sys-devel/clang-common: add baseline hardening

Add new /etc/clang/gentoo-hardened.cfg which sets hardening
options:
* -fstack-clash-protection
* -fstack-protector-strong
* -fPIE (already set by USE=pie on Clang, but this moves it out, as upstream
  prefer the config method.)
* -D_FORTIFY_SOURCE=2

Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1
(analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3.

Bug: https://bugs.gentoo.org/851111
Signed-off-by: Sam James <sam@gentoo.org>

4 files changed, 394 insertions, 4 deletions

diff --git a/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
new file mode 100644
index 000000000000..7ec66f0dd663
--- /dev/null
+++ b/sys-devel/clang-common/clang-common-15.0.6-r1.ebuild
@@ -0,0 +1,159 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 llvm.org
+
+DESCRIPTION="Common files shared between multiple slots of clang"
+HOMEPAGE="https://llvm.org/"
+
+LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
+SLOT="0"
+KEYWORDS="~amd64 ~arm ~arm64 ~ppc ~ppc64 ~riscv ~sparc ~x86 ~amd64-linux ~ppc-macos ~x64-macos"
+IUSE="
+	default-compiler-rt default-libcxx default-lld llvm-libunwind
+	hardened stricter
+"
+
+PDEPEND="
+	sys-devel/clang:*
+	default-compiler-rt? (
+		sys-devel/clang-runtime[compiler-rt]
+		llvm-libunwind? ( sys-libs/llvm-libunwind )
+		!llvm-libunwind? ( sys-libs/libunwind )
+	)
+	!default-compiler-rt? ( sys-devel/gcc )
+	default-libcxx? ( >=sys-libs/libcxx-${PV} )
+	!default-libcxx? ( sys-devel/gcc )
+	default-lld? ( sys-devel/lld )
+	!default-lld? ( sys-devel/binutils )
+"
+IDEPEND="
+	!default-compiler-rt? ( sys-devel/gcc-config )
+	!default-libcxx? ( sys-devel/gcc-config )
+"
+
+LLVM_COMPONENTS=( clang/utils )
+llvm.org_set_globals
+
+pkg_pretend() {
+	[[ ${CLANG_IGNORE_DEFAULT_RUNTIMES} ]] && return
+
+	local flag missing_flags=()
+	for flag in default-{compiler-rt,libcxx,lld}; do
+		if ! use "${flag}" && has_version "sys-devel/clang[${flag}]"; then
+			missing_flags+=( "${flag}" )
+		fi
+	done
+
+	if [[ ${missing_flags[@]} ]]; then
+		eerror "It seems that you have the following flags set on sys-devel/clang:"
+		eerror
+		eerror "  ${missing_flags[*]}"
+		eerror
+		eerror "The default runtimes are now set via flags on sys-devel/clang-common."
+		eerror "The build is being aborted to prevent breakage.  Please either set"
+		eerror "the respective flags on this ebuild, e.g.:"
+		eerror
+		eerror "  sys-devel/clang-common ${missing_flags[*]}"
+		eerror
+		eerror "or build with CLANG_IGNORE_DEFAULT_RUNTIMES=1."
+		die "Mismatched defaults detected between sys-devel/clang and sys-devel/clang-common"
+	fi
+}
+
+src_install() {
+	newbashcomp bash-autocomplete.sh clang
+
+	insinto /etc/clang
+	newins - gentoo-runtimes.cfg <<-EOF
+		# This file is initially generated by sys-devel/clang-runtime.
+		# It is used to control the default runtimes using by clang.
+
+		--rtlib=$(usex default-compiler-rt compiler-rt libgcc)
+		--unwindlib=$(usex default-compiler-rt libunwind libgcc)
+		--stdlib=$(usex default-libcxx libc++ libstdc++)
+		-fuse-ld=$(usex default-lld lld bfd)
+	EOF
+
+	newins - gentoo-gcc-install.cfg <<-EOF
+		# This file is maintained by gcc-config.
+		# It is used to specify the selected GCC installation.
+	EOF
+
+	newins - gentoo-common.cfg <<-EOF
+		# This file contains flags common to clang, clang++ and clang-cpp.
+		@gentoo-runtimes.cfg
+		@gentoo-gcc-install.cfg
+		@gentoo-hardened.cfg
+	EOF
+
+	# Baseline hardening (bug #851111)
+	newins - gentoo-hardened.cfg <<-EOF
+		-fstack-clash-protection
+		-fstack-protector-strong
+		-fPIE
+		-include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+	EOF
+
+	dodir /usr/include/gentoo
+
+	local fortify_level=$(usex hardened 3 2)
+	# We have to do this because glibc's headers warn if F_S is set
+	# without optimization and that would at the very least be very noisy
+	# during builds and at worst trigger many -Werror builds.
+	cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+		#ifndef _FORTIFY_SOURCE
+			#if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+				#define _FORTIFY_SOURCE ${fortify_level}
+			#endif
+		#endif
+	EOF
+
+	if use hardened ; then
+		cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+			-D_GLIBCXX_ASSERTIONS
+
+			# Analogue to GLIBCXX_ASSERTIONS
+			# https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+			-D_LIBCPP_ENABLE_ASSERTIONS=1
+		EOF
+	fi
+
+	if use stricter; then
+		newins - gentoo-stricter.cfg <<-EOF
+			# This file increases the strictness of older clang versions
+			# to match the newest upstream version.
+
+			# clang-16 defaults
+			-Werror=implicit-function-declaration
+			-Werror=implicit-int
+			-Werror=incompatible-function-pointer-types
+		EOF
+
+		cat >> "${ED}/etc/clang/gentoo-common.cfg" <<-EOF || die
+			@gentoo-stricter.cfg
+		EOF
+	fi
+
+	local tool
+	for tool in clang{,++,-cpp}; do
+		newins - "${tool}.cfg" <<-EOF
+			# This configuration file is used by ${tool} driver.
+			@gentoo-common.cfg
+		EOF
+	done
+}
+
+pkg_preinst() {
+	if has_version -b sys-devel/gcc-config && has_version sys-devel/gcc
+	then
+		local gcc_path=$(gcc-config --get-lib-path 2>/dev/null)
+		if [[ -n ${gcc_path} ]]; then
+			cat >> "${ED}/etc/clang/gentoo-gcc-install.cfg" <<-EOF
+				--gcc-install-dir="${gcc_path%%:*}"
+			EOF
+		fi
+	fi
+}
diff --git a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
index 3e43f51a0aab..709c93681448 100644
--- a/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-15.0.6.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
 	default-compiler-rt default-libcxx default-lld llvm-libunwind
-	stricter
+	hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 		# This file contains flags common to clang, clang++ and clang-cpp.
 		@gentoo-runtimes.cfg
 		@gentoo-gcc-install.cfg
+		@gentoo-hardened.cfg
 	EOF
 
+	# Baseline hardening (bug #851111)
+	newins - gentoo-hardened.cfg <<-EOF
+		-fstack-clash-protection
+		-fstack-protector-strong
+		-fPIE
+		-include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+	EOF
+
+	dodir /usr/include/gentoo
+
+	local fortify_level=$(usex hardened 3 2)
+	# We have to do this because glibc's headers warn if F_S is set
+	# without optimization and that would at the very least be very noisy
+	# during builds and at worst trigger many -Werror builds.
+	cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+		#ifndef _FORTIFY_SOURCE
+			#if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+				#define _FORTIFY_SOURCE ${fortify_level}
+			#endif
+		#endif
+	EOF
+
+	if use hardened ; then
+		cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+			-D_GLIBCXX_ASSERTIONS
+
+			# Analogue to GLIBCXX_ASSERTIONS
+			# https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+			-D_LIBCPP_ENABLE_ASSERTIONS=1
+		EOF
+	fi
+
 	if use stricter; then
 		newins - gentoo-stricter.cfg <<-EOF
 			# This file increases the strictness of older clang versions
diff --git a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
index e9669ee1adcc..1b9640fcebe0 100644
--- a/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
+++ b/sys-devel/clang-common/clang-common-16.0.0.9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2022 Gentoo Authors
+# Copyright 1999-2023 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -13,7 +13,7 @@ SLOT="0"
 KEYWORDS=""
 IUSE="
 	default-compiler-rt default-libcxx default-lld llvm-libunwind
-	stricter
+	hardened stricter
 "
 
 PDEPEND="
@@ -86,8 +86,41 @@ src_install() {
 		# This file contains flags common to clang, clang++ and clang-cpp.
 		@gentoo-runtimes.cfg
 		@gentoo-gcc-install.cfg
+		@gentoo-hardened.cfg
 	EOF
 
+	# Baseline hardening (bug #851111)
+	newins - gentoo-hardened.cfg <<-EOF
+		-fstack-clash-protection
+		-fstack-protector-strong
+		-fPIE
+		-include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+	EOF
+
+	dodir /usr/include/gentoo
+
+	local fortify_level=$(usex hardened 3 2)
+	# We have to do this because glibc's headers warn if F_S is set
+	# without optimization and that would at the very least be very noisy
+	# during builds and at worst trigger many -Werror builds.
+	cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+		#ifndef _FORTIFY_SOURCE
+			#if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+				#define _FORTIFY_SOURCE ${fortify_level}
+			#endif
+		#endif
+	EOF
+
+	if use hardened ; then
+		cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+			-D_GLIBCXX_ASSERTIONS
+
+			# Analogue to GLIBCXX_ASSERTIONS
+			# https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+			-D_LIBCPP_ENABLE_ASSERTIONS=1
+		EOF
+	fi
+
 	if use stricter; then
 		newins - gentoo-stricter.cfg <<-EOF
 			# This file increases the strictness of older clang versions
diff --git a/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
new file mode 100644
index 000000000000..350245ab982e
--- /dev/null
+++ b/sys-devel/clang-common/clang-common-16.0.0_pre20230101-r1.ebuild
@@ -0,0 +1,165 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit bash-completion-r1 llvm.org
+
+DESCRIPTION="Common files shared between multiple slots of clang"
+HOMEPAGE="https://llvm.org/"
+
+LICENSE="Apache-2.0-with-LLVM-exceptions UoI-NCSA"
+SLOT="0"
+KEYWORDS=""
+IUSE="
+	default-compiler-rt default-libcxx default-lld llvm-libunwind
+	hardened stricter
+"
+
+PDEPEND="
+	sys-devel/clang:*
+	default-compiler-rt? (
+		sys-devel/clang-runtime[compiler-rt]
+		llvm-libunwind? ( sys-libs/llvm-libunwind )
+		!llvm-libunwind? ( sys-libs/libunwind )
+	)
+	!default-compiler-rt? ( sys-devel/gcc )
+	default-libcxx? ( >=sys-libs/libcxx-${PV} )
+	!default-libcxx? ( sys-devel/gcc )
+	default-lld? ( sys-devel/lld )
+	!default-lld? ( sys-devel/binutils )
+"
+IDEPEND="
+	!default-compiler-rt? ( sys-devel/gcc-config )
+	!default-libcxx? ( sys-devel/gcc-config )
+"
+
+LLVM_COMPONENTS=( clang/utils )
+llvm.org_set_globals
+
+pkg_pretend() {
+	[[ ${CLANG_IGNORE_DEFAULT_RUNTIMES} ]] && return
+
+	local flag missing_flags=()
+	for flag in default-{compiler-rt,libcxx,lld}; do
+		if ! use "${flag}" && has_version "sys-devel/clang[${flag}]"; then
+			missing_flags+=( "${flag}" )
+		fi
+	done
+
+	if [[ ${missing_flags[@]} ]]; then
+		eerror "It seems that you have the following flags set on sys-devel/clang:"
+		eerror
+		eerror "  ${missing_flags[*]}"
+		eerror
+		eerror "The default runtimes are now set via flags on sys-devel/clang-common."
+		eerror "The build is being aborted to prevent breakage.  Please either set"
+		eerror "the respective flags on this ebuild, e.g.:"
+		eerror
+		eerror "  sys-devel/clang-common ${missing_flags[*]}"
+		eerror
+		eerror "or build with CLANG_IGNORE_DEFAULT_RUNTIMES=1."
+		die "Mismatched defaults detected between sys-devel/clang and sys-devel/clang-common"
+	fi
+}
+
+src_install() {
+	newbashcomp bash-autocomplete.sh clang
+
+	insinto /etc/clang
+	newins - gentoo-runtimes.cfg <<-EOF
+		# This file is initially generated by sys-devel/clang-runtime.
+		# It is used to control the default runtimes using by clang.
+
+		--rtlib=$(usex default-compiler-rt compiler-rt libgcc)
+		--unwindlib=$(usex default-compiler-rt libunwind libgcc)
+		--stdlib=$(usex default-libcxx libc++ libstdc++)
+		-fuse-ld=$(usex default-lld lld bfd)
+	EOF
+
+	newins - gentoo-gcc-install.cfg <<-EOF
+		# This file is maintained by gcc-config.
+		# It is used to specify the selected GCC installation.
+	EOF
+
+	newins - gentoo-common.cfg <<-EOF
+		# This file contains flags common to clang, clang++ and clang-cpp.
+		@gentoo-runtimes.cfg
+		@gentoo-gcc-install.cfg
+		@gentoo-hardened.cfg
+	EOF
+
+	# Baseline hardening (bug #851111)
+	newins - gentoo-hardened.cfg <<-EOF
+		-fstack-clash-protection
+		-fstack-protector-strong
+		-fPIE
+		-include "${ESYSROOT}/usr/include/gentoo/fortify.h"
+	EOF
+
+	dodir /usr/include/gentoo
+
+	local fortify_level=$(usex hardened 3 2)
+	# We have to do this because glibc's headers warn if F_S is set
+	# without optimization and that would at the very least be very noisy
+	# during builds and at worst trigger many -Werror builds.
+	cat >> "${ED}/usr/include/gentoo/fortify.h" <<- EOF || die
+		#ifndef	_FORTIFY_SOURCE
+			#if defined(__OPTIMIZE__) && __OPTIMIZE__ > 0
+				#define _FORTIFY_SOURCE ${fortify_level}
+			#endif
+		#endif
+	EOF
+
+	if use hardened ; then
+		cat >> "${ED}/etc/clang/gentoo-hardened.cfg" <<-EOF || die
+			-D_GLIBCXX_ASSERTIONS
+
+			# Analogue to GLIBCXX_ASSERTIONS
+			# https://libcxx.llvm.org/UsingLibcxx.html#assertions-mode
+			-D_LIBCPP_ENABLE_ASSERTIONS=1
+		EOF
+	fi
+
+	if use stricter; then
+		newins - gentoo-stricter.cfg <<-EOF
+			# This file increases the strictness of older clang versions
+			# to match the newest upstream version.
+
+			# clang-16 defaults
+			-Werror=implicit-function-declaration
+			-Werror=implicit-int
+			-Werror=incompatible-function-pointer-types
+
+			# constructs banned by C2x
+			-Werror=deprecated-non-prototype
+
+			# deprecated but large blast radius
+			#-Werror=strict-prototypes
+		EOF
+
+		cat >> "${ED}/etc/clang/gentoo-common.cfg" <<-EOF || die
+			@gentoo-stricter.cfg
+		EOF
+	fi
+
+	local tool
+	for tool in clang{,++,-cpp}; do
+		newins - "${tool}.cfg" <<-EOF
+			# This configuration file is used by ${tool} driver.
+			@gentoo-common.cfg
+		EOF
+	done
+}
+
+pkg_preinst() {
+	if has_version -b sys-devel/gcc-config && has_version sys-devel/gcc
+	then
+		local gcc_path=$(gcc-config --get-lib-path 2>/dev/null)
+		if [[ -n ${gcc_path} ]]; then
+			cat >> "${ED}/etc/clang/gentoo-gcc-install.cfg" <<-EOF
+				--gcc-install-dir="${gcc_path%%:*}"
+			EOF
+		fi
+	fi
+}