From 658de71fc6d115e8d72154044f3288051ba7a97c Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Wed, 7 Apr 2021 15:23:45 +0200
Subject: [PATCH 1/2] build: hardening flags

Signed-off-by: Leonardo Grasso
---
 CMakeLists.txt | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 8efa759fc9b..528497ec408 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -69,7 +69,13 @@ if(MUSL_OPTIMIZED_BUILD)
 set(MUSL_FLAGS "-static -Os")
 endif()

-set(CMAKE_COMMON_FLAGS "-Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")
+# explicitly set hardening flags
+set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
+if(CMAKE_BUILD_TYPE STREQUAL "release")
+ set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
+endif()
+
+set(CMAKE_COMMON_FLAGS "${FALCO_SECURITY_FLAGS} -Wall -ggdb ${DRAIOS_FEATURE_FLAGS} ${MINIMAL_BUILD_FLAGS} ${MUSL_FLAGS}")

 if(BUILD_WARNINGS_AS_ERRORS)
 set(CMAKE_SUPPRESSED_WARNINGS

From a917e68cec45d09d9ed0bde9c903954421be6352 Mon Sep 17 00:00:00 2001
From: Leonardo Grasso
Date: Wed, 7 Apr 2021 16:45:31 +0200
Subject: [PATCH 2/2] build: enable ASLR for statically linked build

Co-authored-by: Lorenzo Fontana
Signed-off-by: Leonardo Grasso
---
 CMakeLists.txt | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 528497ec408..5510de25540 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -66,10 +66,11 @@ if(MINIMAL_BUILD)
 endif()

 if(MUSL_OPTIMIZED_BUILD)
- set(MUSL_FLAGS "-static -Os")
+ set(MUSL_FLAGS "-static -Os -fPIE -pie")
 endif()

 # explicitly set hardening flags
+set(CMAKE_POSITION_INDEPENDENT_CODE ON)
 set(FALCO_SECURITY_FLAGS "-Wl,-z,relro,-z,now -fstack-protector-strong")
 if(CMAKE_BUILD_TYPE STREQUAL "release")
 set(FALCO_SECURITY_FLAGS "${FALCO_SECURITY_FLAGS} -D_FORTIFY_SOURCE=2")
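Review bot: The `if(CMAKE_BUILD_TYPE STREQUAL "release")` guard in the first patch is a case-sensitive match, so a build configured with the conventional `-DCMAKE_BUILD_TYPE=Release` would not get `-D_FORTIFY_SOURCE=2` unless the variable is lower-cased earlier in the file, which this hunk does not show. Normalising locally makes the hardening independent of that: `string(TOLOWER "${CMAKE_BUILD_TYPE}" FALCO_BUILD_TYPE_LOWER)` followed by `if(FALCO_BUILD_TYPE_LOWER STREQUAL "release")`. The comment above the flags could also record why the define is conditional, for example `# _FORTIFY_SOURCE only takes effect with optimization enabled, so it is added to release builds only`. The `if(BUILD_WARNINGS_AS_ERRORS)` block at the end of the hunk continues outside it.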
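Review bot: In the second patch, `-static -Os -fPIE -pie` may not yield a position-independent static binary: GCC documents that `-static` overrides `-pie`, and a static PIE is requested with `-static-pie` (GCC 8 or later, with libc support), so whether the ASLR goal in the subject is met depends on the toolchain. Consider `set(MUSL_FLAGS "-static-pie -Os -fPIE")` where the compiler supports it, and confirm on the built binary that `readelf -h` reports `Type: DYN`. Separately, `set(CMAKE_POSITION_INDEPENDENT_CODE ON)` only adds the compile-side flag; for CMake itself to pass `-pie` at link time on the non-musl build, policy CMP0083 must be NEW and `check_pie_supported()` from the `CheckPIESupported` module (CMake 3.14+) must be called. The `if(CMAKE_BUILD_TYPE ...)` block at the end of the hunk closes outside it.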