2
0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-22 10:10:06 +00:00

fix: nil: ignore hardening flags on plain builds

The 'plain' optimization level doesn't add any flags and gives the
control to the packager. Similarly, avoid any hardening flags in this
level.

Necessary flags such as `-fno-delete-null-pointer-checks` and
`-fno-strict-aliasing` are still included.

Merge branch 'aydin/plain-build' into 'main'

See merge request isc-projects/bind9!10673
This commit is contained in:
Aydın Mercan 2025-07-01 23:49:47 +03:00
commit e5a4b46fa3
2 changed files with 43 additions and 23 deletions

View File

@ -156,3 +156,12 @@ installed. These can be downloaded from
https://developer.apple.com/xcode/resources/ or, if Xcode is already
installed, simply run ``xcode-select --install``. (Note that an Apple ID
may be required to access the download page.)
Packager Builds
~~~~~~~~~~~~~~~
Packagers are recommended to use the ``plain`` optimization level or the
``plain`` build type when setting up the build directory. This will also
disable the default hardening flags and any such flag must be set with
``CFLAGS``. The top ``meson.build`` file in the source tree can be
inspected for recommended flags.

View File

@ -43,6 +43,7 @@ endif
developer_mode = get_option('developer').enabled()
c_std = get_option('c_std')
optimization = get_option('optimization')
sanitizer = get_option('b_sanitize')
trace_logging = get_option('trace-logging')
@ -148,27 +149,14 @@ add_project_arguments(
'-Werror=strict-prototypes',
'-Werror=vla',
'-fcf-protection=full',
'-fdiagnostics-show-option',
'-fno-delete-null-pointer-checks',
'-fno-strict-aliasing',
'-fstack-clash-protection',
'-fstack-protector-strong',
'-fstrict-flex-arrays=3',
),
language: 'c',
)
add_project_link_arguments(
cc.get_supported_link_arguments(
'-Wl,-z,noexecstack',
'-Wl,-z,now',
'-Wl,-z,relro',
'-Wl,-z,separate-code',
),
language: 'c',
)
if developer_mode
add_project_arguments('-Werror', language: 'c')
endif
@ -183,19 +171,42 @@ int main(void) {
}
'''
if not (get_option('optimization') == '0' or get_option('buildtype') == 'plain')
if cc.compiles(
fortify_test,
args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'],
name: 'usage of _FORTIFY_SOURCE=3',
)
add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c')
else
add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c')
if optimization != 'plain'
if optimization != '0'
if cc.compiles(
fortify_test,
args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'],
name: 'usage of _FORTIFY_SOURCE=3',
)
add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c')
else
add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c')
endif
endif
add_project_arguments(
cc.get_supported_arguments(
'-fcf-protection=full',
'-fstack-clash-protection',
'-fstack-protector-strong',
'-mbranch-protection=standard',
),
language: 'c',
)
add_project_link_arguments(
cc.get_supported_link_arguments(
'-Wl,-z,noexecstack',
'-Wl,-z,now',
'-Wl,-z,relro',
'-Wl,-z,separate-code',
),
language: 'c',
)
endif
if host_machine.system() == 'x86'
if host_machine.cpu_family() == 'x86'
add_project_arguments(
cc.get_supported_arguments(
'-Wno-psabi',