FLAGS}")
 
+# check for hardening options
+if(HARDEN)
+	set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -fstack-protector-strong")
+	set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE -fstack-protector-strong")
+	set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie -Wl,-z,now,-z,relro")
+	add_definitions(-D_FORTIFY_SOURCE=2)
+endif(HARDEN)
+
 if(UNIX AND NOT CMAKE_COMPILER_IS_GNUCXX)
 	# Assume the compiler is the clang compiler.
 	set(CMAKE_EXE_LINKER_FLAGS "-lstdc++ -lm ${CMAKE_EXE_LINKER_FLAGS}")

SConstruct

@@ -56,6 +56,7 @@ opts.AddVariables(
     BoolVariable('enable_lto', 'Whether to enable Link Time Optimization for build=release', False),
     ('arch', 'What -march option to use for build=release, will default to pentiumpro on Windows', ""),
     ('opt', 'override for the build\'s optimization level', ""),
+    BoolVariable('harden', 'Whether to enable options to harden the executables', False),
     BoolVariable('glibcxx_debug', 'Whether to define _GLIBCXX_DEBUG and _GLIBCXX_DEBUG_PEDANTIC for build=debug', False),
     EnumVariable('profiler', 'profiler to be used for build=profile', "gprof", ["gprof", "gcov", "gperftools", "perf"]),
     EnumVariable('pgo_data', 'whether to generate profiling data for PGO, or use existing profiling data', "", ["", "generate", "use"]),
@@ -499,6 +500,15 @@ for env in [test_env, client_env, env]:
         else:
             env["opt"] = env["opt"]+" "
 
+# #
+# Add options to provide more hardened executables
+# #
+
+        if env['harden']:
+            env.AppendUnique(CCFLAGS = ["-fPIE", "-fstack-protector-strong"])
+            env.AppendUnique(LINKFLAGS = ["-fPIE", "-pie", "-Wl,-z,now,-z,relro"])
+            env.AppendUnique(CPPDEFINES = ["_FORTIFY_SOURCE=2"])
+
 # #
 # Start determining options for debug build
 # #