author | Andrew Morrow <acm@mongodb.com> | 2016-05-25 08:03:22 -0400 |
---|---|---|
committer | Andrew Morrow <acm@mongodb.com> | 2016-06-02 11:24:23 -0400 |
commit | fa477177acae2cd372c5703d36a7f80d26cd6a40 (patch) | |
tree | 6bc40fdeca5589376ca287796a87c5785d334773 /SConstruct | |
parent | 1278d0f137defe7ffda47e79d976a5c7d986a092 (diff) | |
download | mongo-fa477177acae2cd372c5703d36a7f80d26cd6a40.tar.gz |
SERVER-23911 Add _FORTIFY_SOURCE to preprocessor definitions when requested
Diffstat (limited to 'SConstruct')
-rw-r--r-- | SConstruct | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/SConstruct b/SConstruct
index 426b51bede5..f8593e47d00 100644
--- a/SConstruct
+++ b/SConstruct
@@ -474,6 +474,13 @@ add_option('modules',
 help="Comma-separated list of modules to build. Empty means none. Default is all.",
 )
 
+add_option('runtime-hardening',
+ choices=["on", "off"],
+ default="off",
+ help="Enable runtime hardening features (e.g. stack smash protection)",
+ type='choice',
+)
+
 try:
 with open("version.json", "r") as version_fp:
 version_data = json.load(version_fp)
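Review bot: The help text for `runtime-hardening` gives stack smash protection as its example, but the 44 inserted lines of this commit only add the `_FORTIFY_SOURCE` define; nothing visible passes a stack-protector flag. Someone turning the option on from the help output would reasonably assume stack canaries are enabled. Until that is implemented, a string such as `help="Enable runtime hardening features (currently _FORTIFY_SOURCE=2 on supported toolchains)",` would describe what the option actually does.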
@@ -2219,6 +2226,43 @@ def doConfigure(myenv):
 else:
 myenv.ConfError("Don't know how to enable --lto on current toolchain")
 
+ if get_option('runtime-hardening') == "on":
+ # Older glibc doesn't work well with _FORTIFY_SOURCE=2. Selecting 2.11 as the minimum was an
+ # emperical decision, as that is the oldest non-broken glibc we seem to require. It is possible
+ # that older glibc's work, but we aren't trying.
+ #
+ # https://gforge.inria.fr/tracker/?func=detail&group_id=131&atid=607&aid=14070
+ # https://github.com/jedisct1/libsodium/issues/202
+ def CheckForGlibcKnownToSupportFortify(context):
+ test_body="""
+ #include <features.h>
+ #if !__GLIBC_PREREQ(2, 11)
+ #error
+ #endif
+ """
+ context.Message('Checking for glibc with non-broken _FORTIFY_SOURCE...')
+ ret = context.TryCompile(textwrap.dedent(test_body), ".c")
+ context.Result(ret)
+ return ret
+
+ conf = Configure(myenv, help=False, custom_tests = {
+ 'CheckForFortify': CheckForGlibcKnownToSupportFortify,
+ })
+
+ # Fortify only possibly makes sense on POSIX systems, and we know that clang is not a valid
+ # combination:
+ #
+ # http://lists.llvm.org/pipermail/cfe-dev/2015-November/045852.html
+ #
+ if env.TargetOSIs('posix') and not env.ToolchainIs('clang') and conf.CheckForFortify():
+ conf.env.Append(
+ CPPDEFINES=[
+ ('_FORTIFY_SOURCE', 2),
+ ],
+ )
+
+ myenv = conf.Finish()
+
 # We set this to work around https://gcc.gnu.org/bugzilla/show_bug.cgi?id=43052
 if not myenv.ToolchainIs('msvc'):
 AddToCCFLAGSIfSupported(myenv, "-fno-builtin-memcmp") |
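Review bot: With `--runtime-hardening=on`, a build that uses clang, targets a non-POSIX OS, or fails the glibc 2.11 probe skips the `_FORTIFY_SOURCE` define without any message beyond the probe's own result line, so the build invocation says hardened while the binaries are not. An `else:` branch on the final `if` that reports the skip (or calls `myenv.ConfError(...)` if the request is meant to be strict) would make the downgrade visible. That same condition reads `env.TargetOSIs` / `env.ToolchainIs` while the rest of `doConfigure` visible here uses `myenv`; if `env` is the module-level environment this presumably works only because both describe the same toolchain, and `if myenv.TargetOSIs('posix') and not myenv.ToolchainIs('clang') and conf.CheckForFortify():` would be consistent. `_FORTIFY_SOURCE` also has no effect unless the compiler is optimizing, so a non-optimized build would carry the define without the checks; whether the optimization level is known at this point is outside the hunk. `doConfigure` begins and ends outside the hunk.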