build: enable libc++ and libstdc++ hardening

When `ENABLE_HARDENING` is `ON` (which is the default), then enable
light or full hardening in libc++ or libstdc++, depending on the
library used and depending on the build type.

Remove hardening flags from `depends/hosts/linux.mk` in favor of the
more generic way to enable them via CMake. The same would be achieved
after this change by
`cmake -DCMAKE_BUILD_TYPE=Debug -DENABLE_HARDENING=ON`.

Inspired by
https://github.com/bitcoin/bitcoin/issues/31272#issuecomment-2518700939
This commit is contained in:
Vasil Dimov 2024-12-05 07:16:18 +01:00
parent 6475849c40
commit 1ef9f7ca4a
No known key found for this signature in database
GPG key ID: 54DF06F64B55CBBF
3 changed files with 30 additions and 6 deletions

View file

@ -521,6 +521,33 @@ if(ENABLE_HARDENING)
if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening_interface)
endif()
if(HAVE_LIBCPP)
# https://libcxx.llvm.org/Hardening.html
if(CMAKE_BUILD_TYPE STREQUAL "Debug")
target_compile_definitions(hardening_interface INTERFACE _LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG)
else()
target_compile_definitions(hardening_interface INTERFACE _LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST)
endif()
endif()
if(HAVE_LIBSTDCPP)
# https://gcc.gnu.org/wiki/LibstdcxxDebugMode
# https://gcc.gnu.org/onlinedocs/libstdc++/manual/debug_mode.html
#
# libstdc++ has _GLIBCXX_DEBUG _GLIBCXX_DEBUG_PEDANTIC but they are not ABI compatible with
# normal mode which could cause linkage failures like:
# undefined reference to `mp::Connection::removeSyncCleanup(__gnu_debug::_Safe_iterator...`
# when an external library is not compiled with _GLIBCXX_DEBUG _GLIBCXX_DEBUG_PEDANTIC,
# so we use _GLIBCXX_ASSERTIONS in both Debug and non-Debug builds.
target_compile_definitions(hardening_interface INTERFACE _GLIBCXX_ASSERTIONS)
find_library(HAVE_LIBSTDCPPEXP stdc++exp)
if(HAVE_LIBSTDCPPEXP)
target_compile_definitions(hardening_interface INTERFACE _GLIBCXX_DEBUG_BACKTRACE)
target_link_libraries(hardening_interface INTERFACE stdc++exp)
endif()
endif()
endif()
endif()

View file

@ -12,6 +12,9 @@ check_include_file_cxx(sys/resources.h HAVE_SYS_RESOURCES_H)
check_include_file_cxx(sys/vmmeter.h HAVE_SYS_VMMETER_H)
check_include_file_cxx(vm/vm_param.h HAVE_VM_VM_PARAM_H)
check_cxx_symbol_exists(_LIBCPP_VERSION "version" HAVE_LIBCPP)
check_cxx_symbol_exists(__GLIBCXX__ "version" HAVE_LIBSTDCPP)
check_cxx_symbol_exists(O_CLOEXEC "fcntl.h" HAVE_O_CLOEXEC)
check_cxx_symbol_exists(fdatasync "unistd.h" HAVE_FDATASYNC)
check_cxx_symbol_exists(fork "unistd.h" HAVE_DECL_FORK)

View file

@ -13,12 +13,6 @@ linux_release_CXXFLAGS=$(linux_release_CFLAGS)
linux_debug_CFLAGS=-O1 -g
linux_debug_CXXFLAGS=$(linux_debug_CFLAGS)
# https://gcc.gnu.org/onlinedocs/libstdc++/manual/debug_mode.html
linux_debug_CPPFLAGS=-D_GLIBCXX_DEBUG -D_GLIBCXX_DEBUG_PEDANTIC
# https://libcxx.llvm.org/Hardening.html
linux_debug_CPPFLAGS+=-D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG
ifeq (86,$(findstring 86,$(build_arch)))
i686_linux_CC=gcc -m32
i686_linux_CXX=g++ -m32