diff --git a/CMakeLists.txt b/CMakeLists.txt index 1b5d893104f..71943b93b66 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -253,6 +253,14 @@ if(NOT "${CMAKE_CXX_FLAGS}" STREQUAL "${COMPILER_FLAGS}") ) endif(NOT "${CMAKE_CXX_FLAGS}" STREQUAL "${COMPILER_FLAGS}") +# check for hardening options +if(HARDEN) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -fPIE -fstack-protector-strong") + set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fPIE -fstack-protector-strong") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -fPIE -pie -Wl,-z,now,-z,relro") + add_definitions(-D_FORTIFY_SOURCE=2) +endif(HARDEN) + if(UNIX AND NOT CMAKE_COMPILER_IS_GNUCXX) # Assume the compiler is the clang compiler. set(CMAKE_EXE_LINKER_FLAGS "-lstdc++ -lm ${CMAKE_EXE_LINKER_FLAGS}") diff --git a/SConstruct b/SConstruct index 70ed15fd1d8..861a4eab00c 100755 --- a/SConstruct +++ b/SConstruct @@ -56,6 +56,7 @@ opts.AddVariables( BoolVariable('enable_lto', 'Whether to enable Link Time Optimization for build=release', False), ('arch', 'What -march option to use for build=release, will default to pentiumpro on Windows', ""), ('opt', 'override for the build\'s optimization level', ""), + BoolVariable('harden', 'Whether to enable options to harden the executables', False), BoolVariable('glibcxx_debug', 'Whether to define _GLIBCXX_DEBUG and _GLIBCXX_DEBUG_PEDANTIC for build=debug', False), EnumVariable('profiler', 'profiler to be used for build=profile', "gprof", ["gprof", "gcov", "gperftools", "perf"]), EnumVariable('pgo_data', 'whether to generate profiling data for PGO, or use existing profiling data', "", ["", "generate", "use"]), @@ -499,6 +500,15 @@ for env in [test_env, client_env, env]: else: env["opt"] = env["opt"]+" " +# # +# Add options to provide more hardened executables +# # + + if env['harden']: + env.AppendUnique(CCFLAGS = ["-fPIE", "-fstack-protector-strong"]) + env.AppendUnique(LINKFLAGS = ["-fPIE", "-pie", "-Wl,-z,now,-z,relro"]) + env.AppendUnique(CPPDEFINES = ["_FORTIFY_SOURCE=2"]) + # # # Start determining options for debug build # #