[Git][NTPsec/ntpsec][master] waf: fix compile on macOS, still not right

Gary E. Miller gitlab at mg.gitlab.com
Mon Feb 13 23:20:39 UTC 2017


Gary E. Miller pushed to branch master at NTPsec / ntpsec


Commits:
ced66089 by Gary E. Miller at 2017-02-13T15:18:54-08:00
waf: fix compile on macOS, still not right

I can't seem to pass the linker flags.  clang not behaving as
documented.

- - - - -


1 changed file:

- wafhelpers/configure.py


Changes:

=====================================
wafhelpers/configure.py
=====================================
--- a/wafhelpers/configure.py
+++ b/wafhelpers/configure.py
@@ -203,15 +203,9 @@ def cmd_configure(ctx, config):
         ctx.define("DEBUG", 1, comment="Enable debug mode")
         ctx.env.BISONFLAGS += ["--debug"]
 
-    # -O1 will turn on -D_FORTIFY_SOURCE=2 for us
     ctx.env.CFLAGS += [
-        "-fPIE",
-        "-fstack-protector-all",
-        "-O1",
-        "-pie",
         "-Wall",
         "-Wextra",
-        "-Wl,-z,relro,-z,now",
         "-Wstrict-prototypes",
         ]
 
@@ -220,8 +214,48 @@ def cmd_configure(ctx, config):
     # it.
     if ctx.env.CC_NAME == "sun":
         ctx.env.CFLAGS += ["-std=c99"]
+    elif ctx.env.CC_NAME == "clang":
+        # used on macOS, FreeBSD,
+        # FORTIFY needs LTO to work well
+        ctx.env.CFLAGS += [
+                        "-fstack-protector-all",    # hardening
+                        "-std=gnu99",
+                        "-D_FORTIFY_SOURCE=2",      # hardening
+                        ]
+        if ctx.env.DEST_OS != "darwin":
+            # -flto breaks tests on macOS
+            ctx.env.CFLAGS += [
+                "-flto",                    # hardening, needed for sanitize
+                "-fsanitize=cfi",           # hardening
+                "-fsanitize=safe-stack",    # hardening
+                ]
+            ctx.env.LDFLAGS += [
+                    "-Wl,-z,now",    # hardening, no deferred symbol resolution
+                    "-Wl,-z,relro",  # hardening, marks some section read only,
+                    ]
+	    if ctx.options.disable_debug:
+		# not debugging
+		ctx.env.LDFLAGS += [
+			"-Wl,--strip-all",    # Strip binaries
+			]
     else:
-        ctx.env.CFLAGS += ["-std=gnu99"]
+        # -O1 will turn on -D_FORTIFY_SOURCE=2 for us
+        ctx.env.CFLAGS += [
+                        "-fPIE",                    # hardening
+                        "-fstack-protector-all",    # hardening
+                        "-O1",
+                        "-pie",                     # hardening
+                        "-std=gnu99"
+                        ]
+        ctx.env.LDFLAGS += [
+                "-Wl,-z,now",      # hardening, no deferred symbol resolution
+                "-Wl,-z,relro",    # hardening, marks some section read only,
+                ]
+	if ctx.options.disable_debug:
+            # not debugging
+            ctx.env.LDFLAGS += [
+                    "-Wl,-z,strip-all",    # Strip binaries
+                    ]
 
     # XXX: hack
     if ctx.env.DEST_OS in ["freebsd", "openbsd"]:
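Review bot: In the new `clang` branch, `-D_FORTIFY_SOURCE=2` is added without any `-O` level and `-fPIE`/`-pie` are no longer passed. Unless optimization and PIE are set somewhere outside this hunk, clang builds lose the fortified libc wrappers and position-independent executables that the removed common flags provided; consider adding `"-O1"` and `"-fPIE"` to that list and passing `-pie` at link time. The `else` branch spells the strip option `"-Wl,-z,strip-all"` while the clang branch uses `"-Wl,--strip-all"`; as far as I know `strip-all` is not a `-z` keyword, so the second spelling should be used in both places. The two `if ctx.options.disable_debug:` blocks are indented with tabs while the surrounding lines use spaces, which Python 3 rejects with a TabError and which makes it hard to see which branch the strip flag belongs to; re-indent them with spaces. `cmd_configure` starts and ends outside the hunk.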



View it on GitLab: https://gitlab.com/NTPsec/ntpsec/commit/ced66089c30089e8321d3ee68d91a4d71c068a85