From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefano Brivio To: passt-dev@passt.top Subject: [PATCH 11/24] Makefile: Enable a few hardening flags Date: Fri, 25 Mar 2022 23:52:47 +0100 Message-ID: <20220325225300.2803584-12-sbrivio@redhat.com> In-Reply-To: <20220325225300.2803584-1-sbrivio@redhat.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7394568211631242895==" --===============7394568211631242895== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable They don't have a measurable performance impact and make things a bit safer. Signed-off-by: Stefano Brivio --- Makefile | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/Makefile b/Makefile index a2640ff..de3175d 100644 --- a/Makefile +++ b/Makefile @@ -24,6 +24,7 @@ AUDIT_ARCH :=3D $(shell echo $(AUDIT_ARCH) | sed 's/PPC64/P= PC/') AUDIT_ARCH :=3D $(shell echo $(AUDIT_ARCH) | sed 's/PPCLE/PPC64LE/') =20 CFLAGS +=3D -Wall -Wextra -pedantic -std=3Dc99 -D_XOPEN_SOURCE=3D700 -D_GNU_= SOURCE +CFLAGS +=3D -D_FORTIFY_SOURCE=3D2 -O2 -pie -fPIE CFLAGS +=3D -DPAGE_SIZE=3D$(shell getconf PAGE_SIZE) CFLAGS +=3D -DNETNS_RUN_DIR=3D\"/run/netns\" CFLAGS +=3D -DPASST_AUDIT_ARCH=3DAUDIT_ARCH_$(AUDIT_ARCH) @@ -64,6 +65,10 @@ ifeq ($(shell printf "$(C)" | $(CC) -S -xc - -o - >/dev/nu= ll 2>&1; echo $$?),0) CFLAGS +=3D -DHAS_GETRANDOM endif =20 +ifeq ($(shell :|$(CC) -fstack-protector-strong -S -xc - >/dev/null 2>&1; ech= o $$?),0) + CFLAGS +=3D -fstack-protector-strong +endif + prefix ?=3D /usr/local =20 ifeq ($(TARGET_ARCH),X86_64) @@ -87,7 +92,8 @@ passt: $(filter-out qrap.c,$(wildcard *.c)) \ passt.avx2: CFLAGS +=3D -Ofast -mavx2 -ftree-vectorize -funroll-loops passt.avx2: $(filter-out qrap.c,$(wildcard *.c)) \ $(filter-out qrap.h,$(wildcard *.h)) seccomp.h - $(CC) $(CFLAGS) $(filter-out qrap.c,$(wildcard *.c)) -o passt.avx2 + $(CC) $(filter-out -O2,$(CFLAGS)) $(filter-out qrap.c,$(wildcard *.c)) \ + -o passt.avx2 =20 passt.avx2: passt =20 
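Review bot: `-pie` is a link-time option, and putting it into CFLAGS in the first hunk is what makes the `$(filter-out -pie,$(CFLAGS))` workaround in the clang-tidy hunk at the end of this patch necessary. Keeping compile and link flags apart, e.g. `CFLAGS += -D_FORTIFY_SOURCE=2 -O2 -fPIE` plus `LDFLAGS += -pie`, would remove the need for that filter. The link recipes visible in this patch pass only `$(CFLAGS)`, so they would have to add `$(LDFLAGS)` as well. A separate link variable would also be the natural place for `-Wl,-z,relro,-z,now`, the usual companion to PIE, which this patch does not enable.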
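Review bot: The new `-fstack-protector-strong` probe runs `$(CC) ... -S -xc -` without naming an output, unlike the existing probe shown in this hunk's header, which passes `-o -`. With input on stdin GCC derives the output name from the input, so each parse of the Makefile likely leaves a stray `-.s` file in the build directory. Adding `-o -` keeps the probe free of side effects: `ifeq ($(shell :|$(CC) -fstack-protector-strong -S -xc - -o - >/dev/null 2>&1; echo $$?),0)`. The probe also falls through silently, so a build with a compiler that rejects the flag loses the stack protector with no indication. A `$(warning ...)` in an `else` branch would make that visible to packagers.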
@@ -227,7 +233,7 @@ clang-tidy: $(wildcard *.c) $(wildcard *.h) -readability-function-cognitive-complexity,\ -altera-struct-pack-align,\ -concurrency-mt-unsafe \ - --warnings-as-errors=3D* $(wildcard *.c) -- $(CFLAGS) + --warnings-as-errors=3D* $(wildcard *.c) -- $(filter-out -pie,$(CFLAGS)) =20 ifeq ($(shell $(CC) -v 2>&1 | grep -c "gcc version"),1) TARGET :=3D $(shell ${CC} -v 2>&1 | sed -n 's/Target: \(.*\)/\1/p') --=20 2.35.1 --===============7394568211631242895==--