commit: 1e9b3a08b9243daae1bebd6bac3da939d924df1f |
Author: Sam James <sam <AT> gentoo <DOT> org> |
AuthorDate: Mon Jan 2 03:14:09 2023 +0000 |
Commit: Sam James <sam <AT> gentoo <DOT> org> |
CommitDate: Mon Jan 2 20:34:17 2023 +0000 |
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e9b3a08 |
|
sys-devel/clang-common: add baseline hardening |
|
Add new /etc/clang/gentoo-hardened.cfg which sets hardening |
options: |
* -fstack-clash-protection |
* -fstack-protector-strong |
* -fPIE (already set by USE=pie on Clang, but this moves it out, as upstream |
prefer the config method.) |
* -D_FORTIFY_SOURCE=2 |
|
Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1 |
(analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3. |
|
Bug: https://bugs.gentoo.org/851111 |
Signed-off-by: Sam James <sam <AT> gentoo.org> |
|
...0.9999.ebuild => clang-common-15.0.6-r1.ebuild} | 45 +++++++++++++++++----- |
.../clang-common/clang-common-15.0.6.9999.ebuild | 37 +++++++++++++++++- |
.../clang-common/clang-common-16.0.0.9999.ebuild | 37 +++++++++++++++++- |
...d => clang-common-16.0.0_pre20230101-r1.ebuild} | 37 +++++++++++++++++- |
4 files changed, 141 insertions(+), 15 deletions(-) |
|
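diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
similarity index 75%
copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
copy to sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
index e9669ee1adcc..7ec66f0dd663 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -10,10 +10,10 @@ HOMEPAGE="https://llvm.org/"
 
 LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
 SLOT="0"
-KEYWORDS=""
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~ppc-macos ~x64-macos"
 IUSE="
 default-compiler-rt default-libcxx default-lld llvm-libunwind
- stricter
+ hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 # This file contains flags common to clang, clang++ and clang-cpp.
 @gentoo-runtimes.cfg
 @gentoo-gcc-install.cfg
+ @gentoo-hardened.cfg
 EOF
 
+ # Baseline hardening (bug #851111)
+ newins - gentoo-hardened.cfg <<-EOF
+ -fstack-clash-protection
+ -fstack-protector-strong
+ -fPIE
+ -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+ EOF
+
+ dodir /usr/include/gentoo
+
+ local fortify_level=$(usex hardened 3 2)
+ # We have to do this because glibc's headers warn if F_S is set
+ # without optimization and that would at the very least be very noisy
+ # during builds and at worst trigger many -Werror builds.
+ cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+ #ifndef _FORTIFY_SOURCE
+ #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+ #define _FORTIFY_SOURCE ${fortify_level}
+ #endif
+ #endif
+ EOF
+
+ if use hardened ; then
+ cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+ -D_GLIBCXX_ASSERTIONS
+
+ # Analogue to GLIBCXX_ASSERTIONS
+ # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+ -D_LIBCPP_ENABLE_ASSERTIONS=1
+ EOF
+ fi
+
 if use stricter; then
 newins - gentoo-stricter.cfg <<-EOF
 # This file increases the strictness of older clang versions
@@ -97,12 +130,6 @@ src_install() {
 -Werror=implicit-function-declaration
 -Werror=implicit-int
 -Werror=incompatible-function-pointer-types
-
- # constructs banned by C2x
- -Werror=deprecated-non-prototype
-
- # deprecated but large blast radius
- #-Werror=strict-prototypes
 EOF
 
 cat >> "${ED}/etc/clang/gentoo-common.cfg" <<-EOF || die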
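Review bot: The new KEYWORDS line extends this baseline to arm, arm64, ppc, riscv, sparc and the macOS targets, but as far as I can tell clang 15's driver only emits stack-clash probing for x86, SystemZ and PPC64 Linux targets and quietly ignores `-fstack-clash-protection` elsewhere, so on several of the newly keyworded arches gentoo-hardened.cfg delivers less than its name promises and no diagnostic says so. That is worth stating in the cfg so nobody reads the file as a guarantee; I would put above the flag `# no-op on targets where clang lacks stack-clash support; verify per arch`. Please check the driver's target list for this release before settling the comment text. src_install begins before the hunk.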
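diff --git a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
index 3e43f51a0aab..709c93681448 100644
--- a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
 default-compiler-rt default-libcxx default-lld llvm-libunwind
- stricter
+ hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 # This file contains flags common to clang, clang++ and clang-cpp.
 @gentoo-runtimes.cfg
 @gentoo-gcc-install.cfg
+ @gentoo-hardened.cfg
 EOF
 
+ # Baseline hardening (bug #851111)
+ newins - gentoo-hardened.cfg <<-EOF
+ -fstack-clash-protection
+ -fstack-protector-strong
+ -fPIE
+ -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+ EOF
+
+ dodir /usr/include/gentoo
+
+ local fortify_level=$(usex hardened 3 2)
+ # We have to do this because glibc's headers warn if F_S is set
+ # without optimization and that would at the very least be very noisy
+ # during builds and at worst trigger many -Werror builds.
+ cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+ #ifndef _FORTIFY_SOURCE
+ #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+ #define _FORTIFY_SOURCE ${fortify_level}
+ #endif
+ #endif
+ EOF
+
+ if use hardened ; then
+ cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+ -D_GLIBCXX_ASSERTIONS
+
+ # Analogue to GLIBCXX_ASSERTIONS
+ # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+ -D_LIBCPP_ENABLE_ASSERTIONS=1
+ EOF
+ fi
+
 if use stricter; then
 newins - gentoo-stricter.cfg <<-EOF
 # This file increases the strictness of older clang versions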
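Review bot: The `-include` path in gentoo-hardened.cfg is expanded from `${ESYSROOT}` while the ebuild is being installed, but the cfg is read later by the installed clang, which needs the header where it actually lands in the image, `${EPREFIX}/usr/include/gentoo/fortify.h`. The two coincide for a native build; with a non-empty SYSROOT (cross or sysroot installs) the baked-in path would, as far as I can tell, point into the build host's sysroot and every compilation on the target would fail on the missing forced include. I would change the line to `-include "${EPREFIX}/usr/include/gentoo/fortify.h"`. The enclosing src_install starts outside the hunk.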
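diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
index e9669ee1adcc..1b9640fcebe0 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
 default-compiler-rt default-libcxx default-lld llvm-libunwind
- stricter
+ hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 # This file contains flags common to clang, clang++ and clang-cpp.
 @gentoo-runtimes.cfg
 @gentoo-gcc-install.cfg
+ @gentoo-hardened.cfg
 EOF
 
+ # Baseline hardening (bug #851111)
+ newins - gentoo-hardened.cfg <<-EOF
+ -fstack-clash-protection
+ -fstack-protector-strong
+ -fPIE
+ -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+ EOF
+
+ dodir /usr/include/gentoo
+
+ local fortify_level=$(usex hardened 3 2)
+ # We have to do this because glibc's headers warn if F_S is set
+ # without optimization and that would at the very least be very noisy
+ # during builds and at worst trigger many -Werror builds.
+ cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+ #ifndef _FORTIFY_SOURCE
+ #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+ #define _FORTIFY_SOURCE ${fortify_level}
+ #endif
+ #endif
+ EOF
+
+ if use hardened ; then
+ cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+ -D_GLIBCXX_ASSERTIONS
+
+ # Analogue to GLIBCXX_ASSERTIONS
+ # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+ -D_LIBCPP_ENABLE_ASSERTIONS=1
+ EOF
+ fi
+
 if use stricter; then
 newins - gentoo-stricter.cfg <<-EOF
 # This file increases the strictness of older clang versions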
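Review bot: The `#ifndef _FORTIFY_SOURCE` guard in fortify.h yields to an explicit `-D_FORTIFY_SOURCE=N` but not to `-U_FORTIFY_SOURCE`: if I read clang's predefines handling correctly, command-line `-D`/`-U` are applied before `-include` files are entered, so after a bare `-U` the guard is true again and the header re-enables fortification at the Gentoo level. Build systems that opt out that way will keep getting fortified objects, and only `-D_FORTIFY_SOURCE=0` actually turns it off, which differs from the familiar behaviour of a plain `-D_FORTIFY_SOURCE=2` in CFLAGS. That should be stated where people will look, i.e. in the generated header: `/* A bare -U_FORTIFY_SOURCE on the command line does not override this; use -D_FORTIFY_SOURCE=0 to disable. */`. src_install continues outside the hunk.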
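diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
similarity index 77%
copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
copy to sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
index e9669ee1adcc..350245ab982e 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
 default-compiler-rt default-libcxx default-lld llvm-libunwind
- stricter
+ hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 # This file contains flags common to clang, clang++ and clang-cpp.
 @gentoo-runtimes.cfg
 @gentoo-gcc-install.cfg
+ @gentoo-hardened.cfg
 EOF
 
+ # Baseline hardening (bug #851111)
+ newins - gentoo-hardened.cfg <<-EOF
+ -fstack-clash-protection
+ -fstack-protector-strong
+ -fPIE
+ -include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+ EOF
+
+ dodir /usr/include/gentoo
+
+ local fortify_level=$(usex hardened 3 2)
+ # We have to do this because glibc's headers warn if F_S is set
+ # without optimization and that would at the very least be very noisy
+ # during builds and at worst trigger many -Werror builds.
+ cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+ #ifndef _FORTIFY_SOURCE
+ #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+ #define _FORTIFY_SOURCE ${fortify_level}
+ #endif
+ #endif
+ EOF
+
+ if use hardened ; then
+ cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+ -D_GLIBCXX_ASSERTIONS
+
+ # Analogue to GLIBCXX_ASSERTIONS
+ # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+ -D_LIBCPP_ENABLE_ASSERTIONS=1
+ EOF
+ fi
+
 if use stricter; then
 newins - gentoo-stricter.cfg <<-EOF
 # This file increases the strictness of older clang versions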
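Review bot: The generated /usr/include/gentoo/fortify.h carries no comment at all, yet it is the file a user will open when tracing an unexpected `_FORTIFY_SOURCE` definition; the rationale (glibc warns when fortification is requested without optimisation) lives only in the ebuild comment above the heredoc. I would start the heredoc with `/* Installed by sys-devel/clang-common (bug #851111): sets Gentoo's default _FORTIFY_SOURCE for optimised builds unless the build already defines it. */`. Relatedly, the commit message describes USE=hardened as adding `-D_LIBCPP_ENABLE_ASSERTIONS=1` and `_FORTIFY_SOURCE=3`, while the hunk also appends `-D_GLIBCXX_ASSERTIONS` with no comment of its own; a line such as `# libstdc++ hardened-mode assertions, for builds not using libc++` above it would make the cfg self-explanatory. src_install begins before this hunk.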