Add required compiler and linker flags to meet sequrity requirements. (#666)

* Add required compiler and linker flags to meet sequrity requirements. * Update compiler and linker flags for building python wrapper.

Add required compiler and linker flags to meet sequrity requirements. (#666)
* Add required compiler and linker flags to meet sequrity requirements. * Update compiler and linker flags for building python wrapper.
54e3b619 · Sang Ik Lee · Scott Cyphers · 3b981907 · 54e3b619 · 54e3b619
Commit 54e3b619 authored Mar 16, 2018 by Sang Ik Lee Committed by Scott Cyphers Mar 16, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 26 additions and 5 deletions

setup.py python/setup.py +15 -4

setup.py.in python/setup.py.in +11 -1

No files found.
--- a/python/setup.py
+++ b/python/setup.py
@@ -209,21 +209,32 @@ ext_modules = [Extension(
 class BuildExt(build_ext):
-    """A custom build extension for adding compiler-specific options."""
+    """
+    A custom build extension for adding compiler-specific options.
+    """
    def build_extensions(self):
+        ct = self.compiler.compiler_type
        for ext in self.extensions:
            ext.extra_compile_args += [cpp_flag(self.compiler)]
-            ext.extra_compile_args += ['-w']
+            if has_flag(self.compiler, '-fstack-protector-strong'):
+                ext.extra_compile_args += ['-fstack-protector-strong']
+            else:
+                ext.extra_compile_args += ['-fstack-protector']
            if has_flag(self.compiler, '-frtti'):
                ext.extra_compile_args += ['-frtti']
            if sys.platform == 'darwin':
                ext.extra_compile_args += ['-stdlib=libc++', '-mmacosx-version-min=10.7']
-                ext.extra_link_args += ['-Wl,-rpath,@loader_path/../..']
+                ext.extra_link_args += ["-Wl,-rpath,@loader_path/../.."]
            else:
                if has_flag(self.compiler, '-fvisibility=hidden'):
                    ext.extra_compile_args += ['-fvisibility=hidden']
                ext.extra_link_args += ['-Wl,-rpath,$ORIGIN/../..']
+            if sys.platform != 'darwin':
+                ext.extra_link_args += ['-z', 'noexecstack']
+                ext.extra_link_args += ['-z', 'relro']
+                ext.extra_link_args += ['-z', 'now']
+            ext.extra_compile_args += ['-Wformat', '-Wformat-security']
+            ext.extra_compile_args += ['-O2', '-D_FORTIFY_SOURCE=2']
        build_ext.build_extensions(self)

--- a/python/setup.py.in
+++ b/python/setup.py.in
@@ -226,6 +226,10 @@ class BuildExt(build_ext):
        ct = self.compiler.compiler_type
        for ext in self.extensions:
            ext.extra_compile_args += [cpp_flag(self.compiler)]
+            if has_flag(self.compiler, '-fstack-protector-strong'):
+                ext.extra_compile_args += ['-fstack-protector-strong']
+            else:
+                ext.extra_compile_args += ['-fstack-protector']
            if has_flag(self.compiler, '-frtti'):
                ext.extra_compile_args += ['-frtti']
            if sys.platform == 'darwin':
@@ -234,7 +238,13 @@ class BuildExt(build_ext):
            else:
                if has_flag(self.compiler, '-fvisibility=hidden'):
                    ext.extra_compile_args += ['-fvisibility=hidden']
-                ext.extra_link_args += ["-Wl,-rpath,$ORIGIN/../.."]
+                ext.extra_link_args += ['-Wl,-rpath,$ORIGIN/../..']
+            if sys.platform != 'darwin':
+                ext.extra_link_args += ['-z', 'noexecstack']
+                ext.extra_link_args += ['-z', 'relro']
+                ext.extra_link_args += ['-z', 'now']
+            ext.extra_compile_args += ['-Wformat', '-Wformat-security']
+            ext.extra_compile_args += ['-O2', '-D_FORTIFY_SOURCE=2']
        build_ext.build_extensions(self)