From e22b9eb7e499f61b85e50a0ad2261528ddf4e1eb Mon Sep 17 00:00:00 2001 From: Allen Wittenauer Date: Fri, 23 Jun 2017 11:39:37 -0700 Subject: [PATCH] YARN-6721. container-executor should have stack checking --- .../src/CMakeLists.txt | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) diff --git a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/CMakeLists.txt b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/CMakeLists.txt index 7f2b00d0e95..4ad7cfbb9d6 100644 --- a/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/CMakeLists.txt +++ b/hadoop-yarn-project/hadoop-yarn/hadoop-yarn-server/hadoop-yarn-server-nodemanager/src/CMakeLists.txt @@ -53,6 +53,42 @@ if(APPLE) set(EXTRA_LIBS ${COCOA_LIBRARY}) endif(APPLE) +include(CheckCCompilerFlag) + +# we are building setuid, better enable stack protection +IF(CMAKE_C_COMPILER_ID STREQUAL "GNU") + CHECK_C_COMPILER_FLAG("-fstack-check" STACKRESULT) + IF(STACKRESULT) + SET (CMAKE_C_FLAGS "-fstack-check ${CMAKE_C_FLAGS}") + ENDIF() +ELSEIF(CMAKE_C_COMPILER_ID STREQUAL "Clang" OR + CMAKE_C_COMPILER_ID STREQUAL "AppleClang") + + # clang is a bit difficult here: + # - some versions don't support the flag + # - some versions support the flag, despite not having + # the library that is actually required (!) + # Notably, Xcode is a problem here. + # In the end, this is needlessly complex. :( + + SET(PRE_SANITIZE ${CMAKE_REQUIRED_FLAGS}) + SET(CMAKE_REQUIRED_FLAGS "-fsanitize=safe-stack") + CHECK_C_COMPILER_FLAG("" STACKRESULT) + SET(CMAKE_REQUIRED_FLAGS ${PRE_SANITIZE}) + IF(STACKRESULT) + SET(CMAKE_C_FLAGS "-fsanitize=safe-stack ${CMAKE_C_FLAGS}") + ENDIF() +ELSEIF(CMAKE_C_COMPILER_ID STREQUAL "SunPro") + CHECK_C_COMPILER_FLAG("-xcheck-stkovf" STACKRESULT) + IF(STACKRESULT) + SET (CMAKE_C_FLAGS "-xcheck-stkovf ${CMAKE_C_FLAGS}") + ENDIF() +ENDIF() + +IF(NOT STACKRESULT) + MESSAGE(WARNING "Stack Clash security protection is not suported.") +ENDIF() + function(output_directory TGT DIR) set_target_properties(${TGT} PROPERTIES RUNTIME_OUTPUT_DIRECTORY "${CMAKE_BINARY_DIR}/${DIR}") -- 2.13.0