From ff0ba7becae3d5f5b1474ac4c80093711f6e9f6c Mon Sep 17 00:00:00 2001
From: Marc Auberer
Date: Sat, 5 Oct 2024 15:24:52 +0200
Subject: [PATCH] Remove security options and ensure security in CI (#666)
---
 .github/workflows/publish.yml | 6 +++++-
 Options.cmake | 18 ------------------
 2 files changed, 5 insertions(+), 19 deletions(-)
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 9f5d4ec94..a6fc11d64 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -92,7 +92,7 @@ jobs:
 sudo apt install gcc-aarch64-linux-gnu g++-aarch64-linux-gnu
 - name: Setup Dependencies
- run: sudo apt-get install ninja-build uuid-dev
+ run: sudo apt-get install ninja-build uuid-dev checksec jq
 - name: Setup CCache
 uses: hendrikmuhs/ccache-action@v1
@@ -137,6 +137,10 @@ jobs:
 mv ./src/spice spice
 chmod +x spice
+ - name: Run Checksec
+ working-directory: bin
+ run: checksec --file=./spice --output=json | jq
+
 - name: Upload artifact
 uses: actions/upload-artifact@v4
 with:
diff --git a/Options.cmake b/Options.cmake
index ad9c62c56..713830ddd 100644
--- a/Options.cmake
+++ b/Options.cmake
@@ -137,21 +137,3 @@ if (SPICE_OVERLOAD_NEW_DELETE)
 else ()
 message(STATUS "Spice: New and delete operators are not overloaded")
 endif ()
-
-# RELRO (relocation read-only) security hardening
-option(SPICE_RELRO "Enable relocation read-only (RELRO) hardening" ON)
-if (SPICE_RELRO)
- message(STATUS "Spice: RELRO hardening enabled (release build only)")
- set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -Wl,-z,relro,-z,now")
-else ()
- message(STATUS "Spice: RELRO hardening disabled")
-endif ()
-
-# Stack canary security hardening
-option(SPICE_STACK_PROTECTION "Enable stack canary security hardening" ON)
-if (SPICE_STACK_PROTECTION)
- message(STATUS "Spice: Stack canaries enabled (release build only)")
- set(CMAKE_CXX_FLAGS_RELEASE "${CMAKE_CXX_FLAGS_RELEASE} -fstack-protector")
-else ()
- message(STATUS "Spice: Stack canaries disabled")
-endif ()
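Review bot: The new `Run Checksec` step in the second publish.yml hunk only pretty-prints the report, so a binary built without full RELRO or a stack canary still passes and is uploaded as an artifact. This matters because the Options.cmake hunk of the same commit removes `-Wl,-z,relro,-z,now` and `-fstack-protector` from the release flags, leaving hardening to toolchain defaults or to build files not visible here. The step should assert the properties instead of displaying them, for example `run: checksec --file=./spice --output=json | jq -e '.[] | .relro == "full" and .canary == "yes"'`; the field names should be confirmed against the checksec version that apt installs. Unless the job or workflow sets `shell: bash` explicitly, the pipeline presumably runs without `pipefail`, so a failing `checksec` would be masked by the exit status of `jq`.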