[openwrt/openwrt] build: Add _FORTIFY_SOURCE=3 support

LEDE Commits lede-commits at lists.infradead.org
Sat Oct 25 16:43:57 PDT 2025


hauke pushed a commit to openwrt/openwrt.git, branch main:
https://git.openwrt.org/93f86627c45a03c2c100e54f5ef006487af3e6e3

commit 93f86627c45a03c2c100e54f5ef006487af3e6e3
Author: Hauke Mehrtens <hauke at hauke-m.de>
AuthorDate: Sun Oct 5 23:30:17 2025 +0200

    build: Add _FORTIFY_SOURCE=3 support
    
    Add support for _FORTIFY_SOURCE level 3.
    
    This is supported with glibc and with musl libc.
    
    Link: https://github.com/openwrt/openwrt/pull/20313
    Signed-off-by: Hauke Mehrtens <hauke at hauke-m.de>
---
 config/Config-build.in    | 6 ++++--
 include/hardening.mk      | 5 +++++
 toolchain/glibc/common.mk | 1 +
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/config/Config-build.in b/config/Config-build.in
index 42b353ecf7..2d08f4ccd2 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -358,9 +358,11 @@ menu "Global build settings"
 		config PKG_FORTIFY_SOURCE_NONE
 			bool "None"
 		config PKG_FORTIFY_SOURCE_1
-			bool "Conservative"
+			bool "Conservative Level 1"
 		config PKG_FORTIFY_SOURCE_2
-			bool "Aggressive"
+			bool "Aggressive Level 2"
+		config PKG_FORTIFY_SOURCE_3
+			bool "Aggressive Level 3"
 	endchoice
 
 	choice
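Review bot: The prompts for levels 2 and 3 now differ only by the number ("Aggressive Level 2" against "Aggressive Level 3"), so someone choosing in menuconfig cannot tell what the extra level adds or costs. Level 3 extends the checks to buffers whose size is only known at run time, at some code-size and run-time cost, and the prompt could say so, for example `bool "Aggressive Level 3 (run-time object sizes)"`. The choice's own prompt and help text start above this hunk and are not visible here, so they may also need a sentence on the new level.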
diff --git a/include/hardening.mk b/include/hardening.mk
index 4a8874261b..a2be5eabd0 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -51,6 +51,11 @@ ifdef CONFIG_PKG_FORTIFY_SOURCE_2
     TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
   endif
 endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_3
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=3
+  endif
+endif
 ifdef CONFIG_PKG_RELRO_PARTIAL
   ifeq ($(strip $(PKG_RELRO)),1)
     TARGET_CFLAGS += -Wl,-z,relro
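Review bot: Nothing in the new `CONFIG_PKG_FORTIFY_SOURCE_3` block ties `-D_FORTIFY_SOURCE=3` to a compiler that implements it. As far as I know, glibc's headers treat level 3 as level 2 on compilers older than GCC 12 or Clang 9 and emit only a preprocessor warning, so an image could be built and labelled as level 3 while carrying level-2 checks. If the tree can still select such a compiler, the Kconfig entry should depend on the compiler version. Otherwise a comment above the block would record the assumption, for example `# level 3 relies on __builtin_dynamic_object_size (GCC >= 12); older compilers fall back to level 2`. How the musl fortify headers behave in that case is not visible from this diff and is worth confirming.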
diff --git a/toolchain/glibc/common.mk b/toolchain/glibc/common.mk
index 02906d34b2..25d5d66aca 100644
--- a/toolchain/glibc/common.mk
+++ b/toolchain/glibc/common.mk
@@ -68,6 +68,7 @@ GLIBC_CONFIGURE:= \
 		  $(if $(CONFIG_PKG_RELRO_FULL),--enable-bind-now) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_1),--enable-fortify-source=1) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_2),--enable-fortify-source=2) \
+		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_3),--enable-fortify-source=3) \
 		--enable-kernel=6.6.0
 
 export libc_cv_ssp=no



