build: Add _FORTIFY_SOURCE=3 support

Add support for _FORTIFY_SOURCE level 3.

This is supported with glibc and with musl libc.

Link: https://github.com/openwrt/openwrt/pull/20313
Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>

3 files changed, 10 insertions, 2 deletions

diff --git a/config/Config-build.in b/config/Config-build.in
index 42b353ecf7..2d08f4ccd2 100644
--- a/config/Config-build.in
+++ b/config/Config-build.in
@@ -358,9 +358,11 @@ menu "Global build settings"
 		config PKG_FORTIFY_SOURCE_NONE
 			bool "None"
 		config PKG_FORTIFY_SOURCE_1
-			bool "Conservative"
+			bool "Conservative Level 1"
 		config PKG_FORTIFY_SOURCE_2
-			bool "Aggressive"
+			bool "Aggressive Level 2"
+		config PKG_FORTIFY_SOURCE_3
+			bool "Aggressive Level 3"
 	endchoice
 
 	choice
diff --git a/include/hardening.mk b/include/hardening.mk
index 4a8874261b..a2be5eabd0 100644
--- a/include/hardening.mk
+++ b/include/hardening.mk
@@ -51,6 +51,11 @@ ifdef CONFIG_PKG_FORTIFY_SOURCE_2
     TARGET_CFLAGS += -D_FORTIFY_SOURCE=2
   endif
 endif
+ifdef CONFIG_PKG_FORTIFY_SOURCE_3
+  ifeq ($(strip $(PKG_FORTIFY_SOURCE)),1)
+    TARGET_CFLAGS += -D_FORTIFY_SOURCE=3
+  endif
+endif
 ifdef CONFIG_PKG_RELRO_PARTIAL
   ifeq ($(strip $(PKG_RELRO)),1)
     TARGET_CFLAGS += -Wl,-z,relro
diff --git a/toolchain/glibc/common.mk b/toolchain/glibc/common.mk
index 02906d34b2..25d5d66aca 100644
--- a/toolchain/glibc/common.mk
+++ b/toolchain/glibc/common.mk
@@ -68,6 +68,7 @@ GLIBC_CONFIGURE:= \
 		  $(if $(CONFIG_PKG_RELRO_FULL),--enable-bind-now) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_1),--enable-fortify-source=1) \
 		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_2),--enable-fortify-source=2) \
+		  $(if $(CONFIG_PKG_FORTIFY_SOURCE_3),--enable-fortify-source=3) \
 		--enable-kernel=6.6.0
 
 export libc_cv_ssp=no