elf hardened options
wang-bin committed May 27, 2024
1 parent 0beb8ba commit a502ad1
Showing 1 changed file with 7 additions and 4 deletions.
11 changes: 7 additions & 4 deletions avbuild.sh
@@ -226,9 +226,11 @@ enable_opt hwaccels
$USE_VK || disable_opt vulkan

add_elf_flags() {
HARDENED_CFLAGS="-fstack-protector-strong -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 -fPIE" # toolchain=hardened is -fstack-protector-all
HARDENED_LDFLAGS="-Wl,-z,relro -Wl,-z,now"
# -Wl,-z,noexecstack -Wl,--as-needed is added by configure
EXTRA_CFLAGS+=" -Wa,--noexecstack -fdata-sections -ffunction-sections -fstack-protector-strong" # TODO: check -fstack-protector-strong
EXTRA_LDFLAGS+=" -Wl,--gc-sections" # -Wl,-z,relro -Wl,-z,now
EXTRA_CFLAGS+=" -Wa,--noexecstack -fdata-sections -ffunction-sections $HARDENED_CFLAGS"
EXTRA_LDFLAGS+=" -Wl,--gc-sections $HARDENED_LDFLAGS"
# rpath
}

@@ -1187,6 +1189,7 @@ setup_apple_env() {
: ${os_ver:=$os_min}
TOOLCHAIN_OPT+=" --enable-cross-compile $ASM_OPT --arch=$OS_ARCH --target-os=darwin --cc=clang --sysroot=\$(xcrun --sdk $SYSROOT_SDK --show-sdk-path)"
disable_opt programs
# apple clang default -fstack-protector, 90KB larger for arm64 lite build. strong is about 5KB larger than default
# if target_vendor is not apple(-v same except vendor): d: building for 'tvOS-simulator', but linking in object file built for 'tvOS'
EXTRA_CFLAGS+=" -arch $OS_ARCH --target=apple-${target_os}${os_ver}${env_suffix} $BITCODE_FLAGS $EXTRA_FLAGS" # -fvisibility=hidden -fvisibility-inlines-hidden"
EXTRA_LDFLAGS+=" -arch $OS_ARCH --target=apple-${target_os}${os_ver}${env_suffix} $BITCODE_LFLAGS $EXTRA_FLAGS -Wl,-dead_strip" # -fvisibility=hidden -fvisibility-inlines-hidden"
@@ -1343,7 +1346,7 @@ setup_gnu_env(){
add_elf_flags
local gnu_cc=gcc
local ARCH=${1:0:5}
TOOLCHAIN_OPT+=" --toolchain=hardened"
#TOOLCHAIN_OPT+=" --toolchain=hardened"
$IS_CROSS_BUILD && {
IS_CROSS_BUILD=true
echo "gnu cross build"
@@ -1447,7 +1450,7 @@ EOF
return 0
fi

TOOLCHAIN_OPT+=" --toolchain=hardened"
#TOOLCHAIN_OPT+=" --toolchain=hardened"
[ -n "${ARCH/*64/}" ] && BIT=32
[ $BIT -ne $CC_BIT ] && {
EXTRA_CFLAGS="-m$BIT $EXTRA_CFLAGS"
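Review bot: `HARDENED_CFLAGS` in `add_elf_flags` compiles with `-fPIE`, but `HARDENED_LDFLAGS` carries no `-pie`, so with both `--toolchain=hardened` lines now commented out (in `setup_gnu_env` and in the last hunk) executables end up position-independent only if the compiler links PIE by default. As far as I know, the configure preset being replaced also passed `-fPIE -pie` to executable links and `-fno-strict-overflow` to the compiler, so both are worth restoring explicitly. `-pie` should go only to executable links, e.g. `TOOLCHAIN_OPT+=" --extra-ldexeflags=-pie"`, because in `EXTRA_LDFLAGS` it would also reach shared-library links. The function in the last hunk starts outside the visible lines, so confirm it calls `add_elf_flags`; if it does not, that target no longer gets RELRO, immediate binding or the stack protector from this script. I would also declare the two new variables `local`, and check a built binary with `readelf -h`, `-d` and `-l` (type `DYN`, `BIND_NOW`, `GNU_RELRO`) before relying on the flags.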
