(PA-6383) add PIE compile flags to runtimes with platform support
h0tw1r3 committed Apr 18, 2024
1 parent f4f021c commit 45bd847
Showing 4 changed files with 40 additions and 0 deletions.
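--- a/configs/projects/_shared-client-tools-runtime.rb
+++ b/configs/projects/_shared-client-tools-runtime.rb
@@ -96,6 +96,16 @@
 proj.setting(:cppflags, "-I#{proj.includedir} -I/opt/pl-build-tools/include")
 proj.setting(:cflags, "#{proj.cppflags}")
 proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
+
+# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
+# stack canary and full RELRO.
+# We only do this on platforms that use their default OS toolchain since pl-gcc versions
+# are too old to support these flags.
+if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora?
+proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
+proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
+proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
+end
 end
 
 # What to build?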
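Review bot: Nothing in the added block actually requests PIE: the new `cflags` are `-fstack-protector-strong -fno-plt -O2` and the new `ldflags` add only `-z,relro,-z,now`, so the comment's "compiling with PIE" holds only where the distro compiler emits PIE by default. That is presumably true on some of the listed platforms but is not guaranteed by these lines, and the same block is repeated in _shared-pe-installer-runtime.rb, bolt-runtime.rb and pdk-runtime.rb. Either pass the flag explicitly where the components tolerate it (`-fPIE` in `cflags`, with `-pie` kept to executable links because it conflicts with shared-library links), or reword the comment to `# PIE is inherited from the OS toolchain default; stack canary, FORTIFY and full RELRO are set here.` A post-build check that `readelf -h` reports type `DYN` for the shipped executables would confirm the result. The enclosing block closes just after the added lines, but it opens outside the hunk.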
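--- a/configs/projects/_shared-pe-installer-runtime.rb
+++ b/configs/projects/_shared-pe-installer-runtime.rb
@@ -37,6 +37,16 @@
 proj.setting(:cflags, "#{proj.cppflags}")
 proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
 
+# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
+# stack canary and full RELRO.
+# We only do this on platforms that use their default OS toolchain since pl-gcc versions
+# are too old to support these flags.
+if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora?
+proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
+proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
+proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
+end
+
 # These flags are applied in addition to the defaults in configs/component/openssl.rb.
 proj.setting(:openssl_extra_configure_flags, [
 'no-dtls',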
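Review bot: The hardened `cflags` no longer interpolate `proj.cppflags`, unlike the default at the top of the hunk (`proj.setting(:cflags, "#{proj.cppflags}")`), so a component that passes only CFLAGS to its build loses both `-I#{proj.includedir}` and `-D_FORTIFY_SOURCE=2` on these platforms. `_FORTIFY_SOURCE` only takes effect together with optimisation, which here lives in `cflags`, so the two settings should travel together. Consider `proj.setting(:cflags, "#{proj.cppflags} -fstack-protector-strong -fno-plt -O2")`. The same applies to the identical blocks in the other three runtime files. Which components consume CFLAGS without CPPFLAGS is not visible in this commit.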
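--- a/configs/projects/bolt-runtime.rb
+++ b/configs/projects/bolt-runtime.rb
@@ -72,6 +72,16 @@
 proj.setting(:cflags, "#{proj.cppflags}")
 proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
 
+# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
+# stack canary and full RELRO.
+# We only do this on platforms that use their default OS toolchain since pl-gcc versions
+# are too old to support these flags.
+if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora?
+proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
+proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
+proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
+end
+
 # Platform specific overrides or settings, which may override the defaults
 if platform.is_windows?
 arch = platform.architecture == "x64" ? "64" : "32"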
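Review bot: The platform predicate on the added `if` line is a five-clause expression pasted verbatim into four project files, so the set of hardened platforms can drift between runtimes when one copy is updated and the others are not. It would be safer to define the predicate once in a shared config and break it over several lines; until then a comment such as `# Keep this platform list in sync with the other *-runtime.rb projects.` above the `if` would at least flag the coupling. In this file the block is followed by "Platform specific overrides or settings, which may override the defaults". Only the Windows branch is visible, so it is worth confirming that no later Linux branch reassigns `cflags` or `ldflags` and silently drops the hardening flags.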
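--- a/configs/projects/pdk-runtime.rb
+++ b/configs/projects/pdk-runtime.rb
@@ -117,6 +117,16 @@
 proj.setting(:cflags, proj.cppflags.to_s)
 proj.setting(:ldflags, "-L#{proj.libdir} -L/opt/pl-build-tools/lib -Wl,-rpath=#{proj.libdir}")
 
+# Harden Linux ELF binaries by compiling with PIE (Position Independent Executables) support,
+# stack canary and full RELRO.
+# We only do this on platforms that use their default OS toolchain since pl-gcc versions
+# are too old to support these flags.
+if (platform.is_sles? && platform.os_version.to_i >= 15) || (platform.is_el? && platform.os_version.to_i >= 8) || platform.is_debian? || (platform.is_ubuntu? && platform.os_version.to_i >= 20) || platform.is_fedora?
+proj.setting(:cppflags, "-I#{proj.includedir} -D_FORTIFY_SOURCE=2")
+proj.setting(:cflags, '-fstack-protector-strong -fno-plt -O2')
+proj.setting(:ldflags, "-L#{proj.libdir} -Wl,-rpath=#{proj.libdir},-z,relro,-z,now")
+end
+
 if platform.is_windows?
 proj.setting(:gcc_root, 'C:/tools/mingw64')
 proj.setting(:gcc_bindir, "#{proj.gcc_root}/bin")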
