Hardening.cmake
# Make this module idempotent: a repeated include() from the same variable scope is a no-op.
include_guard()
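# Attach compiler/linker hardening options to `_project_name` as INTERFACE usage
# requirements, so every target that links it inherits them. Toolchain detection is
# based on CMAKE_CXX_COMPILER_ID; a C-only project therefore receives nothing.
#
# Arguments (each switch is a CMake boolean such as ON/OFF):
#   _project_name                     - target that carries the options
#   ENABLE_CONTROL_FLOW_PROTECTION    - -fcf-protection=full on x86 (GNU/Clang), /guard:cf (MSVC)
#   ENABLE_STACK_PROTECTION           - -fstack-protector-strong plus -fstack-clash-protection
#                                       where supported (GNU/Clang); /RTC1 in Debug (MSVC)
#   ENABLE_OVERFLOW_PROTECTION        - overflow warnings and _FORTIFY_SOURCE=3 in optimized
#                                       configurations (GNU/Clang); /sdl (MSVC)
#   ENABLE_ELF_PROTECTION             - PIC, RELRO, non-executable stack and a separate code
#                                       segment (GNU/Clang)
#   ENABLE_RUNTIME_SYMBOLS_RESOLUTION - keep lazy symbol binding; when OFF (and ELF
#                                       protection is ON) -z now is added so RELRO also
#                                       covers the GOT (full RELRO)
#
# Example:
#   enable_hardening(my_project_options ON ON ON ON OFF)
function(
  enable_hardening
  _project_name
  ENABLE_CONTROL_FLOW_PROTECTION
  ENABLE_STACK_PROTECTION
  ENABLE_OVERFLOW_PROTECTION
  ENABLE_ELF_PROTECTION
  ENABLE_RUNTIME_SYMBOLS_RESOLUTION
)
  set(HARDENING_COMPILE_OPTIONS "")
  set(HARDENING_LINK_OPTIONS "")

  # The switches are tested by name rather than through `${...}`, so an empty argument
  # reads as false instead of producing a malformed if() expression.
  if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU" OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")
    # NOTE(review): clang-cl also reports the ID "Clang" (with CMAKE_CXX_SIMULATE_ID "MSVC")
    # and so takes this branch; confirm that is intended if clang-cl is a supported toolchain.
    if(ENABLE_CONTROL_FLOW_PROTECTION AND CMAKE_SYSTEM_PROCESSOR MATCHES
                                          "([xX]86)|(amd64)|(AMD64)|([xX]86_64)|(i686)"
    )
      # CET instrumentation (indirect-branch tracking + shadow stack) exists only for x86.
      # The flag is given to the link step as well, presumably for LTO links.
      list(APPEND HARDENING_COMPILE_OPTIONS -fcf-protection=full)
      list(APPEND HARDENING_LINK_OPTIONS -fcf-protection=full)
    endif()

    if(ENABLE_STACK_PROTECTION)
      set(_use_stack_clash_protection TRUE)
      # `-fstack-clash-protection` is not supported by clang on Apple arm64 (M1).
      if(APPLE AND CMAKE_SYSTEM_PROCESSOR MATCHES "arm64" AND CMAKE_CXX_COMPILER_ID MATCHES "Clang")
        set(_use_stack_clash_protection FALSE)
      endif()
      if(_use_stack_clash_protection)
        list(APPEND HARDENING_COMPILE_OPTIONS -fstack-clash-protection)
      endif()
      # Stack canaries for functions with local arrays or address-taken locals.
      list(APPEND HARDENING_COMPILE_OPTIONS -fstack-protector-strong)
    endif()

    if(ENABLE_OVERFLOW_PROTECTION)
      list(APPEND HARDENING_COMPILE_OPTIONS -Wstrict-overflow=4)
      if(CMAKE_CXX_COMPILER_ID STREQUAL "GNU")
        list(APPEND HARDENING_COMPILE_OPTIONS -Wstringop-overflow=4 -Wformat-overflow=2)
      endif()
      # _FORTIFY_SOURCE only takes effect when the optimizer runs, so it is gated per
      # configuration with a generator expression. Testing CMAKE_BUILD_TYPE instead would
      # silently drop it under multi-config generators (Visual Studio, Xcode, Ninja
      # Multi-Config), where that variable is empty. MinSizeRel (-Os) is optimized too.
      # NOTE(review): level 3 needs a recent glibc/compiler pair; older toolchains are
      # expected to fall back to level 2 — verify against the supported toolchains.
      target_compile_definitions(
        ${_project_name}
        INTERFACE
          "$<$<OR:$<CONFIG:Release>,$<CONFIG:RelWithDebInfo>,$<CONFIG:MinSizeRel>>:_FORTIFY_SOURCE=3>"
      )
    endif()

    if(ENABLE_ELF_PROTECTION)
      # NOTE(review): this sets PIC on the target itself. If ${_project_name} is an
      # INTERFACE library (everything else here is INTERFACE) the property does not reach
      # consumers — INTERFACE_POSITION_INDEPENDENT_CODE would. Executables additionally
      # only get -pie at link time when the caller has CMP0083 set to NEW and has run
      # check_pie_supported(); confirm that on the calling side.
      set_target_properties(${_project_name} PROPERTIES POSITION_INDEPENDENT_CODE ON)
      # relro: read-only relocation sections after loading; noexecstack: stack pages are
      # not executable; separate-code: code and data never share a loadable segment.
      list(APPEND HARDENING_LINK_OPTIONS -Wl,-z,relro -Wl,-z,noexecstack -Wl,-z,separate-code)
      # -z now resolves every symbol at load time, which lets RELRO cover the GOT as well.
      # Skipped when the caller explicitly wants lazy binding.
      if(NOT ENABLE_RUNTIME_SYMBOLS_RESOLUTION)
        list(APPEND HARDENING_LINK_OPTIONS -Wl,-z,now)
      endif()
    endif()
  endif()

  if(CMAKE_CXX_COMPILER_ID STREQUAL "MSVC")
    if(ENABLE_CONTROL_FLOW_PROTECTION)
      # Control Flow Guard has to be requested at both compile and link time.
      list(APPEND HARDENING_COMPILE_OPTIONS /guard:cf)
      list(APPEND HARDENING_LINK_OPTIONS /guard:cf)
    endif()
    if(ENABLE_STACK_PROTECTION)
      # /RTC1 (run-time error checks) cannot be combined with optimization, so it is
      # restricted to the Debug configuration via a generator expression; this also works
      # under multi-config generators, where CMAKE_BUILD_TYPE is empty. (MSVC's /GS stack
      # buffer check is on by default and is not touched here.)
      list(APPEND HARDENING_COMPILE_OPTIONS "$<$<CONFIG:Debug>:/RTC1>")
    endif()
    if(ENABLE_OVERFLOW_PROTECTION)
      list(APPEND HARDENING_COMPILE_OPTIONS /sdl)
    endif()
  endif()

  # Quoted so each `;`-separated list stays inside a single generator expression.
  target_compile_options(
    ${_project_name}
    INTERFACE "$<$<COMPILE_LANGUAGE:CXX>:${HARDENING_COMPILE_OPTIONS}>"
              "$<$<COMPILE_LANGUAGE:C>:${HARDENING_COMPILE_OPTIONS}>"
  )
  # NOTE(review): $<COMPILE_LANGUAGE:...> is documented for compile-side properties; the
  # documented form for link options is $<LINK_LANGUAGE:C,CXX> (CMake >= 3.18). Kept as
  # written so this module does not raise the project's minimum CMake version on its own.
  target_link_options(
    ${_project_name}
    INTERFACE "$<$<COMPILE_LANGUAGE:CXX>:${HARDENING_LINK_OPTIONS}>"
              "$<$<COMPILE_LANGUAGE:C>:${HARDENING_LINK_OPTIONS}>"
  )
endfunction()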