make hardening flags optional, but enable for CI

2025-09-22 11:22:18 -04:00 · 2023-04-28 12:32:54 +02:00 · 2023-04-28 12:32:54 +02:00 · 1110d0c1f1
commit 1110d0c1f1
parent 5eaf9d1568
2 changed files with 8 additions and 7 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@ -35,7 +35,7 @@ jobs:
      - name: Configure
        env:
          CC: ${{ matrix.compiler }}
-        run: cmake -B build -G "Ninja" -DENABLE_WERROR=ON
+        run: cmake -B build -G "Ninja" -DENABLE_WERROR=ON -DENABLE_HARDENING=ON

      - name: Build
        run: cmake --build build
--- a/cmake/WoofSettings.cmake
+++ b/cmake/WoofSettings.cmake
@ -44,12 +44,6 @@ _checked_add_compile_option(-Wnull-dereference)
 _checked_add_compile_option(-Wredundant-decls)
 _checked_add_compile_option(-Wrestrict)

-# Hardening flags (from dpkg-buildflags)
-
-_checked_add_compile_option(-fstack-protector-strong)
-_checked_add_compile_option(-D_FORTIFY_SOURCE=2)
-_checked_add_link_option(-Wl,-z,relro)
-
 if(MSVC)
    # Silence the usual warnings for POSIX and standard C functions.
    list(APPEND COMMON_COMPILE_OPTIONS "/D_CRT_NONSTDC_NO_DEPRECATE")
@ -93,6 +87,13 @@ if(ENABLE_ASAN)
    _checked_add_link_option(-fsanitize=address)
 endif()

+option(ENABLE_HARDENING "Enable hardening flags" OFF)
+if(ENABLE_HARDENING)
+    _checked_add_compile_option(-fstack-protector-strong)
+    _checked_add_compile_option(-D_FORTIFY_SOURCE=2)
+    _checked_add_link_option(-Wl,-z,relro)
+endif()
+
 if(${FORCE_COLORED_OUTPUT})
    _checked_add_compile_option(-fdiagnostics-color=always F_DIAG_COLOR)
    if (NOT F_DIAG_COLOR)