diff --git a/config_host.mk.in b/config_host.mk.in
index 00dc7aa1f898..1d5a83add0c0 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -179,6 +179,9 @@ export ENABLE_GTK3=@ENABLE_GTK3@
 export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
+export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_CFLAGS=@HARDENING_CFLAGS@
+export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
 export ENABLE_HTMLHELP=@ENABLE_HTMLHELP@
 export ENABLE_JAVA=@ENABLE_JAVA@
diff --git a/configure.ac b/configure.ac
index 4bb5ad4d97da..4d96c1e90cf5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1916,6 +1916,13 @@ libo_FUZZ_ARG_ENABLE(release-build,
 See https://wiki.documentfoundation.org/Development/DevBuild]),
 ,)
+libo_FUZZ_ARG_ENABLE(hardening-flags,
+ AS_HELP_STRING([--enable-hardening-flags],
+ [Enable automatically using hardening compiler flags. Distros typically
+ instead use their default configuration via CXXFLAGS, etc. But this provides a
+ convenient set of default hardening flags for non-distros]),
+,)
+
 AC_ARG_ENABLE(windows-build-signing,
 AS_HELP_STRING([--enable-windows-build-signing],
 [Enable signing of windows binaries (*.exe, *.dll)]),
@@ -2929,6 +2936,19 @@ fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
 AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
+dnl ===================================================================
+dnl Test whether build should auto use hardening compiler flags
+dnl ===================================================================
+AC_MSG_CHECKING([whether build should auto use hardening compiler flags])
+if test "$enable_hardening_flags" = "" -o "$enable_hardening_flags" = "no"; then
+ AC_MSG_RESULT([no])
+ ENABLE_HARDENING_FLAGS=
+else
+ AC_MSG_RESULT([yes])
+ ENABLE_HARDENING_FLAGS=TRUE
+fi
+AC_SUBST(ENABLE_HARDENING_FLAGS)
+
 AC_MSG_CHECKING([whether to build a Community flavor])
 if test -z "$enable_community_flavor" -o "$enable_community_flavor" = "yes"; then
 AC_DEFINE(HAVE_FEATURE_COMMUNITY_FLAVOR)
@@ -7381,13 +7401,51 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_CFLAGS=
+HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+ AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -grecord-gcc-switches"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -D_FORTIFY_SOURCE=2])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[#include return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_OPT_CFLAGS="$HARDENING_OPT_CFLAGS -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -D_GLIBCXX_ASSERTIONS])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -Wp,-D_GLIBCXX_ASSERTIONS"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
 AC_MSG_CHECKING([whether $CC_BASE supports -fstack-clash-protection])
 save_CFLAGS=$CFLAGS
 CFLAGS="$CFLAGS -Werror -fstack-clash-protection"
 AC_LINK_IFELSE(
 [AC_LANG_PROGRAM(, [[return 0;]])],
- [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE],
+ [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE; HARDENING_CFLAGS="$HARDENING_CFLAGS -fstack-clash-protection"],
+ [AC_MSG_RESULT([no])])
+ CFLAGS=$save_CFLAGS
+
+ AC_MSG_CHECKING([whether $CC_BASE supports -fcf-protection])
+ save_CFLAGS=$CFLAGS
+ CFLAGS="$CFLAGS -Werror -fcf-protection"
+ AC_LINK_IFELSE(
+ [AC_LANG_PROGRAM(, [[return 0;]])],
+ [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -fcf-protection"],
 [AC_MSG_RESULT([no])])
 CFLAGS=$save_CFLAGS
@@ -7541,6 +7599,8 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_CFLAGS)
+AC_SUBST(HARDENING_OPT_CFLAGS)
 dnl ===================================================================
 dnl Identify the C++ library
diff --git a/distro-configs/CPLinux-LOKit.conf b/distro-configs/CPLinux-LOKit.conf
index f545bb4b8199..0d879e5c99ae 100644
--- a/distro-configs/CPLinux-LOKit.conf
+++ b/distro-configs/CPLinux-LOKit.conf
@@ -1,3 +1,4 @@
+--enable-hardening-flags
 --enable-mpl-subset
 --with-vendor=Collabora
 --disable-community-flavor
diff --git a/solenv/gbuild/platform/com_GCC_defs.mk b/solenv/gbuild/platform/com_GCC_defs.mk
index e8bf170bd454..903424972824 100644
--- a/solenv/gbuild/platform/com_GCC_defs.mk
+++ b/solenv/gbuild/platform/com_GCC_defs.mk
@@ -38,7 +38,9 @@ endif
 gb_COMPILER_SETUP :=
 ifeq ($(strip $(gb_COMPILEROPTFLAGS)),)
-gb_COMPILEROPTFLAGS := -O2
+gb_COMPILEROPTFLAGS := \
+ -O2 -mtune=generic \
+ $(if $(HARDENING_OPT_CFLAGS),$(HARDENING_OPT_CFLAGS))
 endif
 gb_AFLAGS := $(AFLAGS)
@@ -74,6 +76,7 @@ gb_CFLAGS_COMMON := \
 -fmessage-length=0 \
 -fno-common \
 -pipe \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 $(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 gb_CXXFLAGS_COMMON := \
@@ -90,6 +93,7 @@ gb_CXXFLAGS_COMMON := \
 -fmessage-length=0 \
 -fno-common \
 -pipe \
+ $(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 $(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 ifeq ($(HAVE_WDEPRECATED_COPY_DTOR),TRUE)
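Review bot: The -D_FORTIFY_SOURCE=2 probe links under whatever $CFLAGS configure was given, yet HARDENING_OPT_CFLAGS is only ever consumed next to -O2 in gb_COMPILEROPTFLAGS; if the test program's (garbled on this page) #include pulls in a glibc header, features.h emits `#warning _FORTIFY_SOURCE requires compiling with optimization (-O)` whenever no -O level is active, and with -Werror that turns a configure run whose CFLAGS lack -O into a silent "no", so fortification is quietly dropped from the optimized build it was meant for. Probing at the optimization level the flag will actually be used with, `CFLAGS="$CFLAGS -O2 -Werror -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"`, makes the configure answer match the use site. The -D_GLIBCXX_ASSERTIONS probe is a C link test, so a "yes" only proves the preprocessor accepted the define, not that the C++ library honours it; a comment such as `dnl only checks the define is accepted; the macro itself only affects libstdc++ headers` would stop a later reader from taking the result as a guarantee. The enclosing `if test "$GCC" = "yes" ...` block continues past the hunk.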
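Review bot: HARDENING_OPT_CFLAGS is spliced into gb_COMPILEROPTFLAGS whenever configure found the flag usable, but configure sets that variable independently of --enable-hardening-flags, so -D_FORTIFY_SOURCE=2 lands in every optimized build whose compiler passes the probe while the two gb_CFLAGS_COMMON / gb_CXXFLAGS_COMMON hunks below correctly gate HARDENING_CFLAGS on ENABLE_HARDENING_FLAGS; that contradicts the option's help text and changes distro builds that asked for nothing. Gate it the same way as the other two hunks, `$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_OPT_CFLAGS))` — the existing `$(if $(X),$(X))` form is also a no-op wrapper around plain `$(X)`. The new -mtune=generic is added unconditionally and without a configure probe, unlike every other flag in this change; if it is intended it deserves a comment stating why it belongs in the default optimization flags, and if the spelling is not accepted by every target this Makefile serves it should be probed like the rest.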