Bug 1716024 p2: Flag all binaries apart from firefox, xpcshell and plugin-container as CET compatible. r=glandium

We will only run the processes in CET compatible modules only mode when not using the JIT code. So marking xul.dll as compatible should be OK. Differential Revision: https://phabricator.services.mozilla.com/D117551
2021-07-19 07:36:19 +00:00 · 2021-07-19 07:36:19 +00:00 · b2d767fbb9
--- a/browser/app/moz.build
+++ b/browser/app/moz.build
@ -94,6 +94,10 @@ if CONFIG["OS_ARCH"] == "WINNT":
        libpath_flag + OBJDIR + "/winlauncher/freestanding",
    ]

+    # Don't build firefox.exe with CETCOMPAT, because we need to be able to
+    # only enable it for processes that are not using JIT in xul.dll.
+    LINK_FLAGS["CETCOMPAT"] = []
+
 if CONFIG["MOZ_SANDBOX"] and CONFIG["OS_ARCH"] == "Darwin":
    USE_LIBS += [
        "mozsandbox",
--- a/build/moz.configure/toolchain.configure
+++ b/build/moz.configure/toolchain.configure
@ -1947,6 +1947,24 @@ set_config("MOZ_HARDENING_CFLAGS_JS", security_hardening_cflags.js_flags)
 set_config("MOZ_HARDENING_LDFLAGS_JS", security_hardening_cflags.js_ldflags)


+# Intel Control-flow Enforcement Technology
+# ==============================================================
+# We keep this separate from the hardening flags above, because we want to be
+# able to easily remove the flags in the build files for certain executables.
+@depends(c_compiler, target)
+def cet_ldflags(c_compiler, target):
+    ldflags = []
+    if (
+        c_compiler.type == "clang-cl"
+        and c_compiler.version >= "11"
+        and target.cpu == "x86_64"
+    ):
+        ldflags.append("-CETCOMPAT")
+    return ldflags
+
+
+set_config("MOZ_CETCOMPAT_LDFLAGS", cet_ldflags)
+
 # Frame pointers
 # ==============================================================
@depends(c_compiler)
--- a/ipc/app/moz.build
+++ b/ipc/app/moz.build
@ -57,6 +57,10 @@ if CONFIG["OS_ARCH"] == "WINNT":
        "xul.dll",
    ]

+    # Don't build plugin-container.exe with CETCOMPAT for the moment, so that
+    # we can enable it using a pref during testing.
+    LINK_FLAGS["CETCOMPAT"] = []
+
 if CONFIG["MOZ_SANDBOX"] and CONFIG["OS_TARGET"] == "Darwin":
    # For sandbox includes and the include dependencies those have
    LOCAL_INCLUDES += [
--- a/js/xpconnect/shell/moz.build
+++ b/js/xpconnect/shell/moz.build
@ -59,6 +59,10 @@ if CONFIG["OS_ARCH"] == "WINNT":
        "xul.dll",
    ]

+    # Don't build xpcshell.exe with CETCOMPAT, because we need to be able to
+    # only enable it for processes that are not using JIT in xul.dll.
+    LINK_FLAGS["CETCOMPAT"] = []
+
 CFLAGS += CONFIG["TK_CFLAGS"]
 CXXFLAGS += CONFIG["TK_CFLAGS"]
 OS_LIBS += CONFIG["TK_LIBS"]
--- a/python/mozbuild/mozbuild/frontend/context.py
+++ b/python/mozbuild/mozbuild/frontend/context.py
@ -465,6 +465,15 @@ class LinkFlags(BaseCompileFlags):
                ),
                ("LDFLAGS",),
            ),
+            (
+                "CETCOMPAT",
+                (
+                    context.config.substs.get("MOZ_CETCOMPAT_LDFLAGS")
+                    if context.config.substs.get("NIGHTLY_BUILD")
+                    else []
+                ),
+                ("LDFLAGS",),
+            ),
        )
        BaseCompileFlags.__init__(self, context)