From c236ae6575960189ac9d4245969aceef04acfffc Mon Sep 17 00:00:00 2001
From: Aqua-sama
Date: Fri, 24 Jan 2020 16:47:05 +0200
Subject: Move compiler flags to meson.build from pkgbuild
---
 linux/makepkg/PKGBUILD | 29 ++++++++++++++++-------------
 meson.build | 1 +
 2 files changed, 17 insertions(+), 13 deletions(-)
diff --git a/linux/makepkg/PKGBUILD b/linux/makepkg/PKGBUILD
index 07eb25d..6754fe8 100644
--- a/linux/makepkg/PKGBUILD
+++ b/linux/makepkg/PKGBUILD
@@ -1,13 +1,15 @@
-# Maintainer: Aqua-sama
+# Maintainer: Aqua-sama
-## not-use flags Options
+## not-use flags
 # Enable plugin signing:
 _signPlugins=0
 # Enable breakpad integraton:
 _enableBreakpad=0
 # test
 _test=1
+# install prefix
+_prefix='/usr/local'
 pkgname=smolbote-git
@@ -22,13 +24,17 @@ arch=('x86_64' 'aarch64')
 license=('GPL3')
 depends=('qt5-webengine>=5.11.0' 'spdlog')
+makedepends=('git' 'meson' 'python-kconfiglib' 'openssl' 'qt5-tools' 'scdoc')
 if [ $_enableBreakpad == "1" ]; then
- makedepends=('git' 'meson' 'python-kconfiglib' 'openssl' 'qt5-tools' 'scdoc' 'breakpad-git')
-else
- makedepends=('git' 'meson' 'python-kconfiglib' 'openssl' 'qt5-tools' 'scdoc')
+ makedepends+=('breakpad-git')
 fi
 optdepends=('firejail: launch a sandboxed instance')
+# this isn't a hard requirement, simply a workaround as the build script
+# sets some additional hardening flags that the default makepkg.conf
+# will turn down
+options=(!buildflags)
+
 # use git+file:///path/to/your/repo to build from a local repo
 source=("git+https://library.iserlohn-fortress.net/aqua/smolbote.git"
 "git+https://github.com/itay-grudev/SingleApplication.git"
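Review bot: `options=(!buildflags)` in the second PKGBUILD hunk discards every flag makepkg.conf would export, not only the ones that conflict with the project's own hardening flags. On a stock Arch makepkg.conf that includes `-D_FORTIFY_SOURCE=2` in CPPFLAGS and `-Wl,-z,relro,-z,now` in LDFLAGS, so the package loses fortified libc calls and full RELRO unless meson.build supplies them. The meson.build hunk in this commit shows only compiler arguments, so whether link-time hardening is set elsewhere cannot be confirmed from here. I would extend the comment to name what is dropped and where it is restored, e.g. `# also drops makepkg's CPPFLAGS/LDFLAGS: _FORTIFY_SOURCE and -z relro/-z now must come from meson.build`.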
@@ -71,11 +77,8 @@ build() {
 # --auto-features=disabled - features should be explicitly enabled
 # b_pie: Build executables as position independent
 # b_lto: Use link time optimization
- export CFLAGS="$CFLAGS -O3 -fstack-protector-all -flto=4"
- export CXXFLAGS="$CXXFLAGS -O3 -fstack-protector-all -flto=4"
- export LDFLAGS="$LDFLAGS,-fuse-ld=gold"
- meson --buildtype=plain --wrap-mode=nodownload \
- --prefix=/usr/local --auto-features=disabled \
+ meson --buildtype=release --wrap-mode=nodownload \
+ --prefix=$_prefix --auto-features=disabled \
 -Db_pie=true \
 -Dmanpage=enabled \
 $srcdir/build
@@ -100,7 +103,7 @@ package() {
 if [ $_signPlugins == "1" ]; then
 msg "Signing plugins"
- for so in $pkgdir/usr/local/lib/smolbote/plugins/*.so; do
+ for so in $pkgdir/$_prefix/lib/smolbote/plugins/*.so; do
 msg2 "Signed $(basename $so)"
 openssl dgst -sha256 -sign $srcdir/build/privateKey.pem -out $so.sig $so
 done
@@ -109,8 +112,8 @@ package() {
 if [ $_enableBreakpad == "1" ]; then
 msg "Installing debug symbols"
 ninja -C $srcdir/build linux/poi.sym
- install -dm644 $pkgdir/usr/local/lib/smolbote/symbols/poi/$(head -n1 linux/poi.sym | awk '{ print $(NF-1) }')
- install -m644 -t $pkgdir/usr/local/lib/smolbote/symbols/poi/$(head -n1 linux/poi.sym | awk '{ print $(NF-1) }') $srcdir/build/linux/poi.sym
+ install -dm644 $pkgdir/$_prefix/lib/smolbote/symbols/poi/$(head -n1 linux/poi.sym | awk '{ print $(NF-1) }')
+ install -m644 -t $pkgdir/$_prefix/lib/smolbote/symbols/poi/$(head -n1 linux/poi.sym | awk '{ print $(NF-1) }') $srcdir/build/linux/poi.sym
 fi
 }
diff --git a/meson.build b/meson.build
index 5e50801..2e7ec72 100644
--- a/meson.build
+++ b/meson.build
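Review bot: `--prefix=$_prefix` in the build() hunk expands a user-editable knob unquoted, so a value containing whitespace or a glob character is word-split before meson sees it; write `--prefix="$_prefix"`. The same applies to the new `$pkgdir/$_prefix/...` paths in the two package() hunks, where `$pkgdir` may itself contain spaces, e.g. `for so in "$pkgdir$_prefix"/lib/smolbote/plugins/*.so; do`. Because `_prefix` is absolute, dropping the extra `/` also avoids the doubled slash. build() starts and ends outside its hunk.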
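Review bot: `install -dm644` in the last package() hunk creates the symbols directory with mode 0644, without the search bit, so non-root users cannot open the `poi.sym` file installed into it by the following line. The new line carries this over unchanged from the old one; it should read `install -dm755 ...`. The directory name is also derived from `head -n1 linux/poi.sym`, a path relative to the current directory, while the file installed is `$srcdir/build/linux/poi.sym`. Unless package() runs from `$srcdir/build` these may not be the same file, so using `$srcdir/build/linux/poi.sym` in both command substitutions would be safer. package() starts outside this hunk.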
@@ -31,6 +31,7 @@ add_project_arguments(cxx.get_supported_arguments([
 '-ffunction-sections', # Place each function into its own section, better ASLR but larger executables
 '-fstack-protector-all', # Emit code to check for buffer overflows on all functions
 '-fstack-clash-protection', # Emit code to check for stack clash attacks
+ '-flto=4',
 '-mspeculative-load-hardening', # Spectre v1 mitigation
--
cgit v1.2.1
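Review bot: `'-flto=4'` is the only entry in this list without a trailing comment, and because it passes through `cxx.get_supported_arguments` it is dropped without any message when the compiler rejects it. The numeric job-count form is GCC syntax, while the neighbouring `-mspeculative-load-hardening` is a clang flag, so on a clang build this line probably enables nothing. `add_project_arguments` also affects compilation only, whereas LTO normally needs the flag at link time as well. Meson's built-in option covers both compilers and both steps: pass `-Db_lto=true` on the meson command line (the PKGBUILD comment already mentions `b_lto`) or set `default_options: ['b_lto=true']` in `project()`. The argument list starts and ends outside this hunk.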