# {C,CPP,CXX,CCAS,F,FC,LD}FLAGS that we allow in strip-flags
# Note: shell globs and character lists are allowed
setup-allowed-flags() {
- ALLOWED_FLAGS="-pipe"
- ALLOWED_FLAGS+=" -O -O1 -O2 -Os -Og -mcpu -march -mtune"
- ALLOWED_FLAGS+=" -fstack-protector* -fsanitize*"
- ALLOWED_FLAGS+=" -fbounds-check -fbounds-checking -fno-strict-overflow"
- ALLOWED_FLAGS+=" -fno-PIE -fno-pie -nopie -fno-unit-at-a-time"
- ALLOWED_FLAGS+=" -g -g[0-9] -ggdb -ggdb[0-9] -gdwarf-* gstabs -gstabs+"
- ALLOWED_FLAGS+=" -fno-ident -fpermissive -frecord-gcc-switches"
- ALLOWED_FLAGS+=" -fdiagnostics*"
- ALLOWED_FLAGS+=" -W* -w"
+ ALLOWED_FLAGS=(
+ -pipe -O '-O[12sg]' -mcpu -march -mtune
+ '-fstack-protector*' '-fsanitize*'
+ -fbounds-check -fbounds-checking -fno-strict-overflow
+ -fno-PIE -fno-pie -nopie -fno-unit-at-a-time
+ -g '-g[0-9]' -ggdb '-ggdb[0-9]' '-gdwarf-*' gstabs -gstabs+
+ -fno-ident -fpermissive -frecord-gcc-switches
+ '-fdiagnostics*'
+ '-W*' -w
+
+ # CPPFLAGS and LDFLAGS
+ '-[DUILR]*' '-Wl,*'
+ )
# allow a bunch of flags that negate features / control ABI
- ALLOWED_FLAGS+=" -fno-stack-protector* -fabi-version=* \
- -fno-strict-aliasing -fno-bounds-check -fno-bounds-checking -fstrict-overflow \
- -fno-omit-frame-pointer -fno-builtin*"
- ALLOWED_FLAGS+=" -mregparm -mno-app-regs -mapp-regs -mno-mmx -mno-sse \
- -mno-sse2 -mno-sse3 -mno-ssse3 -mno-sse4 -mno-sse4.1 -mno-sse4.2 \
- -mno-avx -mno-aes -mno-pclmul -mno-sse4a -mno-3dnow -mno-popcnt \
- -mno-abm -mips1 -mips2 -mips3 -mips4 -mips32 -mips64 -mips16 -mplt \
- -msoft-float -mno-soft-float -mhard-float -mno-hard-float -mfpu \
- -mieee -mieee-with-inexact -mschedule -mfloat-gprs -mspe -mno-spe \
- -mtls-direct-seg-refs -mno-tls-direct-seg-refs -mflat -mno-flat \
- -mno-faster-structs -mfaster-structs -m32 -m64 -mx32 -mabi \
- -mlittle-endian -mbig-endian -EL -EB -fPIC -mlive-g0 -mcmodel \
- -mstack-bias -mno-stack-bias -msecure-plt -m*-toc -mfloat-abi \
- -mfix-r10000 -mno-fix-r10000 -D* -U*"
-
- # 4.5
- ALLOWED_FLAGS+=" -mno-fma4 -mno-movbe -mno-xop -mno-lwp"
- # 4.6
- ALLOWED_FLAGS+=" -mno-fsgsbase -mno-rdrnd -mno-f16c -mno-bmi -mno-tbm"
- # 4.7
- ALLOWED_FLAGS+=" -mno-avx2 -mno-bmi2 -mno-fma -mno-lzcnt"
- # 4.8
- ALLOWED_FLAGS+=" -mno-fxsr -mno-rtm -mno-xsave -mno-xsaveopt"
- # 4.9
- ALLOWED_FLAGS+=" -mno-avx512cd -mno-avx512er -mno-avx512f -mno-avx512pf -mno-sha"
-
- # CPPFLAGS and LDFLAGS
- ALLOWED_FLAGS+=" -I* -L* -R* -Wl,*"
-
- export ALLOWED_FLAGS
- return 0
+ ALLOWED_FLAGS+=(
+ '-fno-stack-protector*' '-fabi-version=*'
+ -fno-strict-aliasing -fno-bounds-check -fno-bounds-checking -fstrict-overflow
+ -fno-omit-frame-pointer '-fno-builtin*'
+ )
+ ALLOWED_FLAGS+=(
+ -mregparm -mno-app-regs -mapp-regs -mno-mmx -mno-sse
+ -mno-sse2 -mno-sse3 -mno-ssse3 -mno-sse4 -mno-sse4.1 -mno-sse4.2
+ -mno-avx -mno-aes -mno-pclmul -mno-sse4a -mno-3dnow -mno-popcnt
+ -mno-abm -mips1 -mips2 -mips3 -mips4 -mips32 -mips64 -mips16 -mplt
+ -msoft-float -mno-soft-float -mhard-float -mno-hard-float -mfpu
+ -mieee -mieee-with-inexact -mschedule -mfloat-gprs -mspe -mno-spe
+ -mtls-direct-seg-refs -mno-tls-direct-seg-refs -mflat -mno-flat
+ -mno-faster-structs -mfaster-structs -m32 -m64 -mx32 -mabi
+ -mlittle-endian -mbig-endian -EL -EB -fPIC -mlive-g0 -mcmodel
+ -mstack-bias -mno-stack-bias -msecure-plt '-m*-toc' -mfloat-abi
+ -mfix-r10000 -mno-fix-r10000
+
+ # gcc 4.5
+ -mno-fma4 -mno-movbe -mno-xop -mno-lwp
+ # gcc 4.6
+ -mno-fsgsbase -mno-rdrnd -mno-f16c -mno-bmi -mno-tbm
+ # gcc 4.7
+ -mno-avx2 -mno-bmi2 -mno-fma -mno-lzcnt
+ # gcc 4.8
+ -mno-fxsr -mno-rtm -mno-xsave -mno-xsaveopt
+ # gcc 4.9
+ -mno-avx512cd -mno-avx512er -mno-avx512f -mno-avx512pf -mno-sha
+ )
}
# inverted filters for hardened compiler. This is trying to unpick
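Review bot: The entry `gstabs` on the debug-flag line of the new array has no leading dash, so it matches only a bare word `gstabs` and never the compiler option. As listed, `-gstabs+` is allowed but plain `-gstabs` is stripped. The removed string version has the same spelling, so the conversion carries the typo over rather than introducing it. The entry should read `-gstabs`.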
strip-flags() {
local x y var
+ local ALLOWED_FLAGS
setup-allowed-flags
set -f # disable pathname expansion
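Review bot: The requirement that a caller declare `local ALLOWED_FLAGS` before calling setup-allowed-flags is not documented anywhere in the visible code, yet after this change the function no longer exports anything and simply fills whatever `ALLOWED_FLAGS` is in scope. A caller that omits the declaration would leave a global array behind, and any code still expanding `${ALLOWED_FLAGS}` as a scalar would see only the first element, `-pipe`, silently stripping every other flag including the `-fstack-protector*` and `-fsanitize*` entries. No such caller is visible in this diff, so this is a documentation request: add a line above setup-allowed-flags such as `# Callers must declare "local ALLOWED_FLAGS" first; the result is a bash array and is not exported.` The body of strip-flags continues outside this hunk.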
for x in ${!var} ; do
local flag=${x%%=*}
- for y in ${ALLOWED_FLAGS} ; do
+ for y in "${ALLOWED_FLAGS[@]}" ; do
if [[ -z ${flag%%${y}} ]] ; then
new+=( "${x}" )
break
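Review bot: Patterns that contain `=` can never match in this loop, because `flag=${x%%=*}` removes everything from the first `=` before the comparison `[[ -z ${flag%%${y}} ]]`. The only such entry in the visible list is `'-fabi-version=*'`, so `-fabi-version=N` is reduced to `-fabi-version`, fails that pattern, and is stripped even though it is listed as allowed. Writing the entry as `-fabi-version`, in the same form as `-march` and `-mcpu`, would make it effective, and a comment beside `local flag=${x%%=*}` stating that patterns are matched against the option name without its value would prevent the same mistake later. The loop and the rest of strip-flags end outside this hunk.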