Add some hardening compiler / linker flags to dependencies.

Telegram/build/docker/centos_env/Dockerfile

@@ -26,6 +26,7 @@ SHELL [ "scl", "enable", "devtoolset-9", "--", "bash", "-c" ]
 RUN ln -s cmake3 /usr/bin/cmake
 
 ENV LibrariesPath /usr/src/Libraries
+ENV HFLAGS "-fstack-protector-all -fstack-clash-protection -fPIC -D_FORTIFY_SOURCE=2"
 WORKDIR $LibrariesPath
 
 FROM builder AS patches
@@ -59,7 +60,7 @@ FROM builder AS zlib
 RUN git clone -b v1.2.11 --depth=1 $GIT/madler/zlib.git
 
 WORKDIR zlib
-RUN ./configure
+RUN CFLAGS=\"-O3 $HFLAGS\" ./configure --static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/zlib-cache" install
 
@@ -70,7 +71,8 @@ FROM builder AS xz
 RUN git clone -b v5.2.5 https://git.tukaani.org/xz.git
 
 WORKDIR xz
-RUN cmake3 -B build . -DCMAKE_BUILD_TYPE=Release
+RUN CFLAGS=\"$HFLAGS\" \
+	cmake3 -B build . -DCMAKE_BUILD_TYPE=Release
 RUN cmake3 --build build -j$(nproc)
 RUN DESTDIR="$LibrariesPath/xz-cache" cmake3 --install build
 
@@ -98,7 +100,7 @@ RUN git clone -b 0.4.17 --depth=1 $GIT/libproxy/libproxy.git
 
 WORKDIR libproxy
 RUN git apply ../patches/libproxy.patch
-RUN cmake3 -B build . \
+RUN CFLAGS=\"$HFLAGS\" CXXFLAGS=\"$HFLAGS\" cmake3 -B build . \
 	-DCMAKE_BUILD_TYPE=Release \
 	-DWITH_DBUS=OFF \
 	-DWITH_NM=OFF \
@@ -114,7 +116,7 @@ FROM builder AS mozjpeg
 RUN git clone -b v4.0.1-rc2 --depth=1 $GIT/mozilla/mozjpeg.git
 
 WORKDIR mozjpeg
-RUN cmake3 -B build . \
+RUN CFLAGS=\"$HFLAGS\" cmake3 -B build . \
 	-DCMAKE_BUILD_TYPE=Release \
 	-DCMAKE_INSTALL_PREFIX=/usr/local \
 	-DWITH_JPEG8=ON \
@@ -131,7 +133,7 @@ RUN git clone -b v1.3 --depth=1 $GIT/xiph/opus.git
 
 WORKDIR opus
 RUN ./autogen.sh
-RUN ./configure
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./configure
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/opus-cache" install
 
@@ -142,7 +144,7 @@ FROM builder AS rnnoise
 RUN git clone -b master --depth=1 $GIT/desktop-app/rnnoise
 
 WORKDIR rnnoise
-RUN cmake3 -B build . \
+RUN CFLAGS=\"$HFLAGS\" cmake3 -B build . \
 	-DCMAKE_BUILD_TYPE=Release
 
 RUN cmake3 --build build -j$(nproc)
@@ -158,7 +160,7 @@ FROM builder AS xcb-proto
 RUN git clone -b xcb-proto-1.14 --depth=1 https://gitlab.freedesktop.org/xorg/proto/xcbproto.git
 
 WORKDIR xcbproto
-RUN ./autogen.sh --enable-static
+RUN ./autogen.sh
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/xcb-proto-cache" install
 
@@ -171,7 +173,7 @@ COPY --from=xcb-proto ${LibrariesPath}/xcb-proto-cache /
 RUN git clone -b libxcb-1.14 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxcb.git
 
 WORKDIR libxcb
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/xcb-cache" install
 
@@ -202,7 +204,7 @@ COPY --from=xcb-util ${LibrariesPath}/xcb-util-cache /
 RUN git clone -b 0.4.0 --depth=1 --recursive https://gitlab.freedesktop.org/xorg/lib/libxcb-image.git
 
 WORKDIR libxcb-image
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/xcb-image-cache" install
 
@@ -211,7 +213,7 @@ FROM builder AS xcb-keysyms
 RUN git clone -b 0.4.0 --depth=1 --recursive https://gitlab.freedesktop.org/xorg/lib/libxcb-keysyms.git
 
 WORKDIR libxcb-keysyms
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/xcb-keysyms-cache" install
 
@@ -220,7 +222,7 @@ FROM builder AS xcb-render-util
 RUN git clone -b 0.3.9 --depth=1 --recursive https://gitlab.freedesktop.org/xorg/lib/libxcb-render-util.git
 
 WORKDIR libxcb-render-util
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/xcb-render-util-cache" install
 
@@ -228,7 +230,7 @@ FROM builder AS libXext
 RUN git clone -b libXext-1.3.4 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxext.git
 
 WORKDIR libxext
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXext-cache" install
 
@@ -239,7 +241,7 @@ FROM builder AS libXtst
 RUN git clone -b libXtst-1.2.3 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxtst.git
 
 WORKDIR libxtst
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXtst-cache" install
 
@@ -250,7 +252,7 @@ FROM builder AS libXfixes
 RUN git clone -b libXfixes-5.0.3 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxfixes.git
 
 WORKDIR libxfixes
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXfixes-cache" install
 
@@ -274,7 +276,7 @@ FROM builder AS libXrandr
 RUN git clone -b libXrandr-1.5.2 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxrandr.git
 
 WORKDIR libxrandr
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXrandr-cache" install
 
@@ -285,7 +287,7 @@ FROM builder AS libXrender
 RUN git clone -b libXrender-0.9.10 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxrender.git
 
 WORKDIR libxrender
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXrender-cache" install
 
@@ -296,7 +298,7 @@ FROM builder AS libXdamage
 RUN git clone -b libXdamage-1.1.5 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxdamage.git
 
 WORKDIR libxdamage
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXdamage-cache" install
 
@@ -307,7 +309,7 @@ FROM builder AS libXcomposite
 RUN git clone -b libXcomposite-0.4.5 --depth=1 https://gitlab.freedesktop.org/xorg/lib/libxcomposite.git
 
 WORKDIR libxcomposite
-RUN ./autogen.sh --enable-static
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh --enable-static
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libXcomposite-cache" install
 
@@ -396,7 +398,7 @@ COPY --from=drm ${LibrariesPath}/drm-cache /
 RUN git clone -b 2.10.0 --depth=1 $GIT/intel/libva.git
 
 WORKDIR libva
-RUN ./autogen.sh \
+RUN CFLAGS=\"-g -O2 $HFLAGS\" ./autogen.sh \
 	--enable-static \
 	--sysconfdir=/etc \
 	--with-drivers-path=/usr/lib/dri
@@ -440,8 +442,8 @@ RUN git clone -b release/4.4 --depth=1 $GIT/FFmpeg/FFmpeg.git ffmpeg
 
 WORKDIR ffmpeg
 RUN ./configure \
-	--extra-cflags="-DCONFIG_SAFE_BITSTREAM_READER=1" \
-	--extra-cxxflags="-DCONFIG_SAFE_BITSTREAM_READER=1" \
+	--extra-cflags=\"-DCONFIG_SAFE_BITSTREAM_READER=1 $HFLAGS\" \
+	--extra-cxxflags=\"-DCONFIG_SAFE_BITSTREAM_READER=1 $HFLAGS\" \
 	--disable-debug \
 	--disable-programs \
 	--disable-doc \
@@ -553,7 +555,7 @@ ADD https://api.github.com/repos/telegramdesktop/openal-soft/git/refs/heads/fix_
 RUN git clone -b fix_pulse_default --depth=1 $GIT/telegramdesktop/openal-soft.git
 
 WORKDIR openal-soft
-RUN cmake3 -B build . \
+RUN CFLAGS=\"$HFLAGS\" CXXFLAGS=\"$HFLAGS\" cmake3 -B build . \
 	-DCMAKE_BUILD_TYPE=Release \
 	-DLIBTYPE:STRING=STATIC \
 	-DALSOFT_EXAMPLES=OFF \
@@ -627,7 +629,7 @@ RUN git clone -b 2.10.6 --depth=1 $GIT/libsigcplusplus/libsigcplusplus.git
 WORKDIR libsigcplusplus
 ENV ACLOCAL_PATH="/usr/local/share/aclocal"
 RUN NOCONFIGURE=1 ./autogen.sh
-RUN ./configure --enable-maintainer-mode --enable-static --disable-documentation
+RUN CFLAGS=\"-g -O2 $HFLAGS\" CXXFLAGS=\"-g -O2 $HFLAGS\" ./configure --enable-maintainer-mode --enable-static --disable-documentation
 RUN make -j$(nproc)
 RUN make DESTDIR="$LibrariesPath/libsigcplusplus-cache" install
 
@@ -646,7 +648,7 @@ WORKDIR glibmm
 RUN git apply ../patches/glibmm.patch
 ENV ACLOCAL_PATH="/usr/local/share/aclocal"
 RUN NOCONFIGURE=1 ./autogen.sh
-RUN CC=\"gcc -flto\" CXX=\"g++ -flto\" AR=gcc-ar RANLIB=gcc-ranlib ./configure \
+RUN CC=\"gcc -flto $HFLAGS\" CXX=\"g++ -flto $HFLAGS\" AR=gcc-ar RANLIB=gcc-ranlib ./configure \
 	--enable-maintainer-mode \
 	--enable-static \
 	--disable-documentation
@@ -810,7 +812,7 @@ RUN meson build
 
 WORKDIR ../../..
 
-RUN cmake3 -B out/Release . \
+RUN CFLAGS=\"$HFLAGS\" CXXFLAGS=\"$HFLAGS\" cmake3 -B out/Release . \
 	-DCMAKE_BUILD_TYPE=Release \
 	-DTG_OWT_BUILD_AUDIO_BACKENDS=OFF \
 	-DTG_OWT_SPECIAL_TARGET=linux \
@@ -821,7 +823,7 @@ RUN cmake3 -B out/Release . \
 
 RUN cmake3 --build out/Release -- -j$(nproc)
 
-RUN cmake3 -B out/Debug . \
+RUN CFLAGS=\"$HFLAGS\" CXXFLAGS=\"$HFLAGS\" cmake3 -B out/Debug . \
 	-DCMAKE_BUILD_TYPE=Debug \
 	-DTG_OWT_SPECIAL_TARGET=linux \
 	-DTG_OWT_LIBJPEG_INCLUDE_PATH=/usr/local/include \

cmake

@@ -1 +1 @@
-Subproject commit 1dacc0ac4fe2a5cb0237e7c89fe5dd8906e1593f
+Subproject commit f3a611c82bfee860f950d5ca6563d8d68262b38d