mirror of https://github.com/citusdata/citus.git
Add security flags in configure scripts (#4760)
Hanefi Onaldi
GitHub
parent
f3b0d445b2
commit
f87107eb6b
|
|
@ -86,6 +86,7 @@ endif
|
|||
|
||||
# Add options passed to configure or computed therein, to CFLAGS/CPPFLAGS/...
|
||||
override CFLAGS += @CFLAGS@ @CITUS_CFLAGS@
|
||||
override BITCODE_CFLAGS := $(BITCODE_CFLAGS) @CITUS_BITCODE_CFLAGS@
|
||||
ifneq ($(GIT_VERSION),)
|
||||
override CFLAGS += -DGIT_VERSION=\"$(GIT_VERSION)\"
|
||||
endif
|
||||
|
|
|
|||
|
|
@ -628,8 +628,10 @@ POSTGRES_BUILDDIR
|
|||
POSTGRES_SRCDIR
|
||||
CITUS_LDFLAGS
|
||||
CITUS_CPPFLAGS
|
||||
CITUS_BITCODE_CFLAGS
|
||||
CITUS_CFLAGS
|
||||
GIT_BIN
|
||||
with_security_flags
|
||||
with_zstd
|
||||
with_lz4
|
||||
EGREP
|
||||
|
|
@ -696,6 +698,7 @@ with_libcurl
|
|||
with_reports_hostname
|
||||
with_lz4
|
||||
with_zstd
|
||||
with_security_flags
|
||||
'
|
||||
ac_precious_vars='build_alias
|
||||
host_alias
|
||||
|
|
@ -1342,6 +1345,8 @@ Optional Packages:
|
|||
and update checks
|
||||
--without-lz4 do not use lz4
|
||||
--without-zstd do not use zstd
|
||||
--without-security-flags
|
||||
do not use security flags
|
||||
|
||||
Some influential environment variables:
|
||||
PG_CONFIG Location to find pg_config for target PostgreSQL instalation
|
||||
|
|
@ -4346,6 +4351,48 @@ if test x"$citusac_cv_prog_cc_cflags__Werror_return_type" = x"yes"; then
|
|||
CITUS_CFLAGS="$CITUS_CFLAGS -Werror=return-type"
|
||||
fi
|
||||
|
||||
# Security flags
|
||||
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
|
||||
# We do not enforce the following flag because it is only available on GCC>=8
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $CC supports -fstack-clash-protection" >&5
|
||||
$as_echo_n "checking whether $CC supports -fstack-clash-protection... " >&6; }
|
||||
if ${citusac_cv_prog_cc_cflags__fstack_clash_protection+:} false; then :
|
||||
$as_echo_n "(cached) " >&6
|
||||
else
|
||||
citusac_save_CFLAGS=$CFLAGS
|
||||
flag=-fstack-clash-protection
|
||||
case $flag in -Wno*)
|
||||
flag=-W$(echo $flag | cut -c 6-)
|
||||
esac
|
||||
CFLAGS="$citusac_save_CFLAGS $flag"
|
||||
ac_save_c_werror_flag=$ac_c_werror_flag
|
||||
ac_c_werror_flag=yes
|
||||
cat confdefs.h - <<_ACEOF >conftest.$ac_ext
|
||||
/* end confdefs.h. */
|
||||
|
||||
int
|
||||
main ()
|
||||
{
|
||||
|
||||
;
|
||||
return 0;
|
||||
}
|
||||
_ACEOF
|
||||
if ac_fn_c_try_compile "$LINENO"; then :
|
||||
citusac_cv_prog_cc_cflags__fstack_clash_protection=yes
|
||||
else
|
||||
citusac_cv_prog_cc_cflags__fstack_clash_protection=no
|
||||
fi
|
||||
rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
|
||||
ac_c_werror_flag=$ac_save_c_werror_flag
|
||||
CFLAGS="$citusac_save_CFLAGS"
|
||||
fi
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $citusac_cv_prog_cc_cflags__fstack_clash_protection" >&5
|
||||
$as_echo "$citusac_cv_prog_cc_cflags__fstack_clash_protection" >&6; }
|
||||
if test x"$citusac_cv_prog_cc_cflags__fstack_clash_protection" = x"yes"; then
|
||||
CITUS_CFLAGS="$CITUS_CFLAGS -fstack-clash-protection"
|
||||
fi
|
||||
|
||||
|
||||
#
|
||||
# --enable-coverage enables generation of code coverage metrics with gcov
|
||||
|
|
@ -4493,8 +4540,8 @@ if test "$version_num" != '11'; then
|
|||
$as_echo "#define HAS_TABLEAM 1" >>confdefs.h
|
||||
|
||||
else
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: postgres version does not support table access methodds" >&5
|
||||
$as_echo "$as_me: postgres version does not support table access methodds" >&6;}
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: postgres version does not support table access methods" >&5
|
||||
$as_echo "$as_me: postgres version does not support table access methods" >&6;}
|
||||
fi;
|
||||
|
||||
# Require lz4 & zstd only if we are compiling columnar
|
||||
|
|
@ -4687,6 +4734,55 @@ fi
|
|||
|
||||
fi # test "$HAS_TABLEAM" == 'yes'
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
# Check whether --with-security-flags was given.
|
||||
if test "${with_security_flags+set}" = set; then :
|
||||
withval=$with_security_flags;
|
||||
case $withval in
|
||||
yes)
|
||||
:
|
||||
;;
|
||||
no)
|
||||
:
|
||||
;;
|
||||
*)
|
||||
as_fn_error $? "no argument expected for --with-security-flags option" "$LINENO" 5
|
||||
;;
|
||||
esac
|
||||
|
||||
else
|
||||
with_security_flags=yes
|
||||
|
||||
fi
|
||||
|
||||
|
||||
|
||||
|
||||
if test "$with_security_flags" = yes; then
|
||||
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
|
||||
|
||||
# We always want to have some compiler flags for security concerns.
|
||||
SECURITY_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -shared -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
|
||||
CITUS_CFLAGS="$CITUS_CFLAGS $SECURITY_CFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: Blindly added security flags for linker: $SECURITY_CFLAGS" >&5
|
||||
$as_echo "$as_me: Blindly added security flags for linker: $SECURITY_CFLAGS" >&6;}
|
||||
|
||||
# We always want to have some clang flags for security concerns.
|
||||
# This doesn't include "-Wl,-z,relro -Wl,-z,now" on purpuse, because bitcode is not linked.
|
||||
# This doesn't include -fsanitize=cfi because it breaks builds on many distros including
|
||||
# Debian/Buster, Debian/Stretch, Ubuntu/Bionic, Ubuntu/Xenial and EL7.
|
||||
SECURITY_BITCODE_CFLAGS="-fsanitize=safe-stack -fstack-protector-strong -flto -fPIC -Wformat -Wformat-security -Werror=format-security"
|
||||
CITUS_BITCODE_CFLAGS="$CITUS_BITCODE_CFLAGS $SECURITY_BITCODE_CFLAGS"
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: Blindly added security flags for llvm: $SECURITY_BITCODE_CFLAGS" >&5
|
||||
$as_echo "$as_me: Blindly added security flags for llvm: $SECURITY_BITCODE_CFLAGS" >&6;}
|
||||
|
||||
{ $as_echo "$as_me:${as_lineno-$LINENO}: WARNING: If you run into issues during linking or bitcode compilation, you can use --without-security-flags." >&5
|
||||
$as_echo "$as_me: WARNING: If you run into issues during linking or bitcode compilation, you can use --without-security-flags." >&2;}
|
||||
fi
|
||||
|
||||
# Check if git is installed, when installed the gitref of the checkout will be baked in the application
|
||||
# Extract the first word of "git", so it can be a program name with args.
|
||||
set dummy git; ac_word=$2
|
||||
|
|
@ -4752,6 +4848,8 @@ fi
|
|||
|
||||
CITUS_CFLAGS="$CITUS_CFLAGS"
|
||||
|
||||
CITUS_BITCODE_CFLAGS="$CITUS_BITCODE_CFLAGS"
|
||||
|
||||
CITUS_CPPFLAGS="$CITUS_CPPFLAGS"
|
||||
|
||||
CITUS_LDFLAGS="$LIBS $CITUS_LDFLAGS"
|
||||
|
|
|
|||
31
configure.in
31
configure.in
|
|
@ -174,6 +174,10 @@ CITUSAC_PROG_CC_CFLAGS_OPT([-Werror=vla]) # visual studio does not support thes
|
|||
CITUSAC_PROG_CC_CFLAGS_OPT([-Werror=implicit-int])
|
||||
CITUSAC_PROG_CC_CFLAGS_OPT([-Werror=implicit-function-declaration])
|
||||
CITUSAC_PROG_CC_CFLAGS_OPT([-Werror=return-type])
|
||||
# Security flags
|
||||
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
|
||||
# We do not enforce the following flag because it is only available on GCC>=8
|
||||
CITUSAC_PROG_CC_CFLAGS_OPT([-fstack-clash-protection])
|
||||
|
||||
#
|
||||
# --enable-coverage enables generation of code coverage metrics with gcov
|
||||
|
|
@ -216,7 +220,7 @@ if test "$version_num" != '11'; then
|
|||
HAS_TABLEAM=yes
|
||||
AC_DEFINE([HAS_TABLEAM], 1, [Define to 1 to build with table access method support, pg12 and up])
|
||||
else
|
||||
AC_MSG_NOTICE([postgres version does not support table access methodds])
|
||||
AC_MSG_NOTICE([postgres version does not support table access methods])
|
||||
fi;
|
||||
|
||||
# Require lz4 & zstd only if we are compiling columnar
|
||||
|
|
@ -261,11 +265,36 @@ if test "$HAS_TABLEAM" == 'yes'; then
|
|||
|
||||
fi # test "$HAS_TABLEAM" == 'yes'
|
||||
|
||||
|
||||
PGAC_ARG_BOOL(with, security-flags, yes,
|
||||
[do not use security flags])
|
||||
AC_SUBST(with_security_flags)
|
||||
|
||||
if test "$with_security_flags" = yes; then
|
||||
# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
|
||||
|
||||
# We always want to have some compiler flags for security concerns.
|
||||
SECURITY_CFLAGS="-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -shared -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security"
|
||||
CITUS_CFLAGS="$CITUS_CFLAGS $SECURITY_CFLAGS"
|
||||
AC_MSG_NOTICE([Blindly added security flags for linker: $SECURITY_CFLAGS])
|
||||
|
||||
# We always want to have some clang flags for security concerns.
|
||||
# This doesn't include "-Wl,-z,relro -Wl,-z,now" on purpuse, because bitcode is not linked.
|
||||
# This doesn't include -fsanitize=cfi because it breaks builds on many distros including
|
||||
# Debian/Buster, Debian/Stretch, Ubuntu/Bionic, Ubuntu/Xenial and EL7.
|
||||
SECURITY_BITCODE_CFLAGS="-fsanitize=safe-stack -fstack-protector-strong -flto -fPIC -Wformat -Wformat-security -Werror=format-security"
|
||||
CITUS_BITCODE_CFLAGS="$CITUS_BITCODE_CFLAGS $SECURITY_BITCODE_CFLAGS"
|
||||
AC_MSG_NOTICE([Blindly added security flags for llvm: $SECURITY_BITCODE_CFLAGS])
|
||||
|
||||
AC_MSG_WARN([If you run into issues during linking or bitcode compilation, you can use --without-security-flags.])
|
||||
fi
|
||||
|
||||
# Check if git is installed, when installed the gitref of the checkout will be baked in the application
|
||||
AC_PATH_PROG(GIT_BIN, git)
|
||||
AC_CHECK_FILE(.git,[HAS_DOTGIT=yes], [HAS_DOTGIT=])
|
||||
|
||||
AC_SUBST(CITUS_CFLAGS, "$CITUS_CFLAGS")
|
||||
AC_SUBST(CITUS_BITCODE_CFLAGS, "$CITUS_BITCODE_CFLAGS")
|
||||
AC_SUBST(CITUS_CPPFLAGS, "$CITUS_CPPFLAGS")
|
||||
AC_SUBST(CITUS_LDFLAGS, "$LIBS $CITUS_LDFLAGS")
|
||||
AC_SUBST(POSTGRES_SRCDIR, "$POSTGRES_SRCDIR")
|
||||
|
|
|
|||
Loading…
Reference in New Issue