memory-monitor: Add security flags to build process.

Introduce a set of security-related compiler and linker flags. Updated Makefile to incorporate these security flags into the build process. These flags were selected as a subset of those used in another part of the product, improving the overall security posture without a specific reason for each individual flag. Signed-off-by: Nikolay Martyanov <[email protected]>
lf-edge · Jun 19, 2024 · 1ec9d0c · 1ec9d0c
1 parent 6298be8
commit 1ec9d0c
Showing 1 changed file with 10 additions and 2 deletions.
diff --git a/pkg/memory-monitor/Makefile b/pkg/memory-monitor/Makefile
@@ -2,7 +2,15 @@
 # SPDX-License-Identifier: Apache-2.0
 
 CC=gcc
-CFLAGS=-Wall -static -O2
+CFLAGS_SEC=-fstack-protector-strong \
+           -fstack-clash-protection \
+           -fPIE \
+           -D_FORTIFY_SOURCE=2
+LDFLAGS_SEC=-Wl,-z,relro \
+            -Wl,-z,now \
+            -Wl,-z,noexecstack
+CFLAGS=-Wall -g -static -O2 $(CFLAGS_SEC)
+LDFLAGS=$(LDFLAGS_SEC)
 SRC_DIR=src
 OBJ_DIR=obj
 DIST_DIR=dist
@@ -13,7 +21,7 @@ MONITOR_SRC=$(wildcard $(MONITOR_DIR)/*.c)
 MONITOR_OBJ=$(patsubst $(SRC_DIR)/%.c,$(OBJ_DIR)/%.o,$(MONITOR_SRC))
 $(BIN_DIR)/memory-monitor: $(MONITOR_OBJ)
 	@mkdir -p $(BIN_DIR)
-	$(CC) $(CFLAGS) -o $@ $^
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $^
 memory-monitor: $(BIN_DIR)/memory-monitor
 
 PRESSURE_DIR=$(SRC_DIR)/pressure