From 32cead0196bc9adc64a4c2971284ebc36ce17819 Mon Sep 17 00:00:00 2001
From: Christian Menges
Date: Mon, 8 Jul 2024 20:33:15 +0200
Subject: [PATCH] build: Set security flags for release builds (#6087)

---------

Signed-off-by: Christian Menges
---
 CMakeLists.txt | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 0e2a880b277..a73df878ff5 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -110,6 +110,8 @@ option(FLB_RELEASE "Build with release mode (-O2 -g -DNDEBUG)" No)
 set(FLB_IPO "ReleaseOnly" CACHE STRING "Build with interprocedural optimization")
 set_property(CACHE FLB_IPO PROPERTY STRINGS "On;Off;ReleaseOnly")
 option(FLB_SMALL "Optimise for small size" No)
+set(FLB_SECURITY "ReleaseOnly" CACHE STRING "Build with security optimizations")
+set_property(CACHE FLB_SECURITY PROPERTY STRINGS "On;Off;ReleaseOnly")
 option(FLB_COVERAGE "Build with code-coverage" No)
 option(FLB_JEMALLOC "Build with Jemalloc support" No)
 option(FLB_REGEX "Build with Regex support" Yes)
@@ -332,6 +334,21 @@ if(FLB_IPO STREQUAL "On" OR (FLB_IPO STREQUAL "ReleaseOnly" AND FLB_RELEASE))
   endif()
 endif()
 
+# Harden release binary against security vulnerabilities
+if(FLB_SECURITY STREQUAL "On" OR (FLB_SECURITY STREQUAL "ReleaseOnly" AND FLB_RELEASE))
+  if (NOT MSVC)
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,relro,-z,now")
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-z,noexecstack")
+    if(NOT FLB_SMALL)
+      set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector")
+      # Fortify requires optimization
+      if(CMAKE_BUILD_TYPE STREQUAL "Release" OR CMAKE_BUILD_TYPE STREQUAL "RelWithDebInfo")
+        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -D_FORTIFY_SOURCE=1")
+      endif()
+    endif()
+  endif()
+endif()
+
 if(FLB_PARSER)
   FLB_DEFINITION(FLB_HAVE_PARSER)
   message(STATUS "Enabling FLB_REGEX since FLB_PARSER requires")
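Review bot: The cache description `"Build with security optimizations"` on the new `FLB_SECURITY` line mislabels what the option does — the flags it switches on (RELRO/BIND_NOW, noexecstack, stack protector, fortify) are exploit mitigations that cost a little performance rather than optimizations, and a user scanning `ccmake` should not read them as a speed knob. Suggest `set(FLB_SECURITY "ReleaseOnly" CACHE STRING "Build with security hardening flags (RELRO, noexecstack, stack protector, fortify)")`. The `STRINGS` property mirrors the `FLB_IPO` pattern just above it, which is the right choice for a three-way setting.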
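Review bot: The two `-Wl,-z,...` lines put linker-only options into `CMAKE_C_FLAGS`, so they reach the linker only when the C compiler driver happens to run the link step and are silently absent from any link driven by another language; they belong in `CMAKE_EXE_LINKER_FLAGS` and `CMAKE_SHARED_LINKER_FLAGS` (or `add_link_options()`), and because they are appended unprobed, a `check_linker_flag()` guard from `CheckLinkerFlag` would keep linkers that reject `-z` options from breaking the configure. `-fstack-protector` instruments only functions with sizeable char arrays, whereas `-fstack-protector-strong` is the level distributions ship with at negligible extra cost. `-D_FORTIFY_SOURCE=1` is the weakest fortify level, and on toolchains that already predefine the macro (Ubuntu's GCC does) the plain `-D` produces a redefinition warning on every translation unit; `-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2` is the conventional form. The fortify branch also keys on `CMAKE_BUILD_TYPE`, which is empty under multi-config generators and, if `FLB_RELEASE` sets `-O2` without also setting the build type (handled outside this hunk), would skip fortification in exactly the configuration the `ReleaseOnly` default targets. No PIE setting is added, so ASLR of the main executable is left to the toolchain default; `CMAKE_POSITION_INDEPENDENT_CODE` plus `CheckPIESupported` would close that gap.
```cmake
if(FLB_SECURITY STREQUAL "On" OR (FLB_SECURITY STREQUAL "ReleaseOnly" AND FLB_RELEASE))
  if (NOT MSVC)
    # Linker-only hardening goes on the link line, not into the compile flags
    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} -Wl,-z,relro,-z,now -Wl,-z,noexecstack")
    set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} -Wl,-z,relro,-z,now -Wl,-z,noexecstack")
    if(NOT FLB_SMALL)
      set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -fstack-protector-strong")
      # Fortify requires optimization; undefine first so a toolchain default does not cause a redefinition warning
      if(CMAKE_BUILD_TYPE STREQUAL "Release" OR CMAKE_BUILD_TYPE STREQUAL "RelWithDebInfo")
        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2")
      endif()
    endif()
  endif()
endif()
```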