Skip to content

Commit

Permalink
Merge pull request #915 from chef/lcg/enable-hardening
Browse files Browse the repository at this point in the history 
Remove Solaris 10 platform and enable some hardening flags on Linux/Mac/FreeBSD
  • Loading branch information
@tas50
tas50 authored Nov 14, 2019
2 parents f0e30ed + ac913fe commit d1e84cc
Show file tree
Hide file tree
Showing 2 changed files with 44 additions and 55 deletions.
27 changes: 8 additions & 19 deletions lib/omnibus/software.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -668,33 +668,22 @@ def with_standard_compiler_flags(env = {}, opts = {})
"ARFLAGS" => "-X64 cru",
}
when "solaris2"
if platform_version.satisfies?("<= 5.10")
solaris_flags = {
# this override is due to a bug in libtool documented here:
# http://lists.gnu.org/archive/html/bug-libtool/2005-10/msg00004.html
"CC" => "gcc -static-libgcc",
"LDFLAGS" => "-R#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
}
elsif platform_version.satisfies?(">= 5.11")
solaris_flags = {
"CC" => "gcc -m64 -static-libgcc",
"LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
}
end
solaris_flags
{
"CC" => "gcc -m64 -static-libgcc",
"LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib -static-libgcc",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
}
when "freebsd"
{
"CC" => "clang",
"CXX" => "clang++",
"LDFLAGS" => "-L#{install_dir}/embedded/lib",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
}
when "suse"
suse_flags = {
"LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
}
# Enable gcc version 4.8 if it is available
if which("gcc-4.8") && platform_version.satisfies?("< 12")
Expand All @@ -721,7 +710,7 @@ def with_standard_compiler_flags(env = {}, opts = {})
else
{
"LDFLAGS" => "-Wl,-rpath,#{install_dir}/embedded/lib -L#{install_dir}/embedded/lib",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2",
"CFLAGS" => "-I#{install_dir}/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
}
end

Expand Down
72 changes: 36 additions & 36 deletions spec/unit/software_spec.rb
View file
Original file line number Diff line number Diff line change
Expand Up @@ -73,9 +73,9 @@ module Omnibus
it "sets the defaults" do
expect(subject.with_standard_compiler_flags).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -84,9 +84,9 @@ module Omnibus
it "overrides LDFLAGS" do
expect(subject.with_standard_compiler_flags("LDFLAGS" => "foo")).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -95,9 +95,9 @@ module Omnibus
it "overrides CFLAGS" do
expect(subject.with_standard_compiler_flags("CFLAGS" => "foo")).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -106,9 +106,9 @@ module Omnibus
it "overrides CXXFLAGS" do
expect(subject.with_standard_compiler_flags("CXXFLAGS" => "foo")).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -117,9 +117,9 @@ module Omnibus
it "overrides CPPFLAGS" do
expect(subject.with_standard_compiler_flags("CPPFLAGS" => "foo")).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -129,9 +129,9 @@ module Omnibus
expect(subject.with_standard_compiler_flags("numberwang" => 4)).to eq(
"numberwang" => 4,
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand Down Expand Up @@ -196,9 +196,9 @@ module Omnibus
it "sets the defaults" do
expect(subject.with_standard_compiler_flags).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand Down Expand Up @@ -240,9 +240,9 @@ module Omnibus
it "sets the defaults" do
expect(subject.with_standard_compiler_flags).to eq(
"CC" => "clang",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXX" => "clang++",
"LDFLAGS" => "-L/opt/project/embedded/lib",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
Expand All @@ -267,9 +267,9 @@ module Omnibus
expect(subject.with_standard_compiler_flags).to eq(
"CC" => "clang",
"CXX" => "clang++",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LDFLAGS" => "-L/opt/project/embedded/lib",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
Expand All @@ -287,9 +287,9 @@ module Omnibus
it "sets the defaults" do
expect(subject.with_standard_compiler_flags).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -307,9 +307,9 @@ module Omnibus
"CC" => "gcc-4.8",
"CXX" => "g++-4.8",
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand All @@ -328,9 +328,9 @@ module Omnibus
it "sets the defaults" do
expect(subject.with_standard_compiler_flags).to eq(
"LDFLAGS" => "-Wl,-rpath,/opt/project/embedded/lib -L/opt/project/embedded/lib",
"CFLAGS" => "-I/opt/project/embedded/include -O2",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2",
"CFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CXXFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"CPPFLAGS" => "-I/opt/project/embedded/include -O2 -D_FORTIFY_SOURCE=2 -fstack-protector",
"LD_RUN_PATH" => "/opt/project/embedded/lib",
"PKG_CONFIG_PATH" => "/opt/project/embedded/lib/pkgconfig",
"OMNIBUS_INSTALL_DIR" => "/opt/project"
Expand Down

0 comments on commit d1e84cc

Please sign in to comment.