build: Add _FORTIFY_SOURCE=3 support

Add support for _FORTIFY_SOURCE level 3. This is supported with glibc and with musl libc. Link: https://github.com/openwrt/openwrt/pull/20313 Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
2026-03-13 13:22:09 +01:00 · 2025-10-05 23:30:17 +02:00 · 2025-10-05 23:30:17 +02:00 · 93f86627c4
commit 93f86627c4
parent 6268692bd2
3 changed files with 10 additions and 2 deletions
--- a/config/Config-build.in
+++ b/config/Config-build.in
@ -358,9 +358,11 @@ menu "Global build settings"
 		config PKG_FORTIFY_SOURCE_NONE
 			bool "None"
 		config PKG_FORTIFY_SOURCE_1
-			bool "Conservative"
+			bool "Conservative Level 1"
 		config PKG_FORTIFY_SOURCE_2
-			bool "Aggressive"
+			bool "Aggressive Level 2"
+		config PKG_FORTIFY_SOURCE_3
+			bool "Aggressive Level 3"
 	endchoice

 	choice
--- a/include/hardening.mk
+++ b/include/hardening.mk
@ -51,6 +51,11 @@ ifdef CONFIG_PKG_FORTIFY_SOURCE_2
    TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
  endif
 endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_3
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=3
+  endif
+endif
 ifdef CONFIG_PKG_RELRO_PARTIAL
  ifeq ($(strip $(PKG_RELRO)),1)
    TARGET_CFLAGS += -Wl,-z,relro
--- a/toolchain/glibc/common.mk
+++ b/toolchain/glibc/common.mk
@ -68,6 +68,7 @@ GLIBC_CONFIGURE:= \
 		  $(if $(CONFIG_PKG_RELRO_FULL),--enable-bind-now) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_1),--enable-fortify-source=1) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_2),--enable-fortify-source=2) \
+		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_3),--enable-fortify-source=3) \
 		--enable-kernel=6.6.0

 export libc_cv_ssp=no