Bug 620058 - Add a --enable-hardening flag, which compiles with -fstack-protector-strong on GCC and Clang
This flag enables the stack-cookie exploit mitigation for all functions which
manipulate stack-based buffers, providing better protections than
-fstack-protector, at considerably lower performance overhead than
-fstack-protector-all.
r=froydnj
MozReview-Commit-ID: 7ZNAHHAf376
--- a/build/moz.configure/toolchain.configure
+++ b/build/moz.configure/toolchain.configure
@@ -969,8 +969,21 @@ set_config('VISIBILITY_FLAGS', visibilit
# We only want to include windows.configure when we are compiling on
# Windows, for Windows.
@depends(target, host)
def is_windows(target, host):
return host.kernel == 'WINNT' and target.kernel == 'WINNT'
include('windows.configure', when=is_windows)
+
+# Security Hardening
+# ==============================================================
+
+option('--enable-hardening', env='MOZ_SECURITY_HARDENING',
+ help='Enables security hardening compiler options')
+
+@depends('--enable-hardening', c_compiler)
+def security_hardening_cflags(value, c_compiler):
+ if value and c_compiler.type in ['gcc', 'clang']:
+ return '-fstack-protector-strong'
+
+add_old_configure_assignment('HARDENING_CFLAGS', security_hardening_cflags)
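Review bot: `security_hardening_cflags` returns `-fstack-protector-strong` for any `gcc` or `clang` compiler without checking that the compiler accepts it. The flag first appeared in GCC 4.9, so `--enable-hardening` on an older toolchain would fail every compile with an unrecognized-option error rather than degrade gracefully. I would gate the return on the compiler version or on a test compile, and fall back to `-fstack-protector` or raise a clear configure error otherwise. The function also depends only on `c_compiler`, although the other hunk applies the result to `CXXFLAGS`, so a mismatched C++ compiler is not considered. A comment above the function such as `# Stack cookies only: mitigates stack buffer overflows, not heap corruption; returns None (no flags) when disabled or unsupported` would make the scope of the option clear.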
--- a/old-configure.in
+++ b/old-configure.in
@@ -548,16 +548,21 @@ fi
if test -n "${CLANG_CXX}${CLANG_CL}"; then
_WARNINGS_CXXFLAGS="-Qunused-arguments ${_WARNINGS_CXXFLAGS}"
fi
if test -n "$COMPILE_ENVIRONMENT"; then
MOZ_CONFIG_SANITIZE
fi
+# Add the hardening flags from moz.configure
+CFLAGS="$CFLAGS $HARDENING_CFLAGS"
+CPPFLAGS="$CPPFLAGS $HARDENING_CFLAGS"
+CXXFLAGS="$CXXFLAGS $HARDENING_CFLAGS"
+
dnl ========================================================
dnl GNU specific defaults
dnl ========================================================
if test "$GNU_CC"; then
MMX_FLAGS="-mmmx"
SSE_FLAGS="-msse"
SSE2_FLAGS="-msse2"
SSSE3_FLAGS="-mssse3"
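Review bot: The added `CPPFLAGS="$CPPFLAGS $HARDENING_CFLAGS"` line puts a code-generation flag into the preprocessor flags. `-fstack-protector-strong` has no effect on preprocessing, and `CFLAGS` and `CXXFLAGS` already carry it, so I would drop that line. Only target compile flags are touched here: nothing visible adds the flag to host-tool flags or to the link line, and some targets (presumably MinGW-style ones) need the stack-protector runtime linked explicitly, which is worth confirming. I would also extend the comment to `# Add the hardening flags from moz.configure (empty unless --enable-hardening is set)` so readers know the assignment is a no-op by default. The GNU-specific block that follows continues outside this hunk.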