otp: Use OSSF flags by default when building Erlang

garazdawi · Mar 3, 2025 · 9c916ab · 9c916ab
1 parent c2a2f47
commit 9c916ab
Show file tree

Hide file tree

Showing 17 changed files with 12,182 additions and 5,535 deletions.
diff --git a/.github/dockerfiles/Dockerfile.64-bit b/.github/dockerfiles/Dockerfile.64-bit
@@ -14,10 +14,8 @@ WORKDIR /buildroot/otp/
 
 ENV CFLAGS="-O2 -g -Werror -DwxSTC_DISABLE_MACRO_DEPRECATIONS=1"
 ENV CFLAGS="${CFLAGS} -Wall -Wformat -Wformat=2 -Wno-conversion -Wimplicit-fallthrough \
-    -Werror=format-security -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS \
-    -fstack-clash-protection -fstack-protector-strong -Wtrampolines \
-    -fcf-protection=full -fexceptions -fno-strict-overflow -fno-delete-null-pointer-checks \
-    -D_GLIBCXX_ASSERTIONS"
+    -Werror=format-security -Wtrampolines -fsanitize=signed-integer-overflow"
+ENV CXXFLAGS="-Wno-maybe-uninitialized"
 ## OpenSSF recommended CFLAGS, skipped are:
 ##  -Wconversion -Wextra -Wsign-conversion - As we have way too many of these warnings
 ##  -fstrict-flex-arrays=3 -Wbidi-chars=any - As gcc 11 does not support it
@@ -26,7 +24,7 @@ ENV CFLAGS="${CFLAGS} -Wall -Wformat -Wformat=2 -Wno-conversion -Wimplicit-fallt
 ENV SKIPPED_OSSF_CFLAGS="-Wconversion -mbranch-protection=standard \
     -Wextra  -Werror=implicit -Werror=incompatible-pointer-types -Werror=int-conversion \
     -Wsign-conversion"
-ENV LDFLAGS="-Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -Wl,--no-copy-dt-needed-entries"
+ENV LDFLAGS=""
 ## OpenSSF recommended LDFLAGS, skipped are:
 ## -Wl,-z,nodlopen - as opening drivers/nifs needs this
 ## -fPIE - not needed with gcc 11
@@ -46,6 +44,7 @@ RUN if [ ! -f Makefile ]; then \
 ## Disable -Werror as testcases do not compile with it on
 ENV CFLAGS="-O2 -g"
 ENV LDFLAGS=""
+ENV CXXFLAGS=""
 
 ## Update init.sh with correct env vars
 RUN echo "export MAKEFLAGS=$MAKEFLAGS" > /buildroot/env.sh && \

diff --git a/HOWTO/INSTALL.md b/HOWTO/INSTALL.md
@@ -428,6 +428,10 @@ Some of the available `configure` options are:
     option which will enable `configure` to continue without support for
     timestamps after mid-January 2038. This is typically only an issue on 32-bit
     platforms.
+*   `--disable-security-hardening-flags` - Disable all security hardening
+    flags when compiling Erlang/OTP. This can be useful in some scenarios
+    when the flags either causes Erlang/OTP not to build, or unacceptable
+    performance degradations.
 
 If you or your system has special requirements please read the `Makefile` for
 additional configuration information.