From 784c469575d5c75b24d0b3ee092331c7e1f7505e Mon Sep 17 00:00:00 2001
From: Theodore Ts'o
Date: Thu, 25 Apr 2024 13:23:55 -0400
Subject: configure: Use FORTIFY_SOURCE=3 when hardening is enabled

FORTIFY_SOURCE=3 provides much more robust checks for buffer overruns and other memory bugs[1]. It requires gcc 12 and glibc 2.34 which should be available on most modern distributions (which are the ones that use --enable-hardening).

[1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level

Signed-off-by: Theodore Ts'o
---
 configure | 4 ++--
 configure.ac | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/configure b/configure
index 2ffbc6076..866eca252 100755
--- a/configure
+++ b/configure
@@ -1596,7 +1596,7 @@ Optional Features: --enable-bsd-shlibs select BSD shared libraries --enable-profile build profiling libraries --enable-gcov build for coverage testing using gcov - --enable-hardening build for coverage testing using gcov + --enable-hardening build with hardening flags such as fortify --enable-jbd-debug enable journal debugging --enable-blkid-debug enable blkid debugging --disable-testio-debug disable the use of the test I/O manager for
@@ -5961,7 +5961,7 @@ if test ${enable_hardening+y} then : enableval=$enable_hardening; if test "$enableval" = "yes" then - HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong" + HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong" HARDEN_LDFLAGS="-Wl,-z,relro -Wl,-z,now" CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE" CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
diff --git a/configure.ac b/configure.ac
index e4a17b952..cc204031d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,10 +365,10 @@ CFLAGS_STLIB="${CFLAGS_STLIB:-$CFLAGS}"
 LDFLAGS_SHLIB=${LDFLAGS_SHLIB:-$LDFLAGS}
 LDFLAGS_STATIC=${LDFLAGS_STATIC:-$LDFLAGS}
 AC_ARG_ENABLE([hardening],
-AS_HELP_STRING([--enable-hardening],[build for coverage testing using gcov]),
+AS_HELP_STRING([--enable-hardening],[build with hardening flags such as fortify]),
 if test "$enableval" = "yes"
 then
- HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong"
+ HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong"
 HARDEN_LDFLAGS=["-Wl,-z,relro -Wl,-z,now"]
 CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE"
 CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
-- 
cgit 1.2.3-korg
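Review bot: The new `HARDEN_CFLAGS` assignment sets `-D_FORTIFY_SOURCE=3` without probing the toolchain, so a build with a compiler or glibc older than the gcc 12 / glibc 2.34 named in the commit message still reports hardening as enabled while, as far as I know, glibc falls back to level 2 (and to no fortification at all when CFLAGS carries no optimization level). Toolchains that already predefine `_FORTIFY_SOURCE` may also emit a redefinition warning, which matters for -Werror builds; undefining first avoids that: `HARDEN_CFLAGS="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong"`. A one-line comment above the assignment, e.g. `dnl level 3 needs gcc >= 12 and glibc >= 2.34; older toolchains fall back to level 2`, would keep the requirement visible in configure.ac rather than only in the commit message. The AC_ARG_ENABLE block continues past the end of this hunk, and the same assignment is repeated in the generated configure hunk.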