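#!/bin/dash
# At least it's not perl..
#
# Compiler wrapper: inspects the command line, decides which hardening flags
# are compatible with it, then execs /usr/bin/gcc with those flags added.
# Compile-time flags go in front of the caller's arguments (so flags the
# caller passes later on the command line still come after them); linker
# flags are appended at the end.

# Start from a clean slate: none of the toggles or flag variables below should
# be inherited from the caller's environment. Without this, an exported
# variable of the same name (e.g. hcc_force_format or hcc_noexec) would
# silently change, or inject words into, the gcc command line.
unset hcc_force_stack hcc_force_stack_all hcc_force_fortify hcc_force_format
unset hcc_force_fPIE hcc_force_bindnow hcc_force_trampolines hcc_force_noexec
unset hcc_force_unstrict hcc_force_nullptr hcc_linking
unset hcc_link_relro hcc_link_bindnow hcc_link_pie hcc_linkerflags
unset hcc_ssp hcc_fortify hcc_format hcc_unstrict hcc_trampolines
unset hcc_nullptr hcc_noexec hcc_fpie

# Enable/disable here, don't touch unless you know what you are doing.
hcc_force_stack=1
#hcc_force_stack_all=1
hcc_force_fortify=1
#hcc_force_format=1
hcc_force_fPIE=1
hcc_force_bindnow=1
#hcc_force_trampolines=1
#hcc_force_noexec=1
#hcc_force_unstrict=1
#hcc_force_nullptr=1

# Don't touch:
hcc_linking=1

# Scan the caller's arguments and switch off every hardening feature that
# would conflict with an option the caller gave explicitly.
for opt; do
  case "$opt" in
    -nostdlib)
      # -nostdlib has to disable both PIE and SSP. It needs an arm of its
      # own: case stops at the first matching pattern, so listing it in the
      # PIE pattern and again in the SSP pattern means the SSP arm never runs.
      unset hcc_force_fPIE
      unset hcc_force_stack
      unset hcc_force_stack_all
      ;;
    -fno-PIC|-fno-pic|-fno-PIE|-fno-pie|-nopie|-static|-shared|-D__KERNEL__|-nostartfiles|-fPIC|-fpic)
      unset hcc_force_fPIE
      ;;
    -c)
      # Compile only: no link step, so no linker flags.
      unset hcc_linking
      ;;
    -D_FORTIFY_SOURCE=[0-1])
      # The caller asked for a lower fortify level; do not force level 2.
      unset hcc_force_fortify
      ;;
    -fno-stack-protector|-fno-stack-protector-all|-ffreestanding)
      unset hcc_force_stack
      unset hcc_force_stack_all
      ;;
  esac
done

# Use relro unconditionally.
# -z relro on its own still leaves the lazily-bound part of the GOT writable;
# combined with -z now the whole GOT can be made read-only after startup.
# -Wl,-z,now: This affects only the *startup* time because the dynamic linker has to do more work -
# but according to Kees Cook overhead of BIND_NOW is negligible nowadays even with huge applications.
if [ -n "${hcc_linking:-}" ]; then
  hcc_link_relro="-Wl,-z,relro"
  if [ -n "${hcc_force_bindnow:-}" ]; then
    hcc_link_bindnow="-Wl,--hash-style=gnu -Wl,-z,now"
  fi
  if [ -n "${hcc_force_fPIE:-}" ]; then
    hcc_link_pie="-pie" # Link-time half of PIE; the compile-time half (-fPIE) is set further down.
  fi
fi

# Lightweight SSP is default in Arch Linux CFLAGS, useful for builds that ignore them:
if [ -n "${hcc_force_stack:-}" ]; then
  hcc_ssp='-fstack-protector --param=ssp-buffer-size=4'
  if [ -n "${hcc_force_stack_all:-}" ]; then
    hcc_ssp='-fstack-protector-all' # This is the heavyweight version of SSP, usually considered too costly.
  fi
fi

# Is default in Arch Linux CFLAGS, useful for builds that ignore them:
# XXX: Might need to disable under some conditions.
# NOTE: _FORTIFY_SOURCE only takes effect when optimization is enabled, and
# this wrapper does not add an -O level itself.
if [ -n "${hcc_force_fortify:-}" ]; then
  hcc_fortify='-D_FORTIFY_SOURCE=2'
fi

# Warnings often erroneous, breaks quite a few builds due to -Werror.
if [ -n "${hcc_force_format:-}" ]; then
  hcc_format='-Wformat -Wformat-security -Werror=format-security'
fi

# OpenBSD default? You may or may not want this, read the description.
if [ -n "${hcc_force_unstrict:-}" ]; then
  hcc_unstrict='-fno-strict-aliasing -fno-strict-overflow'
fi

# You should really know why you want to break the build when encountering trampolines.
if [ -n "${hcc_force_trampolines:-}" ]; then
  hcc_trampolines='-Wtrampolines -Werror=trampolines'
fi

# Available for completeness. Don't use unless you KNOW you need this.
if [ -n "${hcc_force_nullptr:-}" ]; then
  hcc_nullptr='-fno-delete-null-pointer-checks'
fi

# Required for OpenSSL etc. to work on SELinux/grsec due to assembler code not having the right progbits.
if [ -n "${hcc_force_noexec:-}" ]; then
  hcc_noexec='-Wa,--noexecstack'
fi

# Automatic PIE handling is pretty much the whole purpose of this wrapper; Acceptable overhead on 64bit.
if [ -n "${hcc_force_fPIE:-}" ]; then
  hcc_fpie='-DPIC -fPIE'
fi

hcc_linkerflags="${hcc_link_pie:-} ${hcc_link_relro:-} ${hcc_link_bindnow:-}"

# The hcc_* flag variables are deliberately left unquoted: each holds zero or
# more space-separated options that must be split into separate words. The
# caller's arguments are passed through as "$@", which keeps every argument
# intact and expands to nothing when there are none.
# shellcheck disable=SC2086
exec /usr/bin/gcc ${hcc_fpie:-} ${hcc_noexec:-} ${hcc_ssp:-} ${hcc_fortify:-} ${hcc_unstrict:-} ${hcc_format:-} ${hcc_trampolines:-} ${hcc_nullptr:-} "$@" $hcc_linkerflags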