diff --git a/CMake/HPHPCompiler.cmake b/CMake/HPHPCompiler.cmake
index a59c705ade7d16..a09223632107a9 100644
--- a/CMake/HPHPCompiler.cmake
+++ b/CMake/HPHPCompiler.cmake
@@ -83,13 +83,45 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
set(GDB_SUBOPTION)
# Enable GCC/LLVM stack-smashing protection
- if(ENABLE_SSP)
+ if(ENABLE_HARDENING)
list(APPEND GENERAL_OPTIONS
+ # Enable stack protection and stack-clash protection.
# This needs two dashes in the name, so put one here.
"-param=ssp-buffer-size=4"
- "pie"
- "fPIC"
+ "fstack-protector-strong"
+ "fstack-clash-protection"
+
+ # Use hardened equivalents of various glibc functions
+ # to guard against buffer overflows.
+ "D_FORTIFY_SOURCE=3"
+
+ # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
+ "Wl,-z,relro,-z,now"
+ # Mark stack as non-executable.
+ "Wl,-z,noexecstack"
+ # Separate ELF code into its own segment.
+ "Wl,-z,separate-code"
)
+
+ # Enable control-flow / branch protection.
+ if (IS_X64)
+ list(APPEND GENERAL_OPTIONS "fcf-protection")
+ elseif (IS_AARCH64)
+ list(APPEND GENERAL_OPTIONS "mbranch-protection=standard")
+ endif()
+
+ # Enable C++ standard library assertions.
+ if (CLANG_FORCE_LIBCPP)
+ list(APPEND GENERAL_CXX_OPTIONS "D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE")
+ else()
+ list(APPEND GENERAL_CXX_OPTIONS "D_GLIBCXX_ASSERTIONS")
+ endif()
+ endif()
+
+ if (ENABLE_PIE)
+ list(APPEND GENERAL_OPTIONS "pie" "fPIC")
+ else()
+ list(APPEND GENERAL_OPTIONS "no-pie")
endif()
if (IS_X64)
@@ -110,13 +142,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
"unused-command-line-argument"
)
- # Enabled GCC/LLVM stack-smashing protection
- if(ENABLE_SSP)
- list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
- else()
- list(APPEND GENERAL_OPTIONS "no-pie")
- endif()
-
if(CLANG_FORCE_LIBCPP)
list(APPEND GENERAL_CXX_OPTIONS "stdlib=libc++")
endif()
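Review bot: The three `Wl,-z,...` entries added to GENERAL_OPTIONS are emitted whenever ENABLE_HARDENING is on, with no platform check, whereas the block this replaces (the deletion further down in this diff) only added `Wl,-z,relro,-z,now` under `if(LINUX)`; `-z relro/now`, `-z noexecstack` and `-z separate-code` are GNU ld/lld ELF options, and the Apple linker — which the project evidently still targets, since the third-party hunks forward CMAKE_OSX_SYSROOT — does not accept them, so ENABLE_HARDENING would likely fail to link there. Move those three entries out of the list into their own guarded append: `if(LINUX)` / `list(APPEND GENERAL_OPTIONS "Wl,-z,relro,-z,now" "Wl,-z,noexecstack" "Wl,-z,separate-code")` / `endif()`. Separately, `D_FORTIFY_SOURCE=3` is only honoured by glibc when optimisation is enabled (at -O0 the header emits a `#warning`, which is fatal under -Werror) and should be preceded by `"U_FORTIFY_SOURCE"` so it overrides rather than collides with any toolchain-injected default; a comment such as `# Only effective in optimised builds; level 3 needs glibc >= 2.34 and GCC 12 / Clang 9+` would spare the next reader the surprise. The enclosing compiler-ID `if` block starts and ends outside this hunk.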
@@ -150,15 +175,6 @@ if (${CMAKE_CXX_COMPILER_ID} STREQUAL "Clang" OR ${CMAKE_CXX_COMPILER_ID} STREQU
"-param=large-unit-insns=10000"
)
- # Enabled GCC/LLVM stack-smashing protection
- if(ENABLE_SSP)
- if(LINUX)
- # https://isisblogs.poly.edu/2011/06/01/relro-relocation-read-only/
- list(APPEND GENERAL_OPTIONS "Wl,-z,relro,-z,now")
- endif()
- list(APPEND GENERAL_OPTIONS "fstack-protector-strong")
- endif()
-
# X64
if(IS_X64)
list(APPEND GENERAL_CXX_OPTIONS "mcrc32")
diff --git a/CMake/Options.cmake b/CMake/Options.cmake
index e07edc2e1b171a..b1f6a68fb79fee 100644
--- a/CMake/Options.cmake
+++ b/CMake/Options.cmake
@@ -1,7 +1,8 @@
#set(CMAKE_BUILD_TYPE Debug)
option(ALWAYS_ASSERT "Enabled asserts in a release build" OFF)
-option(ENABLE_SSP "Enabled GCC/LLVM stack-smashing protection" OFF)
+option(ENABLE_HARDENING "Set hardening flags and definitions, e.g. stack-smashing protection" OFF)
+option(ENABLE_PIE "Produce position-independent executables" OFF)
option(STATIC_CXX_LIB "Statically link libstd++ and libgcc." OFF)
option(ENABLE_AARCH64_CRC "Enable the use of CRC instructions" OFF)
option(ENABLE_FASTCGI "Enable the FastCGI interface." ON)
diff --git a/third-party/brotli/CMakeLists.txt b/third-party/brotli/CMakeLists.txt
index 8e652e55a65c92..f5c10a9f655f90 100644
--- a/third-party/brotli/CMakeLists.txt
+++ b/third-party/brotli/CMakeLists.txt
@@ -15,6 +15,7 @@ ExternalProject_Add(
bundled_brotli
${BROTLI_SOURCE_ARGS}
CMAKE_ARGS
+ -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DCMAKE_INSTALL_PREFIX=
-DCMAKE_INSTALL_INCLUDEDIR=include
-DCMAKE_INSTALL_LIBDIR=lib
diff --git a/third-party/libzip/CMakeLists.txt b/third-party/libzip/CMakeLists.txt
index 9e3ea12c7d96ca..12454ae1521148 100644
--- a/third-party/libzip/CMakeLists.txt
+++ b/third-party/libzip/CMakeLists.txt
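Review bot: ENABLE_HARDENING and ENABLE_PIE are declared as independent options that both default to OFF, so a user who switches on hardening alone still gets a non-PIE executable (the HPHPCompiler.cmake hunk appends `no-pie` whenever ENABLE_PIE is off), which pins the main binary at a fixed load address and blunts the RELRO/now and stack-protector mitigations that the hardening flag adds. Make the PIE default follow the hardening switch, e.g. `option(ENABLE_PIE "Produce position-independent executables (ASLR for the main binary)" "${ENABLE_HARDENING}")`, or at minimum state in ENABLE_HARDENING's help text that it does not imply PIE so the two are not mistaken for one setting.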
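Review bot: Forwarding CMAKE_BUILD_TYPE alone does not carry the new hardening flags into the bundled brotli: nothing visible in this hunk passes CMAKE_C_FLAGS (the libzip and mcrouter CMAKE_ARGS in this same diff do), so unless it is forwarded outside the hunk, brotli is compiled without -fstack-protector-strong, _FORTIFY_SOURCE or RELRO even when ENABLE_HARDENING is on. Add `-DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}` next to the new line, and record why the build type is forwarded — presumably so the sub-build optimises and a `_FORTIFY_SOURCE` in the forwarded flags is not a no-op at -O0 — with a comment such as `# Forward build type and flags so the hardening options apply to this sub-build too`. The ExternalProject_Add call starts and ends outside this hunk.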
@@ -46,6 +46,7 @@ ExternalProject_Add(
-DBUILD_EXAMPLES=FALSE
-DBUILD_DOC=FALSE
-DBUILD_SHARED_LIBS=FALSE
+ -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-DCMAKE_INSTALL_PREFIX=
diff --git a/third-party/mcrouter/CMakeLists.txt b/third-party/mcrouter/CMakeLists.txt
index 1490d93c0daeb9..4d4134332a6ea0 100644
--- a/third-party/mcrouter/CMakeLists.txt
+++ b/third-party/mcrouter/CMakeLists.txt
@@ -47,6 +47,7 @@ ExternalProject_Add(
-DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
-DCMAKE_C_FLAGS=${CMAKE_C_FLAGS}
-DCMAKE_CXX_FLAGS=${CMAKE_CXX_FLAGS}
+ -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
"-DCMAKE_OSX_DEPLOYMENT_TARGET=${CMAKE_OSX_DEPLOYMENT_TARGET}"
"-DBOOST_INCLUDE_DIR=$"
diff --git a/third-party/timelib/CMakeLists.txt b/third-party/timelib/CMakeLists.txt
index 35aa03df215fd3..bf3754a9ac9047 100644
--- a/third-party/timelib/CMakeLists.txt
+++ b/third-party/timelib/CMakeLists.txt
@@ -34,6 +34,7 @@ ExternalProject_Add(
-DCMAKE_INSTALL_INCLUDEDIR=include
-DCMAKE_INSTALL_LIBDIR=lib
+ -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
-DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}
diff --git a/third-party/watchman/CMakeLists.txt b/third-party/watchman/CMakeLists.txt
index 81e5836f295712..c96c3a2afe569a 100644
--- a/third-party/watchman/CMakeLists.txt
+++ b/third-party/watchman/CMakeLists.txt
@@ -26,6 +26,7 @@ ExternalProject_Add(
-DCMAKE_INSTALL_INCLUDEDIR=include
-DCMAKE_INSTALL_LIBDIR=lib
+ -DCMAKE_BUILD_TYPE=${CMAKE_BUILD_TYPE}
-DCMAKE_C_COMPILER=${CMAKE_C_COMPILER}
-DCMAKE_CXX_COMPILER=${CMAKE_CXX_COMPILER}
-DCMAKE_OSX_SYSROOT=${CMAKE_OSX_SYSROOT}