From aefd67eb8af1821dc01e01db148d0dd60ec5197f Mon Sep 17 00:00:00 2001
From: Leonardo Grasso <me@leonardograsso.com>
Date: Wed, 7 Apr 2021 15:23:45 +0200
Subject: [PATCH] build: hardening flags

Signed-off-by: Leonardo Grasso <me@leonardograsso.com>
---
 CMakeLists.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8efa759f..528497ec 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -69,7 +69,13 @@ if(MUSL_OPTIMIZED_BUILD)
   set(MUSL_FLAGS "-static -Os")
 endif()
 
-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+# explicitly set hardening flags
+set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
+if(CMAKE_BUILD_TYPE STREQUAL "release")
+  set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+endif()
+
+set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
 
 if(BUILD_WARNINGS_AS_ERRORS)
   set(CMAKE_SUPPRESSED_WARNINGS