MDEV-5730 enhance security using special compilation options

-Wl,-z,relro,-z,now -pie -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2
author: Sergei Golubchik <serg@mariadb.org> 2014-06-16 21:39:09 +0200
committer: Sergei Golubchik <serg@mariadb.org> 2014-06-26 11:54:13 +0200
commit: da4f8269bf5919f7a48739dbe5460fe22a768967 (patch)
tree: fa6bca718db34ef02f1d8ecaaf7aedd8e38575b8
parent: 6c0e3ef4503c6121f7d5b6b07dcd2ee035e26032 (diff)
download: mariadb-git-da4f8269bf5919f7a48739dbe5460fe22a768967.tar.gz
1 files changed, 14 insertions, 0 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index a5f2dc2a3ad..bc1193c441a 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -199,6 +199,20 @@ IF (WITH_ASAN)
   ENDIF()
 ENDIF()
 
+OPTION(SECURITY_HARDENED "Use security-enhancing compiler features (stack protector, relro, etc)" ON)
+IF(SECURITY_HARDENED)
+  # security-enhancing flags
+  MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
+  MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
+  MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
+
+  # sometimes _FORTIFY_SOURCE is predefined
+  INCLUDE(CheckSymbolExists)
+  CHECK_SYMBOL_EXISTS(_FORTIFY_SOURCE "" HAVE_FORTIFY_SOURCE)
+  IF(NOT HAVE_FORTIFY_SOURCE)
+    ADD_DEFINITIONS(-D_FORTIFY_SOURCE=2)
+  ENDIF()
+ENDIF()
 
 OPTION(ENABLE_DEBUG_SYNC "Enable debug sync (debug builds only)" ON) 
 IF(ENABLE_DEBUG_SYNC)
author	Sergei Golubchik <serg@mariadb.org>	2014-06-16 21:39:09 +0200
committer	Sergei Golubchik <serg@mariadb.org>	2014-06-26 11:54:13 +0200
commit	da4f8269bf5919f7a48739dbe5460fe22a768967 (patch)
tree	fa6bca718db34ef02f1d8ecaaf7aedd8e38575b8
parent	6c0e3ef4503c6121f7d5b6b07dcd2ee035e26032 (diff)
download	mariadb-git-da4f8269bf5919f7a48739dbe5460fe22a768967.tar.gz