Use -fstack-clash-protection if gcc >= 8

citusdata · Oct 20, 2020 · 1fdf59a · 1fdf59a
1 parent 514a929
commit 1fdf59a
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 2 deletions.
diff --git a/citus.spec b/citus.spec
@@ -45,6 +45,11 @@ if [ "$(printf '%s\n' "$requiredgccver" "$currentgccver" | sort -V | tail -n1)"
     fi
 fi
 
+gccgte8=$(expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
+ifeq "$(gccgte8)" "1"
+    SECURITY_CFLAGS += -fstack-clash-protection
+endif
+
 %build
 %configure PG_CONFIG=%{pginstdir}/bin/pg_config --with-extra-version="%{?conf_extra_version}" CC=$(command -v gcc) CFLAGS="$SECURITY_CFLAGS"
 make %{?_smp_mflags}

diff --git a/debian/rules b/debian/rules
@@ -2,9 +2,17 @@
 
 include /usr/share/postgresql-common/pgxs_debian_control.mk
 
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS=-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security
+
+GCCVERSIONGTE8=$(shell expr `gcc -dumpversion | cut -f1 -d.` \>= 8)
+ifeq "$(GCCVERSIONGTE8)" "1"
+    # if gcc version is greater than or equal to 8 we should also use this flag
+    SECURITY_CFLAGS += -fstack-clash-protection
+endif
+
 override_dh_auto_build:
-	# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
-	+pg_buildext build build-%v '$(CFLAGS) -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security'
+	+pg_buildext build build-%v '$(CFLAGS) $(SECURITY_CFLAGS)'
 
 override_dh_auto_clean:
 	+pg_buildext clean build-%v