Merge pull request #33193 from DaanDeMeyer/fortify

mkosi: Disable FORTIFY_SOURCE when building without optimizations or with sanitizers
2024-10-01 13:55:20 +00:00 · 2024-06-04 13:38:00 +01:00 · 2024-06-04 13:38:00 +01:00 · 0af5114534
parent b1213ef738 d56cf40dd7
commit 0af5114534
5 changed files with 16 additions and 10 deletions
--- a/.github/workflows/mkosi.yml
+++ b/.github/workflows/mkosi.yml
@ -58,30 +58,37 @@ jobs:
            release: rolling
            sanitizers: ""
            llvm: 0
+            cflags: "-O2 -D_FORTIFY_SOURCE=3"
          - distro: debian
            release: testing
            sanitizers: ""
            llvm: 0
+            cflags: "-Og"
          - distro: ubuntu
            release: noble
            sanitizers: ""
            llvm: 0
+            cflags: "-Og"
          - distro: fedora
            release: "40"
            sanitizers: ""
            llvm: 0
+            cflags: "-Og"
          - distro: fedora
            release: rawhide
            sanitizers: address,undefined
            llvm: 1
+            cflags: "-Og"
          - distro: opensuse
            release: tumbleweed
            sanitizers: ""
            llvm: 0
+            cflags: "-Og"
          - distro: centos
            release: "9"
            sanitizers: ""
            llvm: 0
+            cflags: "-Og"

    steps:
    - uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29
@ -127,8 +134,7 @@ jobs:
        Environment=
                # Build debuginfo packages since we'll be publishing the packages as artifacts.
                WITH_DEBUG=1
-                # Enabling optimizations significantly speeds up integration tests.
-                OPTIMIZATION=g
+                CFLAGS="${{ matrix.cflags }}"
                SANITIZERS=${{ matrix.sanitizers }}
                MESON_OPTIONS=--werror
                LLVM=${{ matrix.llvm }}
--- a/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
+++ b/mkosi.images/system/mkosi.conf.d/10-arch/mkosi.build.chroot
@ -24,7 +24,7 @@ ln --symbolic . "pkg/$ID/src"
 # shellcheck source=/dev/null
 . /etc/makepkg.conf

-MKOSI_CFLAGS="-O${OPTIMIZATION:-0} -Wp,-U_FORTIFY_SOURCE"
+MKOSI_CFLAGS="-Wp,-U_FORTIFY_SOURCE"
 if ((LLVM)); then
    # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
    MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
@ -40,10 +40,10 @@ if ((WIPE)); then
    MKOSI_MESON_OPTIONS="$MKOSI_MESON_OPTIONS --wipe"
 fi

-# Override the default options. Disable FORTIFY_SOURCE because it doesn't work with O0. We specifically
-# disable "strip", "zipman" and "lto" as they slow down builds significantly. OPTIONS= cannot be overridden
-# on the makepkg command line so we append to /etc/makepkg.conf instead. The rootfs is overlaid with a
-# writable tmpfs during the build script so these changes don't end up in the image itself.
+# Override the default options. We specifically disable "strip", "zipman" and "lto" as they slow down builds
+# significantly. OPTIONS= cannot be overridden on the makepkg command line so we append to /etc/makepkg.conf
+# instead. The rootfs is overlaid with a writable tmpfs during the build script so these changes don't end up
+# in the image itself.
 tee --append /etc/makepkg.conf >/dev/null <<EOF
 export CC="$( ((LLVM)) && echo clang || echo gcc)"
 export CXX="$( ((LLVM)) && echo clang++ || echo g++)"
--- a/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
+++ b/mkosi.images/system/mkosi.conf.d/10-centos-fedora/mkosi.build.chroot
@ -47,7 +47,7 @@ COMMON_MACRO_OVERRIDES=(
 )

 # TODO: Drop -U_FORTIFY_SOURCE when we switch to CentOS Stream 10.
-MKOSI_CFLAGS="-O${OPTIMIZATION:-0} -Wp,-U_FORTIFY_SOURCE"
+MKOSI_CFLAGS="-Wp,-U_FORTIFY_SOURCE"
 if ((WITH_DEBUG)); then
    MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
 fi
--- a/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
+++ b/mkosi.images/system/mkosi.conf.d/10-debian-ubuntu/mkosi.build.chroot
@ -44,7 +44,7 @@ EOF
 cat debian/changelog >>debian/changelog.new
 mv debian/changelog.new debian/changelog

-MKOSI_CFLAGS="-O${OPTIMIZATION:-0}"
+MKOSI_CFLAGS=""
 if ((LLVM)); then
    # TODO: Remove -fno-sanitize-function when https://github.com/systemd/systemd/issues/29972 is fixed.
    MKOSI_CFLAGS="$MKOSI_CFLAGS -shared-libasan -fno-sanitize=function"
--- a/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
+++ b/mkosi.images/system/mkosi.conf.d/10-opensuse/mkosi.build.chroot
@ -42,7 +42,7 @@ DIST="$(rpm --eval %dist)"
 ARCH="$(rpm --eval %_arch)"
 SRCDEST="/usr/src/debug/systemd-$VERSION-${RELEASE}${DIST}.$ARCH"

-MKOSI_CFLAGS="-O${OPTIMIZATION:-0} -Wp,-U_FORTIFY_SOURCE"
+MKOSI_CFLAGS="-Wp,-U_FORTIFY_SOURCE"
 if ((WITH_DEBUG)); then
    MKOSI_CFLAGS="$MKOSI_CFLAGS -fdebug-prefix-map=../src=$SRCDEST"
 fi