From b256c1b6de5e08e44412dfeec008b0967fd1865c Mon Sep 17 00:00:00 2001
From: "Galantsev, Dmitrii"
Date: Tue, 4 Feb 2025 22:18:56 -0600
Subject: [PATCH] Fix warnings on CXX/linker flags (#93) 1) When `clang` is used as system compiler, libraries were built without respecting LDFLAGS. For example, this affected LTO flags, if any (and it only affected clang, not gcc). 2) Linker flags are registered as CXX flags, which produces warnings during compilation: ``` clang++: warning: -Wl,-z,noexecstack: 'linker' input unused [-Wunused-command-line-argument] clang++: warning: -Wl,-znoexecheap: 'linker' input unused [-Wunused-command-line-argument] clang++: warning: -Wl,-z,relro: 'linker' input unused [-Wunused-command-line-argument] clang++: warning: -Wl,-z,now: 'linker' input unused [-Wunused-command-line-argument] ``` 3) Clang does not support `-Wtrampolines` flag: ``` warning: unknown warning option '-Wtrampolines' [-Wunknown-warning-option] ``` 4) No linkers support `noexecheap` anymore. `noexecheap` linker flag was a part of PaX patches to GNU ld, (which were dropped in 2017)[https://www.gentoo.org/support/news-items/2017-08-19-hardened-sources-removal.html]. Now ld/ld.lld/ld.gold don't support it and protection of heap is managed by NX bit. Therefore every compiler produces this warning: ``` ld.lld: warning: unknown -z value: noexecheap ``` Change-Id: I2334a4d4c745df2abc12d543616ca179f85c3575 Signed-off-by: Galantsev, Dmitrii Co-authored-by: Sv. Lockal
---
 cmake_modules/help_package.cmake | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/cmake_modules/help_package.cmake b/cmake_modules/help_package.cmake
index 8690816b4c..906b6e7913 100644
--- a/cmake_modules/help_package.cmake
+++ b/cmake_modules/help_package.cmake
@@ -56,8 +56,16 @@ function(generic_package)
 ## Security breach mitigation flags
 set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DFORTIFY_SOURCE=2 -fstack-protector-all -Wcast-align" PARENT_SCOPE)
 ## More security breach mitigation flags
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wl,-z,noexecstack -Wl,-znoexecheap -Wl,-z,relro" PARENT_SCOPE)
- set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wtrampolines -Wl,-z,now" PARENT_SCOPE)
+ set(HARDENING_LDFLAGS
+ "${HARDENING_LDFLAGS} -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now")
+ set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} ${HARDENING_LDFLAGS}" PARENT_SCOPE)
+ set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} ${HARDENING_LDFLAGS}" PARENT_SCOPE)
+
+ include(CheckCXXCompilerFlag)
+ check_cxx_compiler_flag("-Wtrampolines" CXX_SUPPORTS_WTRAMPOLINES)
+ if(CXX_SUPPORTS_WTRAMPOLINES)
+ set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wtrampolines" PARENT_SCOPE)
+ endif()
 endif()
 # Clang does not set the build-id
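Review bot: The added `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -Wtrampolines" PARENT_SCOPE)` overwrites the parent value written by the earlier context line, so on compilers that accept `-Wtrampolines` the build appears to lose `-fstack-protector-all` and `-Wcast-align`. `set(... PARENT_SCOPE)` does not update the function-local variable, so each append re-reads the value `CMAKE_CXX_FLAGS` had on entry to `generic_package`, unless it is changed locally outside this hunk, which starts and ends inside the function. Append to the local variable without `PARENT_SCOPE` in both places and export once at the end with `set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS}" PARENT_SCOPE)`. Separately, the context line passes `-DFORTIFY_SOURCE=2`; glibc keys on `_FORTIFY_SOURCE`, so that define likely has no effect as written.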