From 2e50b3850ba2074dba41e6ea07c9e7d236af0d6c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolan.mcnamara@collabora.com>
Date: Tue, 13 Feb 2024 15:17:48 +0000
Subject: [PATCH] add --enable-hardening-flags to enable compiler hardening
 flags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

distros typically have their own set via C[XX]FLAGS, so make
this an optional argument

some notes on the options:

-Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2
https://www.redhat.com/en/blog/enhance-application-security-fortifysource
(I see Fedora has recently bumped to to 3 since Jan 2024
https://fedoraproject.org/wiki/Changes/Add_FORTIFY_SOURCE%3D3_to_distribution_build_flags
but here use 2 for now instead)

-Wp,-D_GLIBCXX_ASSERTIONS
https://fedoraproject.org/wiki/Changes/HardeningFlags28

-fstack-protector-strong
(We already apply this by default)

-fstack-clash-protection
https://fedoraproject.org/wiki/Changes/HardeningFlags28

-fcf-protection
https://fedoraproject.org/wiki/Changes/HardeningFlags28
https://cgit.freedesktop.org/libreoffice/core/commit/?id=af55dc3891f7950d392175004b2090cb0e54828e

and record the compiler flags in debuginfo
-grecord-gcc-switches

Change-Id: Ib05387bad8324b188bd4ed0ee327d6a7cf83973b
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/163312
Tested-by: Jenkins CollaboraOffice <jenkinscollaboraoffice@gmail.com>
Reviewed-by: Andras Timar <andras.timar@collabora.com>
(cherry picked from commit 33483058f6e27f39633114721f7329c90571101d)
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/166289
Tested-by: Jenkins
Reviewed-by: Caolán McNamara <caolan.mcnamara@collabora.com>
---
 config_host.mk.in                      |  3 ++
 configure.ac                           | 62 +++++++++++++++++++++++++-
 distro-configs/CPLinux-LOKit.conf      |  1 +
 solenv/gbuild/platform/com_GCC_defs.mk |  6 ++-
 4 files changed, 70 insertions(+), 2 deletions(-)

diff --git a/config_host.mk.in b/config_host.mk.in
index 00dc7aa1f898..1d5a83add0c0 100644
--- a/config_host.mk.in
+++ b/config_host.mk.in
@@ -179,6 +179,9 @@ export ENABLE_GTK3=@ENABLE_GTK3@
 export ENABLE_GTK4=@ENABLE_GTK4@
 export ENABLE_GTKTILEDVIEWER=@ENABLE_GTKTILEDVIEWER@
 export DISABLE_GUI=@DISABLE_GUI@
+export ENABLE_HARDENING_FLAGS=@ENABLE_HARDENING_FLAGS@
+export HARDENING_CFLAGS=@HARDENING_CFLAGS@
+export HARDENING_OPT_CFLAGS=@HARDENING_OPT_CFLAGS@
 export ENABLE_HEADLESS=@ENABLE_HEADLESS@
 export ENABLE_HTMLHELP=@ENABLE_HTMLHELP@
 export ENABLE_JAVA=@ENABLE_JAVA@
diff --git a/configure.ac b/configure.ac
index 4bb5ad4d97da..4d96c1e90cf5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1916,6 +1916,13 @@ libo_FUZZ_ARG_ENABLE(release-build,
          See https://wiki.documentfoundation.org/Development/DevBuild]),
 ,)
 
+libo_FUZZ_ARG_ENABLE(hardening-flags,
+    AS_HELP_STRING([--enable-hardening-flags],
+        [Enable automatically using hardening compiler flags. Distros typically
+         instead use their default configuration via CXXFLAGS, etc. But this provides a
+         convenient set of default hardening flags for non-distros]),
+,)
+
 AC_ARG_ENABLE(windows-build-signing,
     AS_HELP_STRING([--enable-windows-build-signing],
         [Enable signing of windows binaries (*.exe, *.dll)]),
@@ -2929,6 +2936,19 @@ fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
 AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
 
+dnl ===================================================================
+dnl Test whether build should auto use hardening compiler flags
+dnl ===================================================================
+AC_MSG_CHECKING([whether build should auto use hardening compiler flags])
+if test "$enable_hardening_flags" = "" -o "$enable_hardening_flags" = "no"; then
+    AC_MSG_RESULT([no])
+    ENABLE_HARDENING_FLAGS=
+else
+    AC_MSG_RESULT([yes])
+    ENABLE_HARDENING_FLAGS=TRUE
+fi
+AC_SUBST(ENABLE_HARDENING_FLAGS)
+
 AC_MSG_CHECKING([whether to build a Community flavor])
 if test -z "$enable_community_flavor" -o "$enable_community_flavor" = "yes"; then
     AC_DEFINE(HAVE_FEATURE_COMMUNITY_FLAVOR)
@@ -7381,13 +7401,51 @@ dnl ===================================================================
 dnl GCC features
 dnl ===================================================================
 HAVE_GCC_STACK_CLASH_PROTECTION=
+HARDENING_CFLAGS=
+HARDENING_OPT_CFLAGS=
 if test "$GCC" = "yes" -o "$COM_IS_CLANG" = TRUE; then
+    AC_MSG_CHECKING([whether $CC_BASE supports -grecord-gcc-switches])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -grecord-gcc-switches"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -grecord-gcc-switches"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -D_FORTIFY_SOURCE=2])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[#include <string.h> return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_OPT_CFLAGS="$HARDENING_OPT_CFLAGS -Wp,-U_FORTIFY_SOURCE,-D_FORTIFY_SOURCE=2"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -D_GLIBCXX_ASSERTIONS])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -Wp,-D_GLIBCXX_ASSERTIONS"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -Wp,-D_GLIBCXX_ASSERTIONS"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
     AC_MSG_CHECKING([whether $CC_BASE supports -fstack-clash-protection])
     save_CFLAGS=$CFLAGS
     CFLAGS="$CFLAGS -Werror -fstack-clash-protection"
     AC_LINK_IFELSE(
         [AC_LANG_PROGRAM(, [[return 0;]])],
-        [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE],
+        [AC_MSG_RESULT([yes]); HAVE_GCC_STACK_CLASH_PROTECTION=TRUE; HARDENING_CFLAGS="$HARDENING_CFLAGS -fstack-clash-protection"],
+        [AC_MSG_RESULT([no])])
+    CFLAGS=$save_CFLAGS
+
+    AC_MSG_CHECKING([whether $CC_BASE supports -fcf-protection])
+    save_CFLAGS=$CFLAGS
+    CFLAGS="$CFLAGS -Werror -fcf-protection"
+    AC_LINK_IFELSE(
+        [AC_LANG_PROGRAM(, [[return 0;]])],
+        [AC_MSG_RESULT([yes]); HARDENING_CFLAGS="$HARDENING_CFLAGS -fcf-protection"],
         [AC_MSG_RESULT([no])])
     CFLAGS=$save_CFLAGS
 
@@ -7541,6 +7599,8 @@ fi
 AC_SUBST(HAVE_GCC_AVX)
 AC_SUBST(HAVE_GCC_BUILTIN_ATOMIC)
 AC_SUBST(HAVE_GCC_STACK_CLASH_PROTECTION)
+AC_SUBST(HARDENING_CFLAGS)
+AC_SUBST(HARDENING_OPT_CFLAGS)
 
 dnl ===================================================================
 dnl Identify the C++ library
diff --git a/distro-configs/CPLinux-LOKit.conf b/distro-configs/CPLinux-LOKit.conf
index f545bb4b8199..0d879e5c99ae 100644
--- a/distro-configs/CPLinux-LOKit.conf
+++ b/distro-configs/CPLinux-LOKit.conf
@@ -1,3 +1,4 @@
+--enable-hardening-flags
 --enable-mpl-subset
 --with-vendor=Collabora
 --disable-community-flavor
diff --git a/solenv/gbuild/platform/com_GCC_defs.mk b/solenv/gbuild/platform/com_GCC_defs.mk
index e8bf170bd454..903424972824 100644
--- a/solenv/gbuild/platform/com_GCC_defs.mk
+++ b/solenv/gbuild/platform/com_GCC_defs.mk
@@ -38,7 +38,9 @@ endif
 gb_COMPILER_SETUP :=
 
 ifeq ($(strip $(gb_COMPILEROPTFLAGS)),)
-gb_COMPILEROPTFLAGS := -O2
+gb_COMPILEROPTFLAGS := \
+	-O2 -mtune=generic \
+	$(if $(HARDENING_OPT_CFLAGS),$(HARDENING_OPT_CFLAGS))
 endif
 
 gb_AFLAGS := $(AFLAGS)
@@ -74,6 +76,7 @@ gb_CFLAGS_COMMON := \
 	-fmessage-length=0 \
 	-fno-common \
 	-pipe \
+	$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 	$(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 
 gb_CXXFLAGS_COMMON := \
@@ -90,6 +93,7 @@ gb_CXXFLAGS_COMMON := \
 	-fmessage-length=0 \
 	-fno-common \
 	-pipe \
+	$(if $(ENABLE_HARDENING_FLAGS),$(HARDENING_CFLAGS)) \
 	$(if $(filter EMSCRIPTEN,$(OS)),-fno-stack-protector,-fstack-protector-strong) \
 
 ifeq ($(HAVE_WDEPRECATED_COPY_DTOR),TRUE)