From ae245865eaf861123fe2ecfa01653798ae8b98b9 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Sun, 22 Feb 2026 19:41:43 +0100 Subject: [PATCH] Pass hardening flags to libraries that we build/ship ourselves (if any) Previously we didn't and that means that if any shipped lib was used, without hardening, this would cause non-CET libraries to silently disable CET for the entire process, and partial RELRO on the libs means the full RELRO in UnrealIRCd is much less useful. Actually, system libs on Debian/Ubuntu don't even have full RELRO atm, but hey, we try to do better, also.. some other OS/distro might have it on and who knows Debian/Ubuntu change their mind later.. --- configure | 26 ++++++++++++++++++-------- configure.ac | 26 ++++++++++++++++++-------- 2 files changed, 36 insertions(+), 16 deletions(-) diff --git a/configure b/configure index a4d2909ff..86ad3c318 100755 --- a/configure +++ b/configure @@ -5429,6 +5429,12 @@ fi +# Hardening flags to be used for libraries +# These are the same of what we have, except we leave out -fstrict-flex-arrays=3 +# since that would break in some cases of code, and we don't control the libs.. +HARDEN_LIB_CFLAGS=$(echo "$HARDEN_CFLAGS" | sed 's/-fstrict-flex-arrays=3//') +HARDEN_LIB_LDFLAGS="$HARDEN_LDFLAGS" + # End of flag tests. CC="$saved_CC" CXX="$saved_CXX" @@ -8745,8 +8751,9 @@ fi printf "%s\n" "configuring PCRE2 regex library" >&6; } cd pcre2-$pcre2_version save_cflags="$CFLAGS" -CFLAGS="$orig_cflags" -export CFLAGS +CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS" +LDFLAGS="$HARDEN_LIB_LDFLAGS" +export CFLAGS LDFLAGS ./configure --enable-jit --enable-shared --prefix=$cur_dir/extras/pcre2 --libdir=$PRIVATELIBDIR || exit 1 CFLAGS="$save_cflags" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling PCRE2 regex library" >&5 
@@ -8995,8 +9002,9 @@ fi printf "%s\n" "compiling sodium library" >&6; } cd libsodium-$sodium_version save_cflags="$CFLAGS" -CFLAGS="$orig_cflags" -export CFLAGS +CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS" +LDFLAGS="$HARDEN_LIB_LDFLAGS" +export CFLAGS LDFLAGS ./configure --prefix=$cur_dir/extras/sodium --libdir=$PRIVATELIBDIR --enable-shared --disable-static --enable-opt || exit 1 CFLAGS="$save_cflags" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling sodium resolver library" >&5 @@ -9124,8 +9132,9 @@ fi printf "%s\n" "configuring c-ares library" >&6; } cd c-ares-$cares_version save_cflags="$CFLAGS" -CFLAGS="$orig_cflags" -export CFLAGS +CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS" +LDFLAGS="$HARDEN_LIB_LDFLAGS" +export CFLAGS LDFLAGS ./configure --prefix=$cur_dir/extras/c-ares --libdir=$PRIVATELIBDIR --enable-shared --disable-tests || exit 1 CFLAGS="$save_cflags" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling c-ares resolver library" >&5 @@ -9270,8 +9279,9 @@ fi printf "%s\n" "compiling jansson library" >&6; } cd jansson-$jansson_version save_cflags="$CFLAGS" -CFLAGS="$orig_cflags" -export CFLAGS +CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS" +LDFLAGS="$HARDEN_LIB_LDFLAGS" +export CFLAGS LDFLAGS ./configure --prefix=$cur_dir/extras/jansson --libdir=$PRIVATELIBDIR --enable-shared --disable-static || exit 1 CFLAGS="$save_cflags" { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: compiling jansson resolver library" >&5 diff --git a/configure.ac b/configure.ac index 416537798..da16c572b 100644 --- a/configure.ac +++ b/configure.ac 
@@ -178,6 +178,12 @@ AC_SUBST([HARDEN_LDFLAGS])
 AC_SUBST([HARDEN_BINCFLAGS])
 AC_SUBST([HARDEN_BINLDFLAGS])
 
+# Hardening flags to be used for libraries
+# These are the same of what we have, except we leave out -fstrict-flex-arrays=3
+# since that would break in some cases of code, and we don't control the libs..
+HARDEN_LIB_CFLAGS=$(echo "$HARDEN_CFLAGS" | sed 's/-fstrict-flex-arrays=3//')
+HARDEN_LIB_LDFLAGS="$HARDEN_LDFLAGS"
+
 # End of flag tests.
 CC="$saved_CC"
 CXX="$saved_CXX"
@@ -653,8 +659,9 @@ fi
 AC_MSG_RESULT(configuring PCRE2 regex library)
 cd pcre2-$pcre2_version
 save_cflags="$CFLAGS"
-CFLAGS="$orig_cflags"
-export CFLAGS
+CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
+LDFLAGS="$HARDEN_LIB_LDFLAGS"
+export CFLAGS LDFLAGS
 ./configure --enable-jit --enable-shared --prefix=$cur_dir/extras/pcre2 --libdir=$PRIVATELIBDIR || exit 1
 CFLAGS="$save_cflags"
 AC_MSG_RESULT(compiling PCRE2 regex library)
@@ -747,8 +754,9 @@ fi
 AC_MSG_RESULT(compiling sodium library)
 cd libsodium-$sodium_version
 save_cflags="$CFLAGS"
-CFLAGS="$orig_cflags"
-export CFLAGS
+CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
+LDFLAGS="$HARDEN_LIB_LDFLAGS"
+export CFLAGS LDFLAGS
 ./configure --prefix=$cur_dir/extras/sodium --libdir=$PRIVATELIBDIR --enable-shared --disable-static --enable-opt || exit 1
 CFLAGS="$save_cflags"
 AC_MSG_RESULT(compiling sodium resolver library)
@@ -796,8 +804,9 @@ fi
 AC_MSG_RESULT(configuring c-ares library)
 cd c-ares-$cares_version
 save_cflags="$CFLAGS"
-CFLAGS="$orig_cflags"
-export CFLAGS
+CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
+LDFLAGS="$HARDEN_LIB_LDFLAGS"
+export CFLAGS LDFLAGS
 ./configure --prefix=$cur_dir/extras/c-ares --libdir=$PRIVATELIBDIR --enable-shared --disable-tests || exit 1
 CFLAGS="$save_cflags"
 AC_MSG_RESULT(compiling c-ares resolver library)
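Review bot: The comment above `HARDEN_LIB_CFLAGS` should say that handing these flags to the bundled builds does not by itself guarantee the outcome the commit message is after. A linker marks a shared object as CET-compatible only when every object linked into it carries the property, so a library containing hand-written assembly can still come out unmarked and switch CET off for the whole process; that is general toolchain behaviour, not something this hunk shows. I would add a line such as `# NOTE: flags alone don't guarantee CET/full RELRO on the built libs; verify with readelf -n (IBT/SHSTK) and readelf -d (BIND_NOW)`, so whoever bumps a bundled library version knows to re-check the result.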
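Review bot: `LDFLAGS` is overwritten and exported before the PCRE2 `./configure` call but never saved or put back, unlike `CFLAGS`, which is restored from `save_cflags` on the line after. Any `LDFLAGS` the user gave the top-level configure is therefore dropped for the bundled build, and the hardening-only value presumably stays in effect for the rest of the main configure run (later link tests and the Makefile substitution are outside this hunk, so that part is inferred). Mirroring the CFLAGS handling would address it: `save_ldflags="$LDFLAGS"`, `LDFLAGS="$save_ldflags $HARDEN_LIB_LDFLAGS"`, and `LDFLAGS="$save_ldflags"` after the `./configure` line. The same pattern appears in the libsodium, c-ares and jansson hunks of configure.ac and in the matching hunks of the generated configure; the enclosing `if` block starts and ends outside the hunk.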
@@ -872,8 +881,9 @@ fi
 AC_MSG_RESULT(compiling jansson library)
 cd jansson-$jansson_version
 save_cflags="$CFLAGS"
-CFLAGS="$orig_cflags"
-export CFLAGS
+CFLAGS="$orig_cflags $HARDEN_LIB_CFLAGS"
+LDFLAGS="$HARDEN_LIB_LDFLAGS"
+export CFLAGS LDFLAGS
 ./configure --prefix=$cur_dir/extras/jansson --libdir=$PRIVATELIBDIR --enable-shared --disable-static || exit 1
 CFLAGS="$save_cflags"
 AC_MSG_RESULT(compiling jansson resolver library)