ruby.git/tool/m4/ruby_append_option.m4, branch v3_4_9 The Ruby Programming Language Extract hardening CFLAGS to a special $hardenflags variable 2024-06-11T10:48:55+00:00 KJ Tsanaktsidis kj@kjtsanaktsidis.id.au 2024-06-09T11:15:39+00:00 0ccb80d6bf57cd6e79ad622c024d3d0940ec6f3b This changes the automatic detection of -fstack-protector, -D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags instead of $XCFLAGS. The definition of $cflags is changed to "$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match. Furthermore, these flags are _prepended_ to $hardenflags, rather than appended. The implications of doing this are as follows: * If a CRuby builder specifies cflags="-mbranch-protection=foobar" at the ./configure script, and the configure script detects that -mbranch-protection=pac-ret is accepted, then GCC will be invoked as "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since the last flags take precedence, that means that user-supplied values of these flags in $cflags will take priority. * Likewise, if a CRuby builder explicitly specifies "hardenflags=-mbranch-protection=foobar", because we _prepend_ to $hardenflags in our autoconf script, we will still invoke GCC as "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". * If a CRuby builder specifies CFLAGS="..." at the configure line, automatic detection of hardening flags is ignored as before. * C extensions will _also_ be built with hardening flags now as well (this was not the case by default before because the detected flags went into $XCFLAGS). Additionally, as part of this work, I changed how the detection of PAC/BTI in Context.S works. Rather than appending the autodetected option to ASFLAGS, we simply compile a set of test programs with the actual CFLAGS in use to determine what PAC/BTI settings were actually chosen by the builder. Context.S is made aware of these choices through some custom macros. The result of this work is that: * Ruby will continue to choose some sensible defaults for hardening options for the C compiler * Distributors are able to specify CFLAGS that are consistent with their distribution and override these defaults * Context.S will react to whatever -mbranch-protection is actually in use, not what was autodetected * Extensions get built with hardening flags too. [Bug #20154] [Bug #20520] 
This changes the automatic detection of -fstack-protector,
-D_FORTIFY_SOURCE, and -mbranch-protection to write to $hardenflags
instead of $XCFLAGS. The definition of $cflags is changed to
"$hardenflags $orig_cflags $optflags $debugflags $warnflags" to match.

Furthermore, these flags are _prepended_ to $hardenflags, rather than
appended.

The implications of doing this are as follows:

* If a CRuby builder specifies cflags="-mbranch-protection=foobar" at
  the ./configure script, and the configure script detects that
  -mbranch-protection=pac-ret is accepted, then GCC will be invoked as
  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar". Since
  the last flags take precedence, that means that user-supplied values
  of these flags in $cflags will take priority.
* Likewise, if a CRuby builder explicitly specifies
  "hardenflags=-mbranch-protection=foobar", because we _prepend_ to
  $hardenflags in our autoconf script, we will still invoke GCC as
  "gcc -mbranch-protection=pac-ret -mbranch-protection=foobar".
* If a CRuby builder specifies CFLAGS="..." at the configure line,
  automatic detection of hardening flags is ignored as before.
* C extensions will _also_ be built with hardening flags now as well
  (this was not the case by default before because the detected flags
  went into $XCFLAGS).

Additionally, as part of this work, I changed how the detection of
PAC/BTI in Context.S works. Rather than appending the autodetected
option to ASFLAGS, we simply compile a set of test programs with the
actual CFLAGS in use to determine what PAC/BTI settings were actually
chosen by the builder. Context.S is made aware of these choices through
some custom macros.

The result of this work is that:

* Ruby will continue to choose some sensible defaults for hardening
  options for the C compiler
* Distributors are able to specify CFLAGS that are consistent with their
  distribution and override these defaults
* Context.S will react to whatever -mbranch-protection is actually in
  use, not what was autodetected
* Extensions get built with hardening flags too.

[Bug #20154]
[Bug #20520]
Remove comments in tool/m4 from the generated configure 2021-04-17T10:14:21+00:00 Nobuyoshi Nakada nobu@ruby-lang.org 2021-04-17T10:14:21+00:00 1f56238032482ab55db2a7cbf5c156b5ccc17526 






Emacs friendliness [ci skip]
2018-01-20T07:14:59+00:00

shyouhei
shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2018-01-20T07:14:59+00:00

583939602838ad9d39e8485df4c8a8e5f236b608

Just add comment by:
sed -i $'1i\\\n# -*- Autoconf -*-' tool/m4/*.m4

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61983 b2dd03c8-39d4-4d8f-98ff-823fe69b080e





Just add comment by:
sed -i $'1i\\\n# -*- Autoconf -*-' tool/m4/*.m4

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61983 b2dd03c8-39d4-4d8f-98ff-823fe69b080e







refactor split configure.ac into files
2018-01-20T07:05:25+00:00

shyouhei
shyouhei@b2dd03c8-39d4-4d8f-98ff-823fe69b080e

2018-01-20T07:05:25+00:00

0664a6377a7fc51e6d96d7b69361cc457e248b00

This does not (yet) change anything. The generated configure file
is the identical to previous one (except several empty lines added
and deleted).

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61981 b2dd03c8-39d4-4d8f-98ff-823fe69b080e





This does not (yet) change anything. The generated configure file
is the identical to previous one (except several empty lines added
and deleted).

git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@61981 b2dd03c8-39d4-4d8f-98ff-823fe69b080e