    configure: default build to hardened -O3 PIE with lots of warnings · 19d13848
    Henrique de Moraes Holschuh authored
    Override the autoconf default CFLAGS, CPPFLAGS and LDFLAGS for a more
    optimized, hardened build by default.  Also, print the value of these
    variables in configure output.
    
    The standard methods to override the default CFLAGS, CPPFLAGS and
    LDFLAGS in configure still work, and will bypass the new defaults.
    Linux distros that override these on every build should not see any
    changes.
    
    Should the compiler not be detected as gcc-compatible, no change to
    CFLAGS/CPPFLAGS/LDFLAGS will be made.  Note that clang is explicitly
    supported, and works just fine.
    
    The build will default to a baseline of "-O3 -g" and will attempt to
    selectively enable the following warning options:
    
      -Wall -Wextra -Wformat=2 -Werror=format-security -Wtrampolines
      -Wformat-signedness -Wformat-overflow=2 -Wformat-truncation=2
      -Wtrampolines -Wcast-align -Wsign-conversion -Wnull-dereference
      -Wstrict-prototypes -Wmissing-prototypes -Wmissing-declarations
      -Wredundant-decls -Wstrict-overflow -Winit-self -Wshadow
      -Wrestrict -Wpointer-arith -Wlogical-op -Wbad-function-cast
      -Wwrite-strings -Wduplicated-branches -Wduplicated-cond
      -Walloca -Wvla -Walloc-zero -Walloc-size-larger-than=1073741824
    
    and the following hardening options:
    
      -D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wstack-protector
      -fPIE -Wl,-z,relro -Wl,-z,now -pie
    
    configure will attempt to detect the set of compiler and linker driver
    flags that would work from the above list.
    
    Caveats: autoconf 2.69 and automake 1.13 or later are now required.
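As an added illustration, not the project's own configure.ac, the following POSIX shell script probes the flags listed in the message one at a time and keeps only those the compiler accepts, the way a configure flag check does; CC, BASE and the helper names are assumptions here.

```shell
#!/bin/sh
# Added example, not the project's configure.ac: probe which of the flags from
# the commit message the compiler accepts. CC, BASE and helper names are assumed.
BASE="-O3 -g"   # baseline from the commit; without -O, glibc's features.h
                # rejects -D_FORTIFY_SOURCE=2 under -Werror, so probe with it
WARN_FLAGS="-Wall -Wextra -Wformat=2 -Werror=format-security -Wtrampolines \
-Wformat-signedness -Wformat-overflow=2 -Wformat-truncation=2 \
-Wcast-align -Wsign-conversion -Wnull-dereference -Wstrict-prototypes \
-Wmissing-prototypes -Wmissing-declarations -Wredundant-decls \
-Wstrict-overflow -Winit-self -Wshadow -Wrestrict -Wpointer-arith \
-Wlogical-op -Wbad-function-cast -Wwrite-strings -Wduplicated-branches \
-Wduplicated-cond -Walloca -Wvla -Walloc-zero -Walloc-size-larger-than=1073741824"
HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong -Wstack-protector -fPIE"
HARDEN_LDFLAGS="-Wl,-z,relro -Wl,-z,now -pie"

# probe_flag MODE FLAG: compile (MODE=compile) or link (MODE=link) a trivial
# program with FLAG. -Werror is essential: clang merely warns about unknown
# -W options and unused linker arguments, so without it an unsupported flag
# would be "accepted" and then silently do nothing in the real build.
probe_flag() {
    mode=$1 flag=$2
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/t.c"
    rc=1
    if [ "$mode" = link ]; then
        "${CC:-cc}" $BASE -Werror $flag "$tmp/t.c" -o "$tmp/t" >/dev/null 2>&1 && rc=0
    else
        "${CC:-cc}" $BASE -Werror $flag -c "$tmp/t.c" -o "$tmp/t.o" >/dev/null 2>&1 && rc=0
    fi
    rm -rf "$tmp"
    return $rc
}

# select_flags MODE FLAG...: print the subset the compiler accepts. Each flag
# is probed on its own, so one rejected flag does not drop the rest.
select_flags() {
    mode=$1; shift
    out=""
    for f in "$@"; do
        probe_flag "$mode" "$f" && out="$out${out:+ }$f"
    done
    printf '%s\n' "$out"
}

# Usage: sh probe-flags.sh --show prints what the commit's configure echoes.
if [ "${1:-}" = --show ]; then
    echo "CFLAGS=$BASE $(select_flags compile $WARN_FLAGS $HARDEN_CFLAGS)"
    echo "LDFLAGS=$(select_flags link $HARDEN_LDFLAGS)"
fi
```

Run it with a real CC to see which of the listed options your toolchain supports; distributions that set CFLAGS/CPPFLAGS/LDFLAGS themselves bypass this selection entirely, as the message notes.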