It was an interesting page; I haven't read it before. Btw the name 
CPPFLAGS could be confusing at first: "CPP" stands for C PreProcessor, 
not "C Plus Plus". So it applies to both C and C++ code.

regards,
Anders Widell

2013-12-13 11:34, Mathivanan Naickan Palanivelu skrev:
> Ack.
> I was going through this link to review this patch.
> http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
> It might be of interest to you too.
> Basically, I wanted to figure out whether CPP_FLAGS should be passed to 
> AM_CPP FLAGS or
> to AM_CXX FLAGS.
> - Mathi.
>
>> -----Original Message-----
>> From: Anders Widell [mailto:anders.wid...@ericsson.com]
>> Sent: Monday, December 09, 2013 5:15 PM
>> To: Mathivanan Naickan Palanivelu
>> Cc: opensaf-devel@lists.sourceforge.net
>> Subject: [PATCH 1 of 1] build: Add extra GCC hardening compilation flags
>> [#650]
>>
>>   00-README.conf               |   2 +-
>>   Makefile.common              |   4 ++--
>>   README                       |  16 ++++++++++++----
>>   configure.ac                 |  18 ++++++++++++++++++
>>   tools/cluster_sim_uml/README |   2 +-
>>   5 files changed, 34 insertions(+), 8 deletions(-)
>>
>>
>> By default, build with the extra hardening flags "-D_FORTIFY_SOURCE=2
>> -fstack-protector" for improved security and enhanced run-time error
>> detection. The flags can be overridden by setting the environment variable
>> OSAF_HARDEN_FLAGS when building OpenSAF.
>>
>> Note that -D_FORTIFY_SOURCE=2 is only enabled in optimized builds. To
>> reduce the
>> risk that a user accidentally builds without optimization by overriding the
>> default CFLAGS and/or CXXFLAGS, the README files have been updated to
>> recommend
>> passing preprocessor definitions using CPPFLAGS instead of CFLAGS.
>>
>> diff --git a/00-README.conf b/00-README.conf
>> --- a/00-README.conf
>> +++ b/00-README.conf
>> @@ -85,7 +85,7 @@ file does not have to be changed unless:
>>   - OpenSAF should run as a different UNIX group and user than the default
>> 'opensaf'
>>     group/user.
>>
>> -    If OpenSAF was built with the flags "CFLAGS=-DRUNASROOT", then
>> +    If OpenSAF was built with the flags "CPPFLAGS=-DRUNASROOT",
>> then
>>      change OPENSAF_GROUP and OPENSAF_USER to root i.e. for old
>> (<4.2) behaviour.
>>
>>      For any other user, change OPENSAF_GROUP and OPENSAF_USER
>> accordingly
>> diff --git a/Makefile.common b/Makefile.common
>> --- a/Makefile.common
>> +++ b/Makefile.common
>> @@ -12,8 +12,8 @@ AM_CPPFLAGS = \
>>      $(CORE_INCLUDES) \
>>      $(all_includes)
>>
>> -AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC
>> -AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -
>> D__STDC_FORMAT_MACROS
>> +AM_CFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC
>> @OSAF_HARDEN_FLAGS@
>> +AM_CXXFLAGS = -Wall -fno-strict-aliasing -Werror -fPIC -
>> D__STDC_FORMAT_MACROS @OSAF_HARDEN_FLAGS@
>>   AM_LDFLAGS = -ldl -lrt -lpthread
>>
>>   #
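
Review bot: @OSAF_HARDEN_FLAGS@ is appended to AM_CFLAGS and AM_CXXFLAGS, but its default value contains -D_FORTIFY_SOURCE=2, which is a preprocessor definition. That is at odds with the commit message's own recommendation to pass definitions through CPPFLAGS. Consider splitting the substitution so the -D part goes into AM_CPPFLAGS and only -fstack-protector stays here. Also, in Automake a per-target foo_CFLAGS or foo_CXXFLAGS replaces AM_CFLAGS/AM_CXXFLAGS, so any target that sets its own needs @OSAF_HARDEN_FLAGS@ added explicitly or it is built without the hardening flags.
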
>> diff --git a/README b/README
>> --- a/README
>> +++ b/README
>> @@ -293,7 +293,7 @@ 1.1.1, 1.1.2 etc.
>>   To re-enable the old (pre 4.3) non flat addressing, configure the constant
>>   MDS_USE_SUBSLOT_ID=1 at configure time as in:
>>
>> -    % ./configure CFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
>> +    % ./configure CPPFLAGS="-DMDS_USE_SUBSLOT_ID=1 ..."
>>
>>   In the non flat scheme, the slot ID is shifted up 4 bits and subslot ID is
>>   added in the 4 LSB. The consequence of this is reduced number of
>> @@ -308,7 +308,7 @@ 2) Run as root (optional)
>>   If the old (<4.2) behaviour of running all processes as root is desired, 
>> use
>>   the following configure command:
>>
>> -    % ./configure CFLAGS=-DRUNASROOT
>> +    % ./configure CPPFLAGS=-DRUNASROOT
>>
>>
>>   3) Configure TIPC importance (optional)
>> @@ -317,13 +317,21 @@ The default TIPC importance is LOW for a
>>   In some cases the default importance must be changed if e.g. an application
>> starves the LOW importance communication level.
>>   To change the default importance, use the following configure command
>>
>> -   % ./configure CFLAGS=-DTIPCIMPORTANCE=level
>> +   % ./configure CPPFLAGS=-DTIPCIMPORTANCE=level
>>      where level is any of TIPC_LOW_IMPORTANCE,
>> TIPC_MEDIUM_IMPORTANCE or TIPC_HIGH_IMPORTANCE
>> -   e.g. configure CFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
>> +   e.g. configure CPPFLAGS=-DTIPCIMPORTANCE=TIPC_HIGH_IMPORTANCE
>>
>>   Note: Giving same importance to AVND & all other Opensaf models is not
>> preferred option. The behavior is unsupported.
>>
>>
>> +4) Configure GCC hardening options (optional)
>> +
>> +By default, the options "-fstack-protector -D_FORTIFY_SOURCE=2" are
>> passed to
>> +GCC for improved security. You can override these options by setting the
>> +OSAF_HARDEN_FLAGS when configuring OpenSAF. For example:
>> +
>> +   % ./configure OSAF_HARDEN_FLAGS="-fstack-protector-all -
>> D_FORTIFY_SOURCE=2"
>> +
>>   If you are using a released archive (dist tarball) follow the simple common
>>   steps:
>>
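
Review bot: The new section 4 states that "-fstack-protector -D_FORTIFY_SOURCE=2" is passed by default, but the configure.ac change in this patch only adds -D_FORTIFY_SOURCE=2 when -O is present in both CFLAGS and CXXFLAGS and -O0 is absent. The text should say so, and should mention that a user-supplied OSAF_HARDEN_FLAGS is used as given, without the optimization check, although the configure.ac comment notes that _FORTIFY_SOURCE requires optimization. Minor: "setting the OSAF_HARDEN_FLAGS" is missing the word "variable".
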
>> diff --git a/configure.ac b/configure.ac
>> --- a/configure.ac
>> +++ b/configure.ac
>> @@ -545,6 +545,22 @@ if test "$enable_imm_pbe" = yes; then
>>      PKG_CHECK_MODULES([SQLITE3], [sqlite3])
>>   fi
>>
>> +if test -z "$OSAF_HARDEN_FLAGS"; then
>> +    # _FORTIFY_SOURCE requires optimization, so only enable it in
>> optimized
>> +    # builds, i.e. when -O is present in both CFLAGS and CXXFLAGS.
>> +    if echo "${CFLAGS}" | grep -q -- -O; then
>> +            if echo "${CXXFLAGS}" | grep -q -- -O; then
>> +                    OSAF_HARDEN_FLAGS="-D_FORTIFY_SOURCE=2"
>> +            fi
>> +    fi
>> +    # Also check for -O0 (which explicitly disables optimisation)
>> +    if echo "${CFLAGS} ${CXXFLAGS}" | grep -q -- -O0; then
>> +            OSAF_HARDEN_FLAGS=""
>> +    fi
>> +    OSAF_HARDEN_FLAGS="${OSAF_HARDEN_FLAGS} -fstack-
>> protector"
>> +fi
>> +AC_SUBST(OSAF_HARDEN_FLAGS)
>> +
>>   #############################################
>>   # Checks for header files.
>>   #############################################
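
Review bot: The test -z "$OSAF_HARDEN_FLAGS" guard on the first added line treats an empty value the same as an unset one, so ./configure OSAF_HARDEN_FLAGS="" cannot switch the hardening off; testing "${OSAF_HARDEN_FLAGS+set}" instead would let an explicit empty value through. The grep -q -- -O checks match any substring, so a path or macro name that happens to contain "-O" counts as optimization, and the -O0 test clears the flags even when a later option overrides it (for example CFLAGS="-O0 -O2"). -fstack-protector is also added without probing whether the compiler accepts it; a compile check before appending it would keep configure usable with compilers that lack the option.
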
>> @@ -925,8 +941,10 @@ echo ""
>>   echo " Compiling Options:"
>>   echo "${ECHO_T}  C Compiler: ${CC}"
>>   echo "${ECHO_T}  C++ Compiler: ${CXX}"
>> +echo "${ECHO_T}  CPPFLAGS: ${CPPFLAGS} ${AM_CPPFLAGS}"
>>   echo "${ECHO_T}  CFLAGS: ${CFLAGS} ${AM_CFLAGS}"
>>   echo "${ECHO_T}  CXXFLAGS: ${CXXFLAGS} ${AM_CXXFLAGS}"
>> +echo "${ECHO_T}  OSAF_HARDEN_FLAGS: ${OSAF_HARDEN_FLAGS}"
>>   echo "${ECHO_T}  LDFLAGS: ${LDFLAGS}"
>>   echo "${ECHO_T}  Enable RPATH: ${enable_rpath}"
>>
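
Review bot: The added CPPFLAGS summary line prints ${AM_CPPFLAGS}, but in this patch AM_CPPFLAGS is assigned in Makefile.common, so unless configure.ac sets it elsewhere that part is empty at configure time and the summary will not show the include flags actually used. The same applies to the hardening flags: they appear on the new OSAF_HARDEN_FLAGS line but not on the CFLAGS/CXXFLAGS lines they end up in. Consider labelling the summary as user-supplied flags, or printing the effective flags including OSAF_HARDEN_FLAGS.
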
>> diff --git a/tools/cluster_sim_uml/README
>> b/tools/cluster_sim_uml/README
>> --- a/tools/cluster_sim_uml/README
>> +++ b/tools/cluster_sim_uml/README
>> @@ -77,7 +77,7 @@ When the UML root file system is generat
>>   DESTDIR set to the UML root file system. Make sure you have a default
>>   configured Opensaf like this:
>>
>> -$ ./configure CFLAGS=-DRUNASROOT
>> +$ ./configure CPPFLAGS=-DRUNASROOT
>>
>>   - Execute './build_uml'.
>>


_______________________________________________
Opensaf-devel mailing list
Opensaf-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensaf-devel
