
Commit d4e7a84

authored
Merge pull request #4 from gms1/feature/hardening
2 parents 859747d + d76c462 commit d4e7a84


1 file changed

+46
-2
lines changed


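--- a/binding.gyp
+++ b/binding.gyp
@@ -11,6 +11,7 @@
 "xcode_settings": {
 "CLANG_CXX_LIBRARY": "libc++",
 "MACOSX_DEPLOYMENT_TARGET": "10.7",
+"OTHER_CFLAGS": [ "-fstack-protector-strong" ]
 },
 "include_dirs": [
 "<!@(node -p \"require('node-addon-api').include\")"],
@@ -39,15 +40,58 @@
 "deps/sqlite3.gyp:sqlite3"
 ]
 }
-]
+],
+# Linux hardening flags (apply to all builds)
+["OS=='linux'", {
+"cflags+": [
+"-fstack-protector-strong",
+"-fPIC"
+],
+"ldflags+": [ "-Wl,-z,relro,-z,now" ]
+}],
+# Windows hardening flags (apply to all builds)
+["OS=='win'", {
+"msvs_settings": {
+"VCCLCompilerTool": {
+"ExceptionHandling": 1,
+"BufferSecurityCheck": "true",
+"ControlFlowGuard": "Guard"
+},
+"VCLinkerTool": {
+"AdditionalOptions": [ "/DYNAMICBASE", "/NXCOMPAT" ]
+}
+}
+}]
 ],
 "sources": [
 "src/backup.cc",
 "src/database.cc",
 "src/node_sqlite3.cc",
 "src/statement.cc"
 ],
-"defines": [ "NAPI_VERSION=<(napi_build_version)" ]
+"defines": [ "NAPI_VERSION=<(napi_build_version)" ],
+# Release-specific hardening flags
+"configurations": {
+"Release": {
+"conditions": [
+# _FORTIFY_SOURCE applies to all Linux architectures
+["OS=='linux'", {
+"defines+": [ "_FORTIFY_SOURCE=2" ]
+}],
+# Control Flow Protection only for x86_64 (Intel CET)
+["OS=='linux' and target_arch=='x64'", {
+"cflags+": [ "-fcf-protection=full" ]
+}],
+["OS=='win'", {
+"msvs_settings": {
+"VCCLCompilerTool": {
+"AdditionalOptions": [ "/sdl" ]
+}
+}
+}]
+]
+}
+}
 }
 ]
 }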
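Review bot: The compile-time hardening added to this target's `conditions` and `configurations` (`-fstack-protector-strong`, `_FORTIFY_SOURCE=2`, `-fcf-protection=full`, `BufferSecurityCheck`, `/sdl`) covers only the four `src/*.cc` files. Gyp target settings do not propagate into dependencies, so the bundled `deps/sqlite3.gyp:sqlite3` C code is presumably still built without them, unless that file sets them itself; it is not touched by this commit. Only the link-time options (`-Wl,-z,relro,-z,now`, `/DYNAMICBASE`, `/NXCOMPAT`) apply to the whole final binary. Consider hoisting the compiler flags into a shared `.gypi` under `target_defaults` that both gyp files include, or repeating them in `deps/sqlite3.gyp`. At minimum add a comment such as `# Compile-time flags here cover src/*.cc only; deps/sqlite3.gyp needs the same set`. Separately, `-fcf-protection=full` is rejected by older GCC/Clang releases, so the x64 Release condition may break builds on older toolchains unless it is gated on compiler support.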
