'-fno-stack-protector-all',
'-fno-stack-protector-strong',
);
+my @def_cflags_stack_clash = (
+ '-fstack-clash-protection',
+);
my @def_cflags_pie = (
'-fPIE',
);
\@def_cflags_stack,
\@def_cflags_stack_strong,
\@def_cflags_stack_bad,
+ \@def_cflags_stack_clash,
\@def_cflags_pie,
\@def_cxxflags,
\@def_cppflags,
my $harden_fortify = 1;
my $harden_stack = 1;
my $harden_stack_strong = 1;
+ my $harden_stack_clash = 1;
my $harden_relro = 1;
my $harden_bindnow = $option_bindnow; # defaults to 0
my $harden_pie = $option_pie; # defaults to 0
my $disable = 1;
my $disable_strong = 1;
+ my $disable_clash = 1;
if ($line =~ /\bdpkg-dev_(\S+)/) {
if (Dpkg::Version::version_compare($1, '1.16.1') >= 0) {
if (Dpkg::Version::version_compare($1, '1.18.15') >= 0) {
$disable_harden_pie = 1;
}
+ if (Dpkg::Version::version_compare($1, '1.22.0') >= 0) {
+ $disable_clash = 0;
+ }
}
if ($disable) {
if ($disable_strong) {
$harden_stack_strong = 0;
}
+ if ($disable_clash) {
+ $harden_stack_clash = 0;
+ }
}
# The following two versions of CMake in Debian obeyed CPPFLAGS, but
$harden_stack = 0;
$harden_stack_strong = 0;
}
+ if ($arch !~ /^(?:amd64|arm64|armhf|armel)$/) {
+ $harden_stack_clash = 0;
+ }
if ($cpu =~ /^(?:ia64|hppa)$/) {
$harden_relro = 0;
$harden_bindnow = 0;
@cflags = (@cflags, @def_cflags_stack);
@cxxflags = (@cxxflags, @def_cflags_stack);
}
+ if ($harden_stack_clash) {
+ @cflags = (@cflags, @def_cflags_stack_clash);
+ @cxxflags = (@cxxflags, @def_cflags_stack_clash);
+ }
if ($harden_fortify) {
@cflags = (@cflags, @def_cflags_fortify);
@cxxflags = (@cxxflags, @def_cflags_fortify);
ruderich.org/simon / blhc / blhc.git / blobdiff