cbuild: switch off default vis/cfi and adjust templates

CFI fails often enough and usually harmlessly enough that it
cannot be enabled out of box. However, it is still recommended
to explicitly enable it where possible.

Also, document the supported hardening options.

Packaging.md

@@ -1466,11 +1466,38 @@ Currently the following options are always enabled by default:
 
 * `pie` Position-independent executables.
 * `ssp` Enables `-fstack-protector-strong`.
-
-The following options are only enabled on targets where the toolchain
-supports it (currently `ppc64le`, `ppc64` and `x86_64`):
-
-* `scp` Enables `-fstack-clash-protection`.
+* `scp` Enables `-fstack-clash-protection` (`ppc64le`, `ppc64`, `ppc`, `x86_64`)
+* `int` Traps signed integer overflows, excess shift and integer division by zero.
+* `pac` Enables AArch64 pointer authentication (`aarch64`).
+
+Several others are available that are not on by default:
+
+* `vis` Build with `-fvisibility=hidden` in default flags.
+* `cfi` Enables Clang Control Flow Integrity (needs `vis`, `x86_64` and `aarch64`)
+* `sst` Enables Clang SafeStack (`x86_64`, `aarch64`)
+
+CFI has additional options that affect it:
+
+* `cfi-genptr` Relaxed pointer checks (disabled by default).
+* `cfi-icall` Indirect function call checking (enabled by default).
+
+Hardening options that are not supported on a platform are silently disabled,
+but their dependency relationships are always checked.
+
+CFI should be enabled where possible. Our current CFI is not cross-DSO, which
+means calls across shared library boundaries will not be checked, and the whole
+template needs building with hidden visibility. A lot of projects do not like
+being built with hidden visibility, and since Clang CFI is type-based, it is
+rather easy to encounter CFI violations, so it is not something that can just
+be enabled and expected to work. Careful testing should be done for each template
+that enables CFI.
+
+The `int` hardening option is enabled by default, but can likewise result in
+crashes in various programs/libraries. However, such crashes are always bugs
+in those programs/libraries. The best solution is to fix the issues and submit
+patches upstream, but in case of complicated bugs, it is okay to disable it in
+the template and put in a comment for later (with information on how to reproduce
+the crash).
 
 <a id="tools"></a>
 ### Tools and Tool Flags

contrib/atf-rk3399-bl31/template.py

@@ -11,7 +11,7 @@
 url = "https://developer.trustedfirmware.org/dashboard/view/6"
 source = f"https://git.trustedfirmware.org/TF-A/trusted-firmware-a.git/snapshot/trusted-firmware-a-{pkgver}.tar.gz"
 sha256 = "53422dc649153838e03820330ba17cb10afe3e330ecde0db11e4d5f1361a33e6"
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug"]
 

contrib/binutils-aarch64-none-elf/template.py

@@ -37,7 +37,6 @@
 url = "https://www.gnu.org/software/binutils"
 source = f"$(GNU_SITE)/binutils/binutils-{pkgver}.tar.xz"
 sha256 = "645c25f563b8adc0a81dbd6a41cffbf4d37083a382e02d5d3df4f65c09516d00"
-hardening = ["!vis"]
 # resistance is futile
 options = ["!check", "!lto"]
 

contrib/binutils-arm-none-eabi/template.py

@@ -37,7 +37,6 @@
 url = "https://www.gnu.org/software/binutils"
 source = f"$(GNU_SITE)/binutils/binutils-{pkgver}.tar.xz"
 sha256 = "645c25f563b8adc0a81dbd6a41cffbf4d37083a382e02d5d3df4f65c09516d00"
-hardening = ["!vis"]
 # resistance is futile
 options = ["!check", "!lto"]
 

contrib/binutils-riscv64-unknown-elf/template.py

@@ -37,7 +37,6 @@
 url = "https://www.gnu.org/software/binutils"
 source = f"$(GNU_SITE)/binutils/binutils-{pkgver}.tar.xz"
 sha256 = "645c25f563b8adc0a81dbd6a41cffbf4d37083a382e02d5d3df4f65c09516d00"
-hardening = ["!vis"]
 # resistance is futile
 options = ["!check", "!lto"]
 

contrib/crispy-doom/template.py

@@ -14,6 +14,7 @@
 url = "https://github.com/fabiangreffrath/crispy-doom"
 source = f"{url}/archive/{pkgname}-{pkgver}.tar.gz"
 sha256 = "7c5bb36393dec39b9732e53963dadd6bcc3bd193370c4ec5b1c0121df3b38faa"
+hardening = ["vis", "cfi"]
 
 def pre_configure(self):
     self.do("autoreconf", "-if")

contrib/dbus-glib/template.py

@@ -16,8 +16,6 @@
 url = "https://www.freedesktop.org/wiki/Software/DBusBindings"
 source = f"http://dbus.freedesktop.org/releases/{pkgname}/{pkgname}-{pkgver}.tar.gz"
 sha256 = "7d550dccdfcd286e33895501829ed971eeb65c614e73aadb4a08aeef719b143a"
-# unmarked api
-hardening = ["!vis"]
 options = ["!cross"]
 
 @subpackage("dbus-glib-devel")

contrib/efl/template.py

@@ -57,8 +57,8 @@
 url = "https://enlightenment.org"
 source = f"https://download.enlightenment.org/rel/libs/{pkgname}/{pkgname}-{pkgver}.tar.xz"
 sha256 = "d9f83aa0fd9334f44deeb4e4952dc0e5144683afac786feebce6030951617d15"
-# janky codebase
-hardening = ["!int", "!vis"]
+# FIXME int: janky codebase
+hardening = ["!int"]
 # some suites are in a bad shape
 options = ["!check"]
 

contrib/enlightenment/template.py

@@ -26,8 +26,8 @@
     "usr/lib/enlightenment/utils/enlightenment_system",
     "usr/lib/enlightenment/utils/enlightenment_sys",
 ]
-# janky codebase
-hardening = ["!int", "!vis"]
+# FIXME int: janky codebase
+hardening = ["!int"]
 
 def post_install(self):
     self.install_license("COPYING")

contrib/firefox-esr/template.py

@@ -42,8 +42,6 @@
     # firefox checks for it by calling --help
     "CBUILD_BYPASS_STRIP_WRAPPER": "1",
 }
-# cfi known not to work
-hardening = ["!vis", "!cfi"]
 options = ["!cross"]
 exec_wrappers = [
     ("/usr/bin/llvm-objdump", "objdump"),
@@ -99,7 +97,7 @@ def do_configure(self):
         "--target=" + self.profile().triplet,
         "--enable-linker=lld",
         "--enable-release",
-        "--enable-optimize=" + self.get_cflags(shell = True),
+        "--enable-optimize",
         "--disable-install-strip",
         "--disable-strip",
         # system libs

contrib/fish-shell/template.py

@@ -11,8 +11,8 @@
 url = "https://fishshell.com"
 source = f"https://github.com/fish-shell/{pkgname}/releases/download/{pkgver}/fish-{pkgver}.tar.xz"
 sha256 = "a6d45b3dc5a45dd31772e7f8dfdfecabc063986e8f67d60bd7ca60cc81db6928"
-# FIXME: test fail
-hardening = ["!int"]
+# FIXME int: test fail
+hardening = ["vis", "cfi", "!int"]
 
 def post_install(self):
     self.install_shell("/usr/bin/fish")

contrib/gcc-aarch64-none-elf/template.py

@@ -62,7 +62,7 @@
     "CXXFLAGS_FOR_TARGET": "-g -Os -ffunction-sections -fdata-sections",
 }
 nostrip_files = ["libgcc.a"]
-hardening = ["!pie", "!vis"]
+hardening = ["!pie"]
 # no tests to run
 options = ["!check", "!lto", "!cross", "!scanshlibs"]
 exec_wrappers = [

contrib/gcc-arm-none-eabi/template.py

@@ -64,7 +64,7 @@
     "CXXFLAGS_FOR_TARGET": "-g -Os -ffunction-sections -fdata-sections",
 }
 nostrip_files = ["libgcc.a"]
-hardening = ["!pie", "!vis"]
+hardening = ["!pie"]
 # no tests to run
 options = ["!check", "!lto", "!cross", "!scanshlibs"]
 exec_wrappers = [

contrib/gcc-riscv64-unknown-elf/template.py

@@ -62,7 +62,7 @@
     "CXXFLAGS_FOR_TARGET": "-g -Os -ffunction-sections -fdata-sections",
 }
 nostrip_files = ["libgcc.a"]
-hardening = ["!pie", "!vis"]
+hardening = ["!pie"]
 # no tests to run
 options = ["!check", "!lto", "!cross", "!scanshlibs"]
 exec_wrappers = [

contrib/libsasl/template.py

@@ -18,8 +18,6 @@
 url = "https://www.cyrusimap.org/sasl"
 source = f"https://github.com/cyrusimap/cyrus-sasl/releases/download/cyrus-sasl-{pkgver}/cyrus-sasl-{pkgver}.tar.gz"
 sha256 = "7ccfc6abd01ed67c1a0924b353e526f1b766b21f42d4562ee635a8ebfc5bb38c"
-# does not mark api visibility
-hardening = ["!vis"]
 options = ["!cross"]
 
 def pre_configure(self):

contrib/lua5.1-bitop/template.py

@@ -9,8 +9,6 @@
 url = "http://bitop.luajit.org"
 source = f"{url}/download/LuaBitOp-{pkgver}.tar.gz"
 sha256 = "1207c9293dcd52eb9dca6538d1b87352bd510f4e760938f5048433f7f272ce99"
-# lua uses explicit visibility
-hardening = ["!vis"]
 
 def do_install(self):
     self.install_license("README")

contrib/nodejs/template.py

@@ -24,8 +24,7 @@
 source = f"{url}/dist/v{pkgver}/node-v{pkgver}.tar.gz"
 sha256 = "ba8174dda00d5b90943f37c6a180a1d37c861d91e04a4cb38dc1c0c74981c186"
 debug_level = 1 # allow LTO build to not run out of mem
-# FIXME: fails to build
-hardening = ["!vis"]
+hardening = ["!cfi"] # TODO
 options = ["!cross"]
 
 def post_extract(self):

contrib/oniguruma/template.py

@@ -10,8 +10,6 @@
 url = "https://github.com/kkos/oniguruma"
 source = f"{url}/releases/download/v{pkgver}/onig-{pkgver}.tar.gz"
 sha256 = "28cd62c1464623c7910565fb1ccaaa0104b2fe8b12bcd646e81f73b47535213e"
-# unmarked api
-hardening = ["!vis"]
 
 def post_install(self):
     self.install_license("COPYING")

contrib/pcre/template.py

@@ -22,7 +22,6 @@
 url = "http://www.pcre.org"
 source = f"$(SOURCEFORGE_SITE)/{pkgname}/{pkgname}/{pkgver}/{pkgname}-{pkgver}.tar.bz2"
 sha256 = "4dae6fdcd2bb0bb6c37b5f97c33c2be954da743985369cddac3546e3218bffb8"
-hardening = ["!vis"]
 options = ["!cross"]
 
 match self.profile().arch:

contrib/pekwm/template.py

@@ -13,5 +13,6 @@
 url = "https://www.pekwm.se"
 source = f"https://github.com/pekdon/{pkgname}/archive/release-{pkgver}.tar.gz"
 sha256 = "62e858015e1a5a54bbddab202a1fb455c821bda62498e9cadfa1d00a5a2575c3"
+hardening = ["vis", "cfi"]
 # no test target
 options = ["!check"]

contrib/psmisc/template.py

@@ -13,6 +13,7 @@
 source = f"$(SOURCEFORGE_SITE)/{pkgname}/{pkgname}-{pkgver}.tar.xz"
 sha256 = "dc37ecc2f7e4a90a94956accc6e1c77adb71316b7c9cbd39b26738db0c3ae58b"
 tool_flags = {"LDFLAGS": ["-lgnu_getopt"], "CFLAGS": ["-Dgetopt_long_only=gnu_getopt_long_only"]}
+hardening = ["vis", "cfi"]
 
 def pre_check(self):
     # ERROR: global config file /builddir/psmisc-23.5/testsuite/global-conf.exp not found.

contrib/source-highlight/template.py

@@ -12,7 +12,6 @@
 url = "http://www.gnu.org/software/src-highlite"
 source = f"$(GNU_SITE)/src-highlite/{pkgname}-{pkgver}.tar.gz"
 sha256 = "3a7fd28378cb5416f8de2c9e77196ec915145d44e30ff4e0ee8beb3fe6211c91"
-hardening = ["!vis"]
 options = ["!cross"]
 
 # aarch64 libtool fix

contrib/terminology/template.py

@@ -10,6 +10,7 @@
 url = "https://enlightenment.org"
 source = f"http://download.enlightenment.org/rel/apps/{pkgname}/{pkgname}-{pkgver}.tar.xz"
 sha256 = "f8ced9584c2e9ae87452ce7425fd25b2d3e122c7489785d2917890215c6b5aa9"
+hardening = ["vis", "cfi"]
 
 def post_install(self):
     self.install_license("COPYING")

contrib/u-boot-imx8mq_reform2/template.py

@@ -8,7 +8,7 @@
 url = "https://source.mnt.re/reform/reform-boundary-uboot"
 source = f"https://repo.chimera-linux.org/distfiles/{pkgname}-{pkgver}.tar.gz"
 sha256 = "d8699b465c8d09549aee622e3a42d4101e765abfe4f3f0be54a45a3d878a152a"
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug"]
 

contrib/u-boot-pinebook-pro-rk3399/template.py

@@ -23,6 +23,6 @@
     "U_BOOT_TRIPLET": "aarch64-none-elf",
     "U_BOOT_TARGETS": "idbloader.img u-boot.itb",
 }
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug"]

contrib/u-boot-qemu-riscv64/template.py

@@ -16,6 +16,6 @@
     "U_BOOT_TRIPLET": "riscv64-unknown-elf",
     "U_BOOT_TARGETS": "u-boot",
 }
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug", "foreignelf"]

contrib/u-boot-qemu-riscv64_smode/template.py

@@ -16,6 +16,6 @@
     "U_BOOT_TRIPLET": "riscv64-unknown-elf",
     "U_BOOT_TARGETS": "u-boot",
 }
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug", "foreignelf"]

contrib/u-boot-qemu_arm64/template.py

@@ -16,6 +16,6 @@
     "U_BOOT_TRIPLET": "aarch64-none-elf",
     "U_BOOT_TARGETS": "u-boot",
 }
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug", "foreignelf"]

contrib/u-boot-sifive_unmatched/template.py

@@ -18,6 +18,6 @@
     "U_BOOT_TRIPLET": "riscv64-unknown-elf",
     "U_BOOT_TARGETS": "spl/u-boot-spl.bin u-boot.itb",
 }
-hardening = ["!vis", "!int"]
+hardening = ["!int"]
 # not relevant
 options = ["!strip", "!check", "!lto", "!debug", "foreignelf"]

contrib/zsh/template.py

@@ -34,8 +34,8 @@
 url = "https://www.zsh.org"
 source = f"{url}/pub/{pkgname}-{pkgver}.tar.xz"
 sha256 = "9b8d1ecedd5b5e81fbf1918e876752a7dd948e05c1a0dba10ab863842d45acd5"
-# FIXME test failures
-hardening = ["!vis", "!int"]
+# FIXME int: test failures
+hardening = ["!int"]
 
 def post_patch(self):
     self.rm("Completion/Linux/Command/_pkgtool")

main/abseil-cpp/template.py

@@ -11,7 +11,6 @@
 url = "https://abseil.io"
 source = f"https://github.com/abseil/{pkgname}/archive/refs/tags/{pkgver}.tar.gz"
 sha256 = "91ac87d30cc6d79f9ab974c51874a704de9c2647c40f6932597329a282217ba8"
-hardening = ["!vis"]
 # tests are not built, require gtest
 options = ["!check"]
 

main/accountsservice/template.py

@@ -17,8 +17,6 @@
 url = "https://www.freedesktop.org/wiki/Software/AccountsService"
 source = f"$(FREEDESKTOP_SITE)/{pkgname}/{pkgname}-{pkgver}.tar.xz"
 sha256 = "909997a76919fe7dc138a9a01cea70bd622d5a932dbc9fb13010113023a7a391"
-# glib
-hardening = ["!vis"]
 # does not like the dbusmock for some reason
 options = ["!cross", "!check"]
 

main/acl/template.py

@@ -15,7 +15,6 @@
 url = "https://savannah.nongnu.org/projects/acl"
 source = f"$(NONGNU_SITE)/acl/acl-{pkgver}.tar.gz"
 sha256 = "760c61c68901b37fdd5eefeeaf4c0c7a26bdfdd8ac747a1edff1ce0e243c11af"
-hardening = ["!vis"]
 # test suite makes assumptions about a GNU environment
 options = ["bootstrap", "!check"]
 

main/alsa-lib/template.py

@@ -21,7 +21,6 @@
 url = "https://www.alsa-project.org"
 source = f"{url}/files/pub/lib/{pkgname}-{pkgver}.tar.bz2"
 sha256 = "1ab01b74e33425ca99c2e36c0844fd6888273193bd898240fe8f93accbcbf347"
-hardening = ["!vis"]
 # tests require stuff we disable
 options = ["!check"]
 

main/apk-tools/template.py

@@ -15,7 +15,6 @@
 url = "http://git.alpinelinux.org/cgit/apk-tools"
 source = f"https://gitlab.alpinelinux.org/alpine/{pkgname}/-/archive/{_gitrev}.tar.gz"
 sha256 = "7c475aa40e71b82fba36a0ab8805f545fbf16983ef0a5b8b9968207e5466cfa8"
-hardening = ["!vis"]
 options = ["bootstrap"]
 
 if self.stage > 0:

main/argp-standalone/template.py

@@ -10,8 +10,6 @@
 source = f"{url}/archive/{pkgver}.tar.gz"
 sha256 = "879d76374424dce051b812f16f43c6d16de8dbaddd76002f83fd1b6e57d39e0b"
 tool_flags = {"CFLAGS": ["-fPIC"]}
-# explicit visibility
-hardening = ["!vis"]
 options = ["!lto", "!splitstatic"]
 
 def pre_configure(self):

main/at-spi2-core/template.py

@@ -16,8 +16,6 @@
 url = "https://gitlab.gnome.org/GNOME/at-spi2-core"
 source = f"$(GNOME_SITE)/{pkgname}/{pkgver[:-2]}/{pkgname}-{pkgver}.tar.xz"
 sha256 = "aa0c86c79f7a8d67bae49a5b7a5ab08430c608cffe6e33bf47a72f41ab03c3d0"
-# glib
-hardening = ["!vis"]
 # non-trivial dbus setup
 options = ["!check", "!cross"]
 

main/attr/template.py

@@ -15,7 +15,6 @@
 url = "http://savannah.nongnu.org/projects/attr"
 source = f"$(NONGNU_SITE)/attr/attr-{pkgver}.tar.gz"
 sha256 = "bae1c6949b258a0d68001367ce0c741cebdacdd3b62965d17e5eb23cd78adaf8"
-hardening = ["!vis"]
 options = ["bootstrap"]
 
 @subpackage("attr-devel")

main/avahi-ui-progs/template.py

@@ -50,7 +50,6 @@
 url = "https://github.com/lathiat/avahi"
 source = f"{url}/releases/download/v{pkgver}/avahi-{pkgver}.tar.gz"
 sha256 = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-hardening = ["!vis"]
 options = ["!cross"]
 
 def do_install(self):

main/avahi/template.py

@@ -45,7 +45,6 @@
 url = "https://github.com/lathiat/avahi"
 source = f"{url}/releases/download/v{pkgver}/{pkgname}-{pkgver}.tar.gz"
 sha256 = "060309d7a333d38d951bc27598c677af1796934dbd98e1024e7ad8de798fedda"
-hardening = ["!vis"]
 options = ["!cross"]
 
 system_users = ["_avahi:23"]

main/awk/template.py

@@ -9,6 +9,7 @@
 url = "https://github.com/onetrueawk/awk"
 source = f"https://github.com/onetrueawk/awk/archive/{_commit}.tar.gz"
 sha256 = "d84c93b6b8a7b8ae60866c3a5bbcf55ca415308b5a24544b62546f55453c25fe"
+hardening = ["vis", "cfi"]
 # test suite uses local tools that are not present
 options = ["bootstrap", "!check"]