C make.conf, how to specify separate flags when clang is used and when gcc is used.

Alain De Vos · Dec 13, 2021

Can i specify in make.conf when compiling a port to use additional and different compile flags, when one port uses clang and when another uses gcc ?
[E.g. If compiler is one of these , try to add these additional compile flags ...]

mark_j · Dec 13, 2021

In a Makefile you can use ifeq(), so that applies to make.conf

Alain De Vos · Dec 13, 2021

I'm trying a few hardening flags to make.conf. They seem to work with clang & gcc.

Code:

MYOTHERFLAGS=" -fsanitize=safe-stack "
MYFLAGS=" --with-extra-ldflags --with-extra-cflags -O2 -pipe -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection "
CFLAGS+="${MYFLAGS}"
CXXFLAGS+="${MYFLAGS}"

Lamia · Dec 13, 2021

You

Alain De Vos said:
I've added a few hardening flags to make.conf. They seem to work with clang & gcc.

Code:

MYFLAGS=" -Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -fsanitize=safe-stack -fstack-protector -fstack-protector-strong -fstack-clash-protection -fexceptions -fcf-protection -D_GLIBCXX_ASSERTIONS -fPIE -fPIC " CFLAGS+="${MYFLAGS}" CXXFLAGS+="${MYFLAGS}"

You can enclose in an if statement like earlier mentioned.

mark_j · Dec 13, 2021

Most flags for gcc apply to clang (which has made adopting it a lot easier than it otherwise would have been).

There's more gcc flags with esoteric settings that clang doesn't have (or need).

Alain De Vos · Dec 13, 2021

Note , many ports don't like , "-fsanitize=safe-stack"

Alain De Vos · Dec 13, 2021

Compiling openjdk with poudriere i receive :

Code:

[00:01:09] The following warnings were produced. Repeated here for convenience:
[00:01:09] WARNING: Ignoring value of MAKE from the environment. Use command line variables instead.
[00:01:09] WARNING: Ignoring CFLAGS(-O2 -pipe  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge  -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing ) found in environment. Use --with-extra-cflags
[00:01:09] WARNING: Ignoring CXXFLAGS(-O2 -pipe  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe  -march=ivybridge -DLIBICONV_PLUG -fstack-protector-strong -fno-strict-aliasing  -D_FORTIFY_SOURCE=2 -D_GLIBCXX_ASSERTIONS -fident -mno-unaligned-access -Wformat -Wformat-security -Werror=format-security -fPIC -fPIE -fcf-protection -fexceptions -fno-short-enums -fomit-frame-pointer -fstrict-aliasing -fstack-protector-all -fstack-protector -fstack-protector-strong -fstack-clash-protection -O2 -pipe   -DLIBICONV_PLUG ) found in environment. Use --with-extra-cxxflags
[00:01:09] WARNING: Ignoring LDFLAGS( -fstack-protector-strong ) found in environment. Use --with-extra-ldflags

It looks like openjdk does not like my changes to CFLAGS & CXXFLAGS ?

mark_j · Dec 13, 2021

Well java does explicit bounds checking doesn't it? So stack canaries are probably useless anyway.
I think you'll find lots of these issues when you use all these mitigation techniques to the ports tree just in general. YMMV.
Re: safe-stack: https://clang.llvm.org/docs/SafeStack.html
I don't know much about it but it seems it would clash with code hence the need for __attribute() and __builtin() stuff.

Alain De Vos · Dec 13, 2021

When you increase "security" ports start failing to build or run. qt-ports don't compile with "-fsanitize=safe-stack"
So i had also to :
sysctl.conf:

Code:

kern.elf64.nxstack=1
kern.elf64.aslr.stack_gap=0    # ntp,firefox
kern.elf64.allow_wx=1 # Compilers

mark_j · Dec 13, 2021

It's probably not good that safe-stack fails with qt-ports, but then again, as I wrote, I think they need to take specific action in the code base to allow for this level of protection.

(There's probably a lot of suspect code in ports

)

Alain De Vos · Dec 14, 2021

"-fPIC" gives linker relocation error on important libraries.

mark_j · Dec 14, 2021

If those static libraries weren't compiled with PIC then that's why the linker is barfing.