gh-121996: Introduce --disable-safety and --enable-slower-safety options (#122054)

* gh-121996: Introduce --disable-safty and --enable-slower-safty * Update GA * fix * Address code review * Update CI
2024-07-23 09:22:04 +09:00 · 2024-07-23 09:22:04 +09:00 · a9bb3c7b3b
parent 2762c6cc5e
commit a9bb3c7b3b
7 changed files with 93 additions and 7 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -307,7 +307,7 @@ jobs:
      with:
        save: false
    - name: Configure CPython
-      run: ./configure --config-cache --with-pydebug --with-openssl=$OPENSSL_DIR
+      run: ./configure --config-cache --enable-slower-safety --with-pydebug --with-openssl=$OPENSSL_DIR
    - name: Build CPython
      run: make -j4
    - name: Display build info
@ -380,6 +380,7 @@ jobs:
        ../cpython-ro-srcdir/configure \
          --config-cache \
          --with-pydebug \
+          --enable-slower-safety \
          --with-openssl=$OPENSSL_DIR
    - name: Build CPython out-of-tree
      working-directory: ${{ env.CPYTHON_BUILDDIR }}
--- a/.github/workflows/reusable-macos.yml
+++ b/.github/workflows/reusable-macos.yml
@ -53,6 +53,7 @@ jobs:
        ./configure \
          --config-cache \
          --with-pydebug \
+          --enable-slower-safety \
          ${{ inputs.free-threading && '--disable-gil' || '' }} \
          --prefix=/opt/python-dev \
          --with-openssl="$(brew --prefix openssl@3.0)"
--- a/.github/workflows/reusable-ubuntu.yml
+++ b/.github/workflows/reusable-ubuntu.yml
@ -69,6 +69,7 @@ jobs:
        ../cpython-ro-srcdir/configure
        --config-cache
        --with-pydebug
+        --enable-slower-safety
        --with-openssl=$OPENSSL_DIR
        ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
    - name: Build CPython out-of-tree
--- a/Doc/using/configure.rst
+++ b/Doc/using/configure.rst
@ -907,6 +907,25 @@ Security Options
      The settings ``python`` and *STRING* also set TLS 1.2 as minimum
      protocol version.

+.. option:: --disable-safety
+
+   Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
+   If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
+
+   .. _OpenSSF: https://openssf.org/
+
+   .. versionadded:: 3.14
+
+.. option:: --enable-slower-safety
+
+   Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
+   If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
+
+   .. _OpenSSF: https://openssf.org/
+
+   .. versionadded:: 3.14
+
+
 macOS Options
 -------------

--- a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst
+++ b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst
@ -0,0 +1,2 @@
+Introduce ./configure --disable-safety and --enable-slower-safety options.
+Patch by Donghee Na.
--- a/43
+++ b/43
@ -1094,6 +1094,8 @@ enable_optimizations
 with_lto
 enable_bolt
 with_strict_overflow
+enable_safety
+enable_slower_safety
 with_dsymutil
 with_address_sanitizer
 with_memory_sanitizer
@ -1826,6 +1828,10 @@ Optional Features:
                          (default is no)
  --enable-bolt           enable usage of the llvm-bolt post-link optimizer
                          (default is no)
+  --disable-safety        disable usage of the security compiler options with
+                          no performance overhead
+  --enable-slower-safety  enable usage of the security compiler options with
+                          performance overhead
  --enable-loadable-sqlite-extensions
                          support loadable extensions in the sqlite3 module,
                          see Doc/library/sqlite3.rst (default is no)
@ -9666,6 +9672,27 @@ fi

 # Enable flags that warn and protect for potential security vulnerabilities.
 # These flags should be enabled by default for all builds.
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --disable-safety" >&5
+printf %s "checking for --disable-safety... " >&6; }
+# Check whether --enable-safety was given.
+if test ${enable_safety+y}
+then :
+  enableval=$enable_safety; if test "x$enable_safety" = xyes
+then :
+  disable_safety=no
+else $as_nop
+  disable_saftey=yes
+fi
+else $as_nop
+  disable_saftey=no
+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $disable_safety" >&5
+printf "%s\n" "$disable_safety" >&6; }
+
+if test "$disable_safety" = "no"
+then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -fstack-protector-strong" >&5
 printf %s "checking whether C compiler accepts -fstack-protector-strong... " >&6; }
 if test ${ax_cv_check_cflags__Werror__fstack_protector_strong+y}
@ -9744,6 +9771,21 @@ else $as_nop
 printf "%s\n" "$as_me: WARNING: -Wtrampolines not supported" >&2;}
 fi

+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking for --enable-slower-safety" >&5
+printf %s "checking for --enable-slower-safety... " >&6; }
+# Check whether --enable-slower-safety was given.
+if test ${enable_slower_safety+y}
+then :
+  enableval=$enable_slower_safety;
+fi
+
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $enable_slower_safety" >&5
+printf "%s\n" "$enable_slower_safety" >&6; }
+
+if test "$enable_slower_safety" = "yes"
+then
  { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=3" >&5
 printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=3... " >&6; }
 if test ${ax_cv_check_cflags___D_FORTIFY_SOURCE_3+y}
@ -9783,6 +9825,7 @@ else $as_nop
 printf "%s\n" "$as_me: WARNING: -D_FORTIFY_SOURCE=3 not supported" >&2;}
 fi

+fi

 case $GCC in
 yes)
--- a/configure.ac
+++ b/configure.ac
@ -2499,9 +2499,28 @@ AS_VAR_IF([with_strict_overflow], [yes],

 # Enable flags that warn and protect for potential security vulnerabilities.
 # These flags should be enabled by default for all builds.
+
+AC_MSG_CHECKING([for --disable-safety])
+AC_ARG_ENABLE([safety],
+  [AS_HELP_STRING([--disable-safety], [disable usage of the security compiler options with no performance overhead])],
+  [AS_VAR_IF([enable_safety], [yes], [disable_safety=no], [disable_saftey=yes])], [disable_saftey=no])
+AC_MSG_RESULT([$disable_safety])
+
+if test "$disable_safety" = "no"
+then
  AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
  AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
+fi
+
+AC_MSG_CHECKING([for --enable-slower-safety])
+AC_ARG_ENABLE([slower-safety],
+  [AS_HELP_STRING([--enable-slower-safety], [enable usage of the security compiler options with performance overhead])],[])
+AC_MSG_RESULT([$enable_slower_safety])
+
+if test "$enable_slower_safety" = "yes"
+then
  AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
+fi

 case $GCC in
 yes)