From 0548e971eeb7fc7ceffaa608f1ece638d6549ec1 Mon Sep 17 00:00:00 2001
From: Daniel Borkmann
Date: Fri, 24 May 2013 13:48:50 +0200
Subject: make: add HARDENING build option
Add HARDENING=1 build option and move all hardening-related GCC flags into this condition. This allows the user to choose whether or not he wants to have a hardened build with some possible performance tradeoff at load/runtime.
Signed-off-by: Daniel Borkmann
---
 Makefile | 25 +++++++++++++++++--------
 1 file changed, 17 insertions(+), 8 deletions(-)
(limited to 'Makefile')
diff --git a/Makefile b/Makefile
index 2c7852a..b303f77 100644
--- a/Makefile
+++ b/Makefile
@@ -38,8 +38,8 @@ endif
 # For packaging purposes, you might want to call your own:
 # make CFLAGS=""
-CFLAGS_DEF = -fstack-protector-all -Wstack-protector
-CFLAGS_DEF += --param=ssp-buffer-size=4
+CFLAGS_DEF = -std=gnu99
+
 ifeq ($(DEBUG), 1)
 CFLAGS_DEF += -g
 CFLAGS_DEF += -O2
@@ -47,21 +47,29 @@ else
 CFLAGS_DEF += -march=native
 CFLAGS_DEF += -mtune=native
 CFLAGS_DEF += -O3
- CFLAGS_DEF += -fPIE -pie
 CFLAGS_DEF += -pipe
 CFLAGS_DEF += -fomit-frame-pointer
+endif
+
+ifeq ($(HARDENING), 1)
+ CFLAGS_DEF += -fPIE -pie
 CFLAGS_DEF += -Wl,-z,relro,-z,now
+ CFLAGS_DEF += -fstack-protector-all
+ CFLAGS_DEF += -Wstack-protector
+ CFLAGS_DEF += --param=ssp-buffer-size=4
+ CFLAGS_DEF += -ftrapv
+ CFLAGS_DEF += -D_FORTIFY_SOURCE=2
+ CFLAGS_DEF += -fexceptions
 endif
+
 CFLAGS_DEF += -fno-strict-aliasing
-CFLAGS_DEF += -fexceptions -ftrapv
 CFLAGS_DEF += -fasynchronous-unwind-tables
 CFLAGS_DEF += -fno-delete-null-pointer-checks
-CFLAGS_DEF += -D_FORTIFY_SOURCE=2
+
 CFLAGS_DEF += -D_REENTRANT
-CFLAGS_DEF += -D_FILE_OFFSET_BITS=64
 CFLAGS_DEF += -D_LARGEFILE_SOURCE
 CFLAGS_DEF += -D_LARGEFILE64_SOURCE
-CFLAGS_DEF += -std=gnu99
+CFLAGS_DEF += -D_FILE_OFFSET_BITS=64
 WFLAGS_DEF = -Wall
 WFLAGS_DEF += -Wformat=2
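Review bot: A plain `make` now builds with none of the protections the previous defaults carried, because `CFLAGS_DEF = -std=gnu99` replaces the stack-protector flags here and the `@@ -47,21 +47,29 @@` hunk moves `-D_FORTIFY_SOURCE=2`, `-ftrapv`, `-fPIE -pie` and `-Wl,-z,relro,-z,now` under `ifeq ($(HARDENING), 1)`. Unless HARDENING is given a default somewhere outside these hunks, I would make the option opt-out by adding `HARDENING ?= 1` ahead of the conditional, so that `HARDENING=0` is the explicit choice for users who want the performance back. At minimum the help line added in the `@@ -332,6 +340,7 @@` hunk should say that the default is off, so packagers do not ship unhardened binaries without noticing.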
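Review bot: The new `ifeq ($(HARDENING), 1)` block in the `@@ -47,21 +47,29 @@` hunk has no comment saying what its flags depend on, and two of them are easy to switch on without effect. `-D_FORTIFY_SOURCE=2` only instruments calls when optimisation is enabled, and `-pie` and `-Wl,-z,relro,-z,now` act at link time, so they matter only if CFLAGS_DEF reaches the link command, which this hunk does not show. I would add above the block `# Hardening: _FORTIFY_SOURCE needs -O1 or higher; -pie and -z relro/now must reach the link step.` The result is worth confirming on a built binary: `readelf -lW` should list a GNU_RELRO segment and `readelf -dW` a BIND_NOW flag.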
@@ -69,8 +77,8 @@ WFLAGS_DEF += -Wmissing-prototypes
 WFLAGS_DEF += -Wdeclaration-after-statement
 WFLAGS_DEF += -Werror-implicit-function-declaration
 WFLAGS_DEF += -Wstrict-prototypes
-WFLAGS_DEF += -Wundef
 WFLAGS_DEF += -Wimplicit-int
+WFLAGS_DEF += -Wundef
 WFLAGS_EXTRA = -Wno-unused-result
 WFLAGS_EXTRA += -Wmissing-parameter-type
@@ -332,6 +340,7 @@ help:
 $(Q)echo " help - Show this help"
 $(Q)echo "$(bold)Available parameters:$(normal)"
 $(Q)echo " DEBUG=1 - Enable debugging"
+ $(Q)echo " HARDENING=1 - Enable GCC hardening of executables"
 $(Q)echo " PREFIX=/path - Install path prefix"
 $(Q)echo " CROSS_COMPILE=/path-prefix - Kernel-like cross-compiling prefix"
 $(Q)echo " CROSS_LD_LIBRARY_PATH=/path - Library search path for cross-compiling"
--
cgit v1.2.3-54-g00ecf