From 8814c668552d49752602fb88ee19871f382345d8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ayd=C4=B1n=20Mercan?= Date: Mon, 30 Jun 2025 12:30:53 +0300 Subject: [PATCH 1/2] ignore hardening flags on plain builds The 'plain' optimization level doesn't add any flags and gives the control to the packager. Similarly, avoid any hardening flags in this level. Necessary flags such as `-fno-delete-null-pointer-checks` and `-fno-strict-aliasing` are still included. --- doc/arm/build.inc.rst | 9 +++++++ meson.build | 55 ++++++++++++++++++++++++++----------------- 2 files changed, 42 insertions(+), 22 deletions(-) diff --git a/doc/arm/build.inc.rst b/doc/arm/build.inc.rst index 64a8010369..5e78871ae7 100644 --- a/doc/arm/build.inc.rst +++ b/doc/arm/build.inc.rst @@ -156,3 +156,12 @@ installed. These can be downloaded from https://developer.apple.com/xcode/resources/ or, if Xcode is already installed, simply run ``xcode-select --install``. (Note that an Apple ID may be required to access the download page.) + +Packager Builds +~~~~~~~~~~~~~~~ + +Packagers are recommended to use the ``plain`` optimization level or the +``plain`` build type when setting up the build directory. This will also +disable the default hardening flags and any such flag must be set with +``CFLAGS``. The top ``meson.build`` file in the source tree can be +inspected for recommended flags. diff --git a/meson.build b/meson.build index 6a1e57fa9a..8536501186 100644 --- a/meson.build +++ b/meson.build @@ -43,6 +43,7 @@ endif developer_mode = get_option('developer').enabled() c_std = get_option('c_std') +optimization = get_option('optimization') sanitizer = get_option('b_sanitize') trace_logging = get_option('trace-logging') 
@@ -148,27 +149,14 @@ add_project_arguments( '-Werror=strict-prototypes', '-Werror=vla', - '-fcf-protection=full', '-fdiagnostics-show-option', '-fno-delete-null-pointer-checks', '-fno-strict-aliasing', - '-fstack-clash-protection', - '-fstack-protector-strong', '-fstrict-flex-arrays=3', ), language: 'c', ) -add_project_link_arguments( - cc.get_supported_link_arguments( - '-Wl,-z,noexecstack', - '-Wl,-z,now', - '-Wl,-z,relro', - '-Wl,-z,separate-code', - ), - language: 'c', -) - if developer_mode add_project_arguments('-Werror', language: 'c') endif @@ -183,16 +171,39 @@ int main(void) { } ''' -if not (get_option('optimization') == '0' or get_option('buildtype') == 'plain') - if cc.compiles( - fortify_test, - args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'], - name: 'usage of _FORTIFY_SOURCE=3', - ) - add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c') - else - add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c') +if optimization != 'plain' + if optimization != '0' + if cc.compiles( + fortify_test, + args: ['-Werror=cpp', '-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3'], + name: 'usage of _FORTIFY_SOURCE=3', + ) + add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=3', language: 'c') + else + add_project_arguments('-U_FORTIFY_SOURCE', '-D_FORTIFY_SOURCE=2', language: 'c') + endif endif + + add_project_arguments( + cc.get_supported_arguments( + '-fcf-protection=full', + '-fstack-clash-protection', + '-fstack-protector-strong', + + '-mbranch-protection=standard', + ), + language: 'c', + ) + + add_project_link_arguments( + cc.get_supported_link_arguments( + '-Wl,-z,noexecstack', + '-Wl,-z,now', + '-Wl,-z,relro', + '-Wl,-z,separate-code', + ), + language: 'c', + ) endif if host_machine.system() == 'x86' From 350e81fde8b3256424184db35a487aa04222e03d Mon Sep 17 00:00:00 2001 
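Review bot: In the hunk that rewrites the `_FORTIFY_SOURCE` condition, a `plain` configure now drops every compile-time and link-time hardening flag without leaving any trace in the configure output. A package built that way whose environment flags omit them ends up without stack protector, control-flow protection, RELRO/BIND_NOW or a non-executable stack, and nothing in the build log says so. An `else` branch such as `message('optimization=plain: hardening flags not added, expecting them from CFLAGS/LDFLAGS')`, or a `summary()` entry, would make the state visible. The `-Wl,-z,...` options are link arguments, so they have to come from `LDFLAGS` rather than `CFLAGS`, and the message should say so. Separately, `-mbranch-protection=standard` is new in this list and not mentioned in the commit message; a short comment that it is the Arm (PAC/BTI) counterpart of `-fcf-protection` would explain why it is here.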
From: =?UTF-8?q?Ayd=C4=B1n=20Mercan?= Date: Mon, 30 Jun 2025 15:08:53 +0300 Subject: [PATCH 2/2] fix x86 specific flags There was a mistake in the host machine check in meson --- meson.build | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/meson.build b/meson.build index 8536501186..d39fa770f8 100644 --- a/meson.build +++ b/meson.build @@ -206,7 +206,7 @@ if optimization != 'plain' ) endif -if host_machine.system() == 'x86' +if host_machine.cpu_family() == 'x86' add_project_arguments( cc.get_supported_arguments( '-Wno-psabi',
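Review bot: `host_machine.cpu_family() == 'x86'` matches 32-bit x86 only, because Meson reports 64-bit targets as `'x86_64'`, and nothing at the condition says that this is intended. Since the previous `system()` comparison could never be true, this block has presumably not been exercised before, so it is worth confirming on a 32-bit build that the flags behave as expected. I would add a comment above the condition, for example `# 32-bit x86 only; cpu_family() is 'x86_64' on 64-bit targets`. The block's body continues past the end of the hunk, so only `-Wno-psabi` is visible here.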