pegasus/unrealircd
1
0
Fork 0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-06-12 17:14:46 +02:00
Code Activity

Pass hardening flags to libraries that we build/ship ourselves (if any)

Browse Source 
Previously we didn't and that means that if any shipped lib was used,
without hardening, this would cause non-CET libraries to silently disable
CET for the entire process, and partial RELRO on the libs means the
full RELRO in UnrealIRCd is much less useful.

Actually, system libs on Debian/Ubuntu don't even have full RELRO atm,
but hey, we try to do better, also.. some other OS/distro might
have it on and who knows Debian/Ubuntu change their mind later..
This commit is contained in:
Bram Matthys
2026-02-22 19:41:43 +01:00
parent dcd8f738fe
commit ae245865ea
2 changed files with 36 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
configure
Vendored
+18 -8
View File
@@ -5429,6 +5429,12 @@ fi
# Hardening flags to be used for libraries
# These are the same of what we have, except we leave out -fstrict-flex-arrays=3
# since that would break in some cases of code, and we don't control the libs..
HARDEN_LIB_CFLAGS=$(echo "$HARDEN_CFLAGS" | sed 's/-fstrict-flex-arrays=3//')
HARDEN_LIB_LDFLAGS="$HARDEN_LDFLAGS"
# End of flag tests.
CC="$saved_CC"
CXX="$saved_CXX"
@@ -8745,8 +8751,9 @@ fi
printf "%s\n" "configuring PCRE2 regex library" >&6; }
cd pcre2-$pcre2_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --enable-jit --enable-shared --prefix=$cur_dir/extras/pcre2 --libdir=$PRIVATELIBDIR || exit 1
CFLAGS="$save_cflags"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling PCRE2 regex library" >&5
@@ -8995,8 +9002,9 @@ fi
printf "%s\n" "compiling sodium library" >&6; }
cd libsodium-$sodium_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/sodium --libdir=$PRIVATELIBDIR --enable-shared --disable-static --enable-opt || exit 1
CFLAGS="$save_cflags"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling sodium resolver library" >&5
@@ -9124,8 +9132,9 @@ fi
printf "%s\n" "configuring c-ares library" >&6; }
cd c-ares-$cares_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/c-ares --libdir=$PRIVATELIBDIR --enable-shared --disable-tests || exit 1
CFLAGS="$save_cflags"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling c-ares resolver library" >&5
@@ -9270,8 +9279,9 @@ fi
printf "%s\n" "compiling jansson library" >&6; }
cd jansson-$jansson_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/jansson --libdir=$PRIVATELIBDIR --enable-shared --disable-static || exit 1
CFLAGS="$save_cflags"
{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling jansson resolver library" >&5
configure.ac
+18 -8
View File
@@ -178,6 +178,12 @@ AC_SUBST([HARDEN_LDFLAGS])
AC_SUBST([HARDEN_BINCFLAGS])
AC_SUBST([HARDEN_BINLDFLAGS])
# Hardening flags to be used for libraries
# These are the same of what we have, except we leave out -fstrict-flex-arrays=3
# since that would break in some cases of code, and we don't control the libs..
HARDEN_LIB_CFLAGS=$(echo "$HARDEN_CFLAGS" | sed 's/-fstrict-flex-arrays=3//')
HARDEN_LIB_LDFLAGS="$HARDEN_LDFLAGS"
# End of flag tests.
CC="$saved_CC"
CXX="$saved_CXX"
@@ -653,8 +659,9 @@ fi
AC_MSG_RESULT(configuring PCRE2 regex library)
cd pcre2-$pcre2_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --enable-jit --enable-shared --prefix=$cur_dir/extras/pcre2 --libdir=$PRIVATELIBDIR || exit 1
CFLAGS="$save_cflags"
AC_MSG_RESULT(compiling PCRE2 regex library)
@@ -747,8 +754,9 @@ fi
AC_MSG_RESULT(compiling sodium library)
cd libsodium-$sodium_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/sodium --libdir=$PRIVATELIBDIR --enable-shared --disable-static --enable-opt || exit 1
CFLAGS="$save_cflags"
AC_MSG_RESULT(compiling sodium resolver library)
@@ -796,8 +804,9 @@ fi
AC_MSG_RESULT(configuring c-ares library)
cd c-ares-$cares_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/c-ares --libdir=$PRIVATELIBDIR --enable-shared --disable-tests || exit 1
CFLAGS="$save_cflags"
AC_MSG_RESULT(compiling c-ares resolver library)
@@ -872,8 +881,9 @@ fi
AC_MSG_RESULT(compiling jansson library)
cd jansson-$jansson_version
save_cflags="$CFLAGS"
CFLAGS="$orig_cflags"
export CFLAGS
CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
LDFLAGS="$HARDEN_LIB_LDFLAGS"
export CFLAGS LDFLAGS
./configure --prefix=$cur_dir/extras/jansson --libdir=$PRIVATELIBDIR --enable-shared --disable-static || exit 1
CFLAGS="$save_cflags"
AC_MSG_RESULT(compiling jansson resolver library)