cbuild: additional default hardening

Enable format-security by default in C and C++. These are compile
time only, but still useful diagnostics (and incorrect stuff will
now abort at build time).

While at it, add and enable var-init, which will zero-initialize
variables in C/C++ by default (should have minimal impact and
reduce potential attack surface, at the cost of hiding - but
also mitigating - some bugs).

Packaging.md

@@ -1717,6 +1717,8 @@ Currently the following options are always enabled by default:
 * `scp` Enables `-fstack-clash-protection` (`ppc64le`, `ppc64`, `ppc`, `x86_64`)
 * `int` Traps signed integer overflows and integer division by zero.
 * `pac` Enables AArch64 pointer authentication (`aarch64`).
+* `format` Format-security default errors for C and C++ (compile-time).
+* `var-init` Auto-zero initialization for variables (`-ftrivial-auto-var-init=zero`)
 
 Several others are available that are not on by default:
 

src/cbuild/core/profile.py

@@ -19,6 +19,9 @@
     "ssp": True,  # this should really be compiler default
     "scp": True,  # stack-clash-protection
     "int": True,  # ubsan integer hardening
+    # misc general hardening that you'll almost never want to disable
+    "format": True,  # format-security
+    "var-init": True, # trivial-auto-var-init=zero
     # options affecting enabled hardening types
     "cfi-genptr": False,  # loosen pointer type checks
     "cfi-icall": True,  # indirect call checks
@@ -119,6 +122,12 @@ def _get_hcflags(prof, tharden, opts, stage):
     hflags = []
     hard = _get_harden(prof, tharden, opts, stage)
 
+    if hard["format"]:
+        hflags += ["-Wformat", "-Werror=format-security"]
+
+    if hard["var-init"]:
+        hflags.append("-ftrivial-auto-var-init=zero")
+
     if not hard["pie"]:
         hflags.append("-fno-PIE")