Consolidate security-related compiler flags #9672
Open
Update and extend the list of hardening-related compiler flags used by HHVM to better represent modern distro defaults.
- ENABLE_SSP build option into a new ENABLE_HARDENING option and put an updated list of security flags behind it. Both clang and GCC have been supporting these options for a while now, so we can set them irrespective of the compiler.
- ENABLE_PIE build option so that we can produce and compare non-PIE and PIE builds once we fix compatibility with PIE.
- CMAKE_BUILD_TYPE to vendored subprojects. Lack of this was causing the projects to be built without compiler optimizations, which doesn't play well with FORTIFY_SOURCE.

On systems with glibc >= 2.40, facebook/folly#2519 is needed for this option to work.
The overhead from these flags is likely to be limited, as many of them have been set by default for distribution packages for several years now.[1]
[1] https://github.com/jvoisin/compiler-flags-distro
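The following CMake fragment is an added illustration of the build-option layout the PR describes; it is not HHVM's CMake code and is not taken from this PR. The concrete flag list, the option defaults, the `third-party/vendored_lib` path, and the use of ExternalProject for the vendored subproject are assumptions, chosen to match flags that GCC and clang both accept and that the linked distro survey lists as common defaults.

```cmake
# Added example, not HHVM's build system. Flag choices and paths are assumptions.
cmake_minimum_required(VERSION 3.14)
project(hardening_demo C CXX)

option(ENABLE_HARDENING "Enable hardening compiler and linker flags" ON)
option(ENABLE_PIE "Build position-independent executables" OFF)

# _FORTIFY_SOURCE only does anything at -O1 or higher (GCC warns otherwise),
# so an unset build type silently drops the fortified checks. Pin a default
# here so that every directory scope and subproject sees an optimizing build.
if(NOT CMAKE_BUILD_TYPE)
  set(CMAKE_BUILD_TYPE RelWithDebInfo CACHE STRING "Build type" FORCE)
endif()

set(HARDENING_COMPILE_FLAGS "")
set(HARDENING_LINK_FLAGS "")
if(ENABLE_HARDENING)
  # Compiler-side mitigations accepted by both GCC and clang (assumed list).
  list(APPEND HARDENING_COMPILE_FLAGS
    -fstack-protector-strong
    -fstack-clash-protection
    -D_FORTIFY_SOURCE=2
  )
  # Control-flow protection is x86-specific; guard it by target arch.
  if(CMAKE_SYSTEM_PROCESSOR MATCHES "x86_64|AMD64")
    list(APPEND HARDENING_COMPILE_FLAGS -fcf-protection)
  endif()
  # Linker-side: full RELRO plus immediate binding so the GOT is read-only.
  list(APPEND HARDENING_LINK_FLAGS -Wl,-z,relro -Wl,-z,now)
  add_compile_options(${HARDENING_COMPILE_FLAGS})
  add_link_options(${HARDENING_LINK_FLAGS})
endif()

if(ENABLE_PIE)
  # Ask the toolchain whether it can link PIE before turning it on globally,
  # so a non-PIE and a PIE build differ only in this one option.
  include(CheckPIESupported)
  check_pie_supported(OUTPUT_VARIABLE pie_msg LANGUAGES C CXX)
  if(CMAKE_C_LINK_PIE_SUPPORTED AND CMAKE_CXX_LINK_PIE_SUPPORTED)
    set(CMAKE_POSITION_INDEPENDENT_CODE ON)
  else()
    message(WARNING "ENABLE_PIE requested but the toolchain cannot link PIE: ${pie_msg}")
  endif()
endif()

# A vendored subproject built as an external CMake project does not inherit
# this scope's variables; pass the build type and the flags explicitly,
# otherwise it is compiled at -O0 with _FORTIFY_SOURCE effectively disabled.
include(ExternalProject)
string(JOIN " " HARDENING_COMPILE_FLAGS_STR ${HARDENING_COMPILE_FLAGS})
string(JOIN " " HARDENING_LINK_FLAGS_STR ${HARDENING_LINK_FLAGS})
ExternalProject_Add(vendored_lib
  SOURCE_DIR ${CMAKE_SOURCE_DIR}/third-party/vendored_lib   # assumed path
  CMAKE_ARGS
    -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
    "-DCMAKE_C_FLAGS=${HARDENING_COMPILE_FLAGS_STR}"
    "-DCMAKE_CXX_FLAGS=${HARDENING_COMPILE_FLAGS_STR}"
    "-DCMAKE_EXE_LINKER_FLAGS=${HARDENING_LINK_FLAGS_STR}"
    "-DCMAKE_SHARED_LINKER_FLAGS=${HARDENING_LINK_FLAGS_STR}"
    -DCMAKE_POSITION_INDEPENDENT_CODE=${CMAKE_POSITION_INDEPENDENT_CODE}
  INSTALL_COMMAND ""
)

add_executable(demo main.c)
add_dependencies(demo vendored_lib)
```

To confirm the flags actually reached a given binary, inspect the result rather than the build log: `readelf -h` reports `Type: DYN` for a PIE executable and `EXEC` for a non-PIE one, `readelf -d` shows `BIND_NOW` and a `GNU_RELRO` segment when the linker flags took effect, and `nm -D` listing `__stack_chk_fail` and `__*_chk` symbols (for example `__memcpy_chk`) indicates that stack protection and fortified calls were emitted, which only happens when the object was compiled with optimization enabled.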