File 3819-gh-Enable-openssf-compiler-hardening-options.patch of Package erlang
From 82af61dafa93fb2c7c6c3c26bd8c58dd4e3f13ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lukas=20Backstr=C3=B6m?= <lukas@erlang.org> Date: Mon, 28 Oct 2024 11:05:27 +0100 Subject: [PATCH 09/10] gh: Enable openssf compiler hardening options --- .github/dockerfiles/Dockerfile.64-bit | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) diff --git a/.github/dockerfiles/Dockerfile.64-bit b/.github/dockerfiles/Dockerfile.64-bit index 07054bc811..4c0d15b054 100644 --- a/.github/dockerfiles/Dockerfile.64-bit +++ b/.github/dockerfiles/Dockerfile.64-bit 
@@ -13,11 +13,30 @@ RUN cd /buildroot && tar -xzf ./otp.tar.gz WORKDIR /buildroot/otp/ ENV CFLAGS="-O2 -g -Werror -DwxSTC_DISABLE_MACRO_DEPRECATIONS=1" +ENV CFLAGS="${CFLAGS} -Wall -Wformat -Wformat=2 -Wno-conversion -Wimplicit-fallthrough \ + -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS \ + -fstack-clash-protection -fstack-protector-strong -Wtrampolines \ + -fcf-protection=full -fexceptions -fno-strict-overflow -fno-delete-null-pointer-checks \ + -D_GLIBCXX_ASSERTIONS" +## OpenSSF recommended CFLAGS, skipped are: +## -Wconversion -Wextra -Wsign-conversion - As we have way too many of these warnings +## -fstrict-flex-arrays=3 -Wbidi-chars=any - As gcc 11 does not support it +## -mbranch-protection=standard - Only on arm +## -Werror=implicit -Wincompatible-pointer-types -Wint-conversion - As these do not work on c++ code +ENV SKIPPED_OSSF_CFLAGS="-Wconversion -mbranch-protection=standard \ + -Wextra -Werror=implicit -Werror=incompatible-pointer-types -Werror=int-conversion \ + -Wsign-conversion" +ENV LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--no-copy-dt-needed-entries" +## OpenSSF recommended LDFLAGS, skipped are: +## -Wl,-z,nodlopen - as opening drivers/nifs needs this +## -fPIE - not needed with gcc 11 +## -fPIC -shared - only needed for .so files +ENV SKIPPED_OSSF_LDFLAGS="-Wl,-z,nodlopen -fPIE -fPIC -shared" ## Configure (if not cached), check that no application are disabled and then make RUN if [ ! -f Makefile ]; then \ touch README.md && \ - ./configure --prefix="/Erlang ∅⊤℞" && \ + ./configure --prefix="/Erlang ∅⊤℞" --enable-pie && \ if cat lib/*/CONF_INFO || cat lib/*/SKIP || cat lib/SKIP-APPLICATIONS; then exit 1; fi && \ find . -type f -newer README.md | xargs tar --transform 's:^./:otp/:' -cf ../otp_cache.tar; \ fi && \ 
@@ -26,6 +45,7 @@ RUN if [ ! -f Makefile ]; then \ ## Disable -Werror as testcases do not compile with it on ENV CFLAGS="-O2 -g" +ENV LDFLAGS="" ## Update init.sh with correct env vars RUN echo "export MAKEFLAGS=$MAKEFLAGS" > /buildroot/env.sh && \ -- 2.43.0
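Review bot: In the first hunk (@@ -13,11 +13,30 @@), the added CFLAGS line lists -D_GLIBCXX_ASSERTIONS twice: once after -D_FORTIFY_SOURCE=2 and again as the last flag. Drop the trailing one. The skipped-flags comment and SKIPPED_OSSF_CFLAGS also disagree. The comment names -fstrict-flex-arrays=3 and -Wbidi-chars=any as skipped, but the variable does not contain them. The comment writes -Wincompatible-pointer-types and -Wint-conversion where the variable has -Werror=incompatible-pointer-types and -Werror=int-conversion. Since nothing in the visible lines reads SKIPPED_OSSF_CFLAGS or SKIPPED_OSSF_LDFLAGS, they serve only as documentation, so either make them match the comments exactly or keep the comments alone and avoid putting unused ENV values into the image. -Wformat is also redundant next to -Wall and -Wformat=2.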
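Review bot: In the second hunk (@@ -26,6 +45,7 @@), the new ENV LDFLAGS="" sits under the comment "Disable -Werror as testcases do not compile with it on", which explains only the CFLAGS reset. Clearing LDFLAGS removes -Wl,-z,noexecstack, -Wl,-z,relro and -Wl,-z,now from everything linked after this point, and the existing reset to CFLAGS="-O2 -g" likewise drops all of the hardening compiler flags, not just -Werror. If the test cases only fail on -Werror, consider keeping the hardening flags and removing just that one. If the linker flags really do break the test builds, add a comment saying which ones and why, so the reset is not read as accidental.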