Add hardening flags to linux targets

cpython-unix/build-cpython.sh

@@ -729,6 +729,10 @@ autoconf
 # 3.12 and earlier)
 CFLAGS_JIT="${CFLAGS}"
 
+# JIT stencils should not inherit target-wide stack hardening flags.
+CFLAGS_JIT="${CFLAGS_JIT//-fstack-protector-strong/}"
+CFLAGS_JIT="${CFLAGS_JIT//-fstack-clash-protection/}"
+
 # In 3.14+, the JIT compiler on x86-64 Linux uses a model that conflicts with `-fPIC`, so strip it
 # from the flags. See:
 # - https://github.com/python/cpython/issues/135690

cpython-unix/build.py

@@ -92,6 +92,14 @@ def add_target_env(env, build_platform, target_triple, build_env, build_options)
     extra_host_cflags = []
     extra_host_ldflags = []
 
+    if "debug" in build_options and "-linux-" in target_triple:
+        # Fortification requires optimization and is ineffective with debug's -O0.
+        extra_target_cflags = [
+            flag
+            for flag in extra_target_cflags
+            if flag not in {"-U_FORTIFY_SOURCE", "-D_FORTIFY_SOURCE=3"}
+        ]
+
     # Add compiler-rt for aarch64-musl to resolve missing builtins
     if target_triple == "aarch64-unknown-linux-musl":
         extra_target_cflags.append("--rtlib=compiler-rt")

cpython-unix/targets.yml

@@ -130,6 +130,11 @@ aarch64-unknown-linux-gnu:
   target_cc: clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     - '-fvisibility=hidden'
     # Enable frame pointers
     - '-fno-omit-frame-pointer'
@@ -139,6 +144,8 @@ aarch64-unknown-linux-gnu:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -185,9 +192,16 @@ armv7-unknown-linux-gnueabi:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/arm-linux-gnueabi-gcc
   target_cxx: /usr/bin/arm-linux-gnueabi-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -229,9 +243,16 @@ armv7-unknown-linux-gnueabihf:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/arm-linux-gnueabihf-gcc
   target_cxx: /usr/bin/arm-linux-gnueabihf-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -273,9 +294,16 @@ loongarch64-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/loongarch64-linux-gnu-gcc
   target_cxx: /usr/bin/loongarch64-linux-gnu-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
     - '-Wl,-z,max-page-size=0x10000'
   needs:
     - autoconf
@@ -318,9 +346,16 @@ mips-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/mips-linux-gnu-gcc
   target_cxx: /usr/bin/mips-linux-gnu-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -362,9 +397,16 @@ mipsel-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/mipsel-linux-gnu-gcc
   target_cxx: /usr/bin/mipsel-linux-gnu-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -406,9 +448,16 @@ ppc64le-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/powerpc64le-linux-gnu-gcc
   target_cxx: /usr/bin/powerpc64le-linux-gnu-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -450,9 +499,16 @@ riscv64-unknown-linux-gnu:
   host_cxx: /usr/bin/x86_64-linux-gnu-g++
   target_cc: /usr/bin/riscv64-linux-gnu-gcc
   target_cxx: /usr/bin/riscv64-linux-gnu-g++
+  target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -495,11 +551,17 @@ s390x-unknown-linux-gnu:
   target_cc: /usr/bin/s390x-linux-gnu-gcc
   target_cxx: /usr/bin/s390x-linux-gnu-g++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     # set the minimum compatibility level to z10 (released 2008)
     - '-march=z10'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -598,6 +660,11 @@ x86_64-unknown-linux-gnu:
   target_cc: clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     - '-fvisibility=hidden'
     # Enable frame pointers
     - '-fno-omit-frame-pointer'
@@ -607,6 +674,8 @@ x86_64-unknown-linux-gnu:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -650,6 +719,11 @@ x86_64_v2-unknown-linux-gnu:
   target_cc: clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     - '-march=x86-64-v2'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -660,6 +734,8 @@ x86_64_v2-unknown-linux-gnu:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -703,6 +779,11 @@ x86_64_v3-unknown-linux-gnu:
   target_cc: clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     - '-march=x86-64-v3'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -713,6 +794,8 @@ x86_64_v3-unknown-linux-gnu:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -756,6 +839,11 @@ x86_64_v4-unknown-linux-gnu:
   target_cc: clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
+    - '-U_FORTIFY_SOURCE'
+    - '-D_FORTIFY_SOURCE=3'
     - '-march=x86-64-v4'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -766,6 +854,8 @@ x86_64_v4-unknown-linux-gnu:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -809,13 +899,18 @@ x86_64-unknown-linux-musl:
   target_cc: musl-clang
   target_cxx: clang++  # TODO: Explore a musl-clang++ shim?
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
     - '-fvisibility=hidden'
     # Enable frame pointers
     - '-fno-omit-frame-pointer'
     - '-mno-omit-leaf-frame-pointer'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -859,6 +954,9 @@ x86_64_v2-unknown-linux-musl:
   target_cc: musl-clang
   target_cxx: clang++  # TODO: Explore a musl-clang++ shim?
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
     - '-march=x86-64-v2'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -867,6 +965,8 @@ x86_64_v2-unknown-linux-musl:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -910,6 +1010,9 @@ x86_64_v3-unknown-linux-musl:
   target_cc: musl-clang
   target_cxx: clang++  # TODO: Explore a musl-clang++ shim?
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
     - '-march=x86-64-v3'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -918,6 +1021,8 @@ x86_64_v3-unknown-linux-musl:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -961,6 +1066,9 @@ x86_64_v4-unknown-linux-musl:
   target_cc: musl-clang
   target_cxx: clang++  # TODO: Explore a musl-clang++ shim?
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
     - '-march=x86-64-v4'
     - '-fvisibility=hidden'
     # Enable frame pointers
@@ -969,6 +1077,8 @@ x86_64_v4-unknown-linux-musl:
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb
@@ -1016,13 +1126,18 @@ aarch64-unknown-linux-musl:
   target_cc: musl-clang
   target_cxx: clang++
   target_cflags:
+    # Hardening
+    - '-fstack-protector-strong'
+    - '-fstack-clash-protection'
     - '-fvisibility=hidden'
     # Enable frame pointers
     - '-fno-omit-frame-pointer'
     - '-mno-omit-leaf-frame-pointer'
   target_ldflags:
     # Hardening
     - '-Wl,-z,noexecstack'
+    - '-Wl,-z,relro'
+    - '-Wl,-z,now'
   needs:
     - autoconf
     - bdb