X-Git-Url: https://tinc-vpn.org/git/browse?a=blobdiff_plain;f=meson.build;h=7354953d7514c48d237a261c2dcc3c6e6c2c4ddb;hb=38be602754aab531c47bc1b04e71952dfa8abcf5;hp=85d16122bee0af3abb797a65312e304f18b98fe9;hpb=2ded4a80352dfbbd17b35ae0eafcbdc62243d574;p=tinc

diff --git a/meson.build b/meson.build
index 85d16122..7354953d 100644
--- a/meson.build
+++ b/meson.build
@@ -20,6 +20,7 @@ opt_lz4 = get_option('lz4')
 opt_lzo = get_option('lzo')
 opt_miniupnpc = get_option('miniupnpc')
 opt_readline = get_option('readline')
+opt_sandbox = get_option('sandbox')
 opt_static = get_option('static')
 opt_systemd = get_option('systemd')
 opt_tests = get_option('tests')
@@ -50,6 +51,33 @@ endif
 cc_flags = [cc_defs]
 ld_flags = []
 
+if cc_name != 'msvc'
+  cc_flags += [
+    '-Wbad-function-cast',
+    '-Wduplicated-branches',
+    '-Wduplicated-cond',
+    '-Wformat-overflow=2',
+    '-Wformat-truncation=1', # 2 prints too much noise
+    '-Wformat=2',
+    '-Wlogical-op',
+    '-Wmissing-declarations',
+    '-Wmissing-noreturn',
+    '-Wmissing-prototypes',
+    '-Wno-embedded-directive',
+    '-Wold-style-definition',
+    '-Wredundant-decls',
+    '-Wreturn-type',
+    '-Wstrict-prototypes',
+    '-Wswitch-enum',
+    '-Wtrampolines', # may require executable stack which is disabled
+    '-Wvla', # VLAs are not supported by MSVC
+    '-Wwrite-strings',
+    '-fdiagnostics-show-option',
+    '-fno-strict-overflow',
+    '-fstrict-aliasing',
+  ]
+endif
+
 if opt_static.auto()
   static = os_name == 'windows'
 else
@@ -74,26 +102,15 @@ if opt_harden
   else
     cc_flags += [
       '-D_FORTIFY_SOURCE=2',
-      '-fwrapv',
-      '-fno-strict-overflow',
-      '-Wreturn-type',
-      '-Wold-style-definition',
-      '-Wmissing-declarations',
-      '-Wmissing-prototypes',
-      '-Wstrict-prototypes',
-      '-Wredundant-decls',
-      '-Wbad-function-cast',
-      '-Wwrite-strings',
-      '-fdiagnostics-show-option',
-      '-fstrict-aliasing',
-      '-Wmissing-noreturn',
+      '-fcf-protection=full',
+      '-fstack-protector-strong',
     ]
-    if cc_name == 'clang'
-      cc_flags += '-Qunused-arguments'
-    endif
-    ld_flags += ['-Wl,-z,relro', '-Wl,-z,now']
+    ld_flags += ['-Wl,-z,relro', '-Wl,-z,now', '-Wl,-z,noexecstack']
     if os_name == 'windows'
       ld_flags += ['-Wl,--dynamicbase', '-Wl,--nxcompat']
+    else
+      # https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90458
+      cc_flags += '-fstack-clash-protection'
     endif
   endif
 endif
@@ -148,3 +165,11 @@ run_target('lint', command: [
   python,
   '@SOURCE_ROOT@/lint.py',
 ])
+
+if meson_version.version_compare('>=0.53')
+  summary({
+    'prefix': prefix,
+    'sandbox': cdata.has('HAVE_SANDBOX'),
+    'watchdog': cdata.has('HAVE_WATCHDOG'),
+  }, bool_yn: true, section: 'System')
+endif