From: "Sam James"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sam James"
Message-ID: <1672691657.1e9b3a08b9243daae1bebd6bac3da939d924df1f.sam@gentoo>
Subject: [gentoo-commits] repo/gentoo:master commit in: sys-devel/clang-common/
X-VCS-Repository: repo/gentoo
X-VCS-Files: sys-devel/clang-common/clang-common-15.0.6-r1.ebuild sys-devel/clang-common/clang-common-15.0.6.9999.ebuild sys-devel/clang-common/clang-common-16.0.0.9999.ebuild sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
X-VCS-Directories: sys-devel/clang-common/
X-VCS-Committer: sam
X-VCS-Committer-Name: Sam James
X-VCS-Revision: 1e9b3a08b9243daae1bebd6bac3da939d924df1f
X-VCS-Branch: master
Date: Mon, 2 Jan 2023 20:35:20 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: be34c8ad-e31e-4eb3-9c9b-9f404a10732c
X-Archives-Hash: 4fb19fed17027d8754f243569bf415a9

commit:     1e9b3a08b9243daae1bebd6bac3da939d924df1f
Author:     Sam James gentoo org>
AuthorDate: Mon Jan  2 03:14:09 2023 +0000
Commit:     Sam James gentoo org>
CommitDate: Mon Jan  2 20:34:17 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e9b3a08

sys-devel/clang-common: add baseline hardening

Add new /etc/clang/gentoo-hardened.cfg which sets hardening options:
* -fstack-clash-protection
* -fstack-protector-strong
* -fPIE (already set by USE=pie on Clang, but this moves it out, as
  upstream prefer the config method.)
* -D_FORTIFY_SOURCE=2

Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1
(analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3.

Bug: https://bugs.gentoo.org/851111
Signed-off-by: Sam James gentoo.org> ...0.9999.ebuild => clang-common-15.0.6-r1.ebuild} | 45 +++++++++++++++++----- .../clang-common/clang-common-15.0.6.9999.ebuild | 37 +++++++++++++++++- .../clang-common/clang-common-16.0.0.9999.ebuild | 37 +++++++++++++++++- ...d => clang-common-16.0.0_pre20230101-r1.ebuild} | 37 +++++++++++++++++- 4 files changed, 141 insertions(+), 15 deletions(-) diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild similarity index 75% copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild copy to sys-devel/clang-common/clang-common-15.0.6-r1.ebuild index e9669ee1adcc..7ec66f0dd663 100644 --- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild +++ b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -10,10 +10,10 @@ HOMEPAGE="https://llvm.org/" LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA" SLOT="0" -KEYWORDS="" +KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~ppc-macos ~x64-macos" IUSE=" default-compiler-rt default-libcxx default-lld llvm-libunwind - stricter + hardened stricter " PDEPEND=" 
@@ -86,8 +86,41 @@ src_install() { # This file contains flags common to clang, clang++ and clang-cpp. @gentoo-runtimes.cfg @gentoo-gcc-install.cfg + @gentoo-hardened.cfg EOF + # Baseline hardening (bug #851111) + newins - gentoo-hardened.cfg <<-EOF + -fstack-clash-protection + -fstack-protector-strong + -fPIE + -include "${ESYSROOT}/usr/include/gentoo/fortify.h" + EOF + + dodir /usr/include/gentoo + + local fortify_level=$(usex hardened 3 2) + # We have to do this because glibc's headers warn if F_S is set + # without optimization and that would at the very least be very noisy + # during builds and at worst trigger many -Werror builds. + cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die + #ifndef _FORTIFY_SOURCE + #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0 + #define _FORTIFY_SOURCE ${fortify_level} + #endif + #endif + EOF + + if use hardened ; then + cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die + -D_GLIBCXX_ASSERTIONS + + # Analogue to GLIBCXX_ASSERTIONS + # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode + -D_LIBCPP_ENABLE_ASSERTIONS=1 + EOF + fi + if use stricter; then newins - gentoo-stricter.cfg <<-EOF # This file increases the strictness of older clang versions @@ -97,12 +130,6 @@ src_install() { -Werror=implicit-function-declaration -Werror=implicit-int -Werror=incompatible-function-pointer-types - - # constructs banned by C2x - -Werror=deprecated-non-prototype - - # deprecated but large blast radius - #-Werror=strict-prototypes EOF cat >> "${ED}/etc/clang/gentoo-common.cfg" <<-EOF || die diff --git a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild index 3e43f51a0aab..709c93681448 100644 --- a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild +++ b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild 
@@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -13,7 +13,7 @@ SLOT="0" KEYWORDS="" IUSE=" default-compiler-rt default-libcxx default-lld llvm-libunwind - stricter + hardened stricter " PDEPEND=" @@ -86,8 +86,41 @@ src_install() { # This file contains flags common to clang, clang++ and clang-cpp. @gentoo-runtimes.cfg @gentoo-gcc-install.cfg + @gentoo-hardened.cfg EOF + # Baseline hardening (bug #851111) + newins - gentoo-hardened.cfg <<-EOF + -fstack-clash-protection + -fstack-protector-strong + -fPIE + -include "${ESYSROOT}/usr/include/gentoo/fortify.h" + EOF + + dodir /usr/include/gentoo + + local fortify_level=$(usex hardened 3 2) + # We have to do this because glibc's headers warn if F_S is set + # without optimization and that would at the very least be very noisy + # during builds and at worst trigger many -Werror builds. + cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die + #ifndef _FORTIFY_SOURCE + #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0 + #define _FORTIFY_SOURCE ${fortify_level} + #endif + #endif + EOF + + if use hardened ; then + cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die + -D_GLIBCXX_ASSERTIONS + + # Analogue to GLIBCXX_ASSERTIONS + # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode + -D_LIBCPP_ENABLE_ASSERTIONS=1 + EOF + fi + if use stricter; then newins - gentoo-stricter.cfg <<-EOF # This file increases the strictness of older clang versions diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild index e9669ee1adcc..1b9640fcebe0 100644 --- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild +++ b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild @@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 
@@ -13,7 +13,7 @@ SLOT="0" KEYWORDS="" IUSE=" default-compiler-rt default-libcxx default-lld llvm-libunwind - stricter + hardened stricter " PDEPEND=" @@ -86,8 +86,41 @@ src_install() { # This file contains flags common to clang, clang++ and clang-cpp. @gentoo-runtimes.cfg @gentoo-gcc-install.cfg + @gentoo-hardened.cfg EOF + # Baseline hardening (bug #851111) + newins - gentoo-hardened.cfg <<-EOF + -fstack-clash-protection + -fstack-protector-strong + -fPIE + -include "${ESYSROOT}/usr/include/gentoo/fortify.h" + EOF + + dodir /usr/include/gentoo + + local fortify_level=$(usex hardened 3 2) + # We have to do this because glibc's headers warn if F_S is set + # without optimization and that would at the very least be very noisy + # during builds and at worst trigger many -Werror builds. + cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die + #ifndef _FORTIFY_SOURCE + #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0 + #define _FORTIFY_SOURCE ${fortify_level} + #endif + #endif + EOF + + if use hardened ; then + cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die + -D_GLIBCXX_ASSERTIONS + + # Analogue to GLIBCXX_ASSERTIONS + # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode + -D_LIBCPP_ENABLE_ASSERTIONS=1 + EOF + fi + if use stricter; then newins - gentoo-stricter.cfg <<-EOF # This file increases the strictness of older clang versions diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild similarity index 77% copy from sys-devel/clang-common/clang-common-16.0.0.9999.ebuild copy to sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild index e9669ee1adcc..350245ab982e 100644 --- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild +++ b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild 
@@ -1,4 +1,4 @@ -# Copyright 1999-2022 Gentoo Authors +# Copyright 1999-2023 Gentoo Authors # Distributed under the terms of the GNU General Public License v2 EAPI=8 @@ -13,7 +13,7 @@ SLOT="0" KEYWORDS="" IUSE=" default-compiler-rt default-libcxx default-lld llvm-libunwind - stricter + hardened stricter " PDEPEND=" @@ -86,8 +86,41 @@ src_install() { # This file contains flags common to clang, clang++ and clang-cpp. @gentoo-runtimes.cfg @gentoo-gcc-install.cfg + @gentoo-hardened.cfg EOF + # Baseline hardening (bug #851111) + newins - gentoo-hardened.cfg <<-EOF + -fstack-clash-protection + -fstack-protector-strong + -fPIE + -include "${ESYSROOT}/usr/include/gentoo/fortify.h" + EOF + + dodir /usr/include/gentoo + + local fortify_level=$(usex hardened 3 2) + # We have to do this because glibc's headers warn if F_S is set + # without optimization and that would at the very least be very noisy + # during builds and at worst trigger many -Werror builds. + cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die + #ifndef _FORTIFY_SOURCE + #if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0 + #define _FORTIFY_SOURCE ${fortify_level} + #endif + #endif + EOF + + if use hardened ; then + cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die + -D_GLIBCXX_ASSERTIONS + + # Analogue to GLIBCXX_ASSERTIONS + # https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode + -D_LIBCPP_ENABLE_ASSERTIONS=1 + EOF + fi + if use stricter; then newins - gentoo-stricter.cfg <<-EOF # This file increases the strictness of older clang versions
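Review bot: in the src_install hunk of clang-common-15.0.6-r1.ebuild (the same hunk recurs in the other three ebuilds), injecting the define through `-include "${ESYSROOT}/usr/include/gentoo/fortify.h"` changes how a package opts out of fortification: command-line `-D`/`-U` are applied before any `-include` file is read, so a `-U_FORTIFY_SOURCE` in CFLAGS is undone by the header's `#ifndef _FORTIFY_SOURCE` / `#define _FORTIFY_SOURCE ${fortify_level}`, and only an explicit `-D_FORTIFY_SOURCE=0` still disables it. That deserves a comment in the generated cfg (or the commit message) so ebuilds that currently append `-U_FORTIFY_SOURCE` know to switch. A smaller point in the same hunk: `fortify.h` is written with `cat >> "${ED}/usr/include/gentoo/fortify.h"` after `dodir`, while the cfg next to it goes through `newins -`; using `newins -` for the header too would make the installed mode explicit rather than depending on the umask of the redirection.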
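Review bot: the `if use hardened` block in the src_install hunk of clang-common-15.0.6.9999.ebuild (identical in the other three ebuilds) also appends `-D_GLIBCXX_ASSERTIONS` to gentoo-hardened.cfg, but the commit message lists only `-D_LIBCPP_ENABLE_ASSERTIONS=1` and `-D_FORTIFY_SOURCE=3` under USE=hardened. Either document the libstdc++ define as part of the flag or drop it; the define is only consulted by libstdc++ headers, so it is harmless for default-libcxx users, but it is behaviour the description does not promise. While there, the bare `-D_GLIBCXX_ASSERTIONS` line has no comment, whereas `-D_LIBCPP_ENABLE_ASSERTIONS=1` gets `# Analogue to GLIBCXX_ASSERTIONS` and a URL; a one-line note that it covers clang builds against libstdc++ would keep the file self-explanatory.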
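Review bot: in the src_install hunk of clang-common-16.0.0.9999.ebuild (and the same hunk in the other ebuilds), `-fPIE` in gentoo-hardened.cfg only selects PIE code generation; the clang driver decides whether to pass `-pie` to the linker from `-pie`/`-no-pie` on the command line or from its built-in PIE default, not from `-fPIE`. So with the cfg alone, objects are compiled as PIE but an executable is only linked as PIE while clang's USE=pie default remains on. If the intent is to eventually move that default out of the clang build and into the config file, `-pie` would need to be added here as well (the driver already ignores `-pie` for `-shared`, `-static` and `-r` links, so it is safe in a shared cfg).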
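Review bot: the last hunk of clang-common-15.0.6-r1.ebuild (`@@ -97,12 +130,6 @@`) drops `-Werror=deprecated-non-prototype` and the commented `#-Werror=strict-prototypes` from gentoo-stricter.cfg; because this ebuild is produced as a copy of clang-common-16.0.0.9999.ebuild (75% similarity) rather than of the existing 15.0.6 ebuild, the diff shows differences against 16 and hides what actually changed relative to 15.0.6. Please confirm the resulting stricter set is exactly what 15.0.6 (without -r1) installs, so that the only user-visible change in the revbump is the new hardened cfg; if `-Werror=deprecated-non-prototype` was present in 15.0.6, its removal should be mentioned in the commit message.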
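Review bot: the KEYWORDS hunk of clang-common-15.0.6-r1.ebuild exposes the new cfg on `~arm`, `~riscv`, `~sparc` and the macOS keywords straight away, yet gentoo-hardened.cfg applies `-fstack-clash-protection` and the `_FORTIFY_SOURCE` header to every target and a single cfg cannot vary by triple. Worth checking before keywording: that clang 15 on those arches accepts `-fstack-clash-protection` silently where the backend does not implement it (if the driver warns that the option is unsupported for the target, every compile will print it), and that `_FORTIFY_SOURCE=3` under USE=hardened is honoured by the installed libc's headers there, since `fortify.h` defines it regardless of which libc is present.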