From a3a799c77cbcaebfebc64bd8a3815230df052e9e Mon Sep 17 00:00:00 2001
From: Vasil Dimov
Date: Fri, 14 Mar 2025 13:39:56 +0100
Subject: [PATCH] build: enable libc++ hardening
When `ENABLE_HARDENING` is `ON` (which is the default) and compiling with libc++ in debug mode, then enable full libc++ hardening. Inspired by https://github.com/bitcoin/bitcoin/issues/31272#issuecomment-2518700939
---
 CMakeLists.txt | 6 ++++++
 cmake/introspection.cmake | 2 ++
 2 files changed, 8 insertions(+)
diff --git a/CMakeLists.txt b/CMakeLists.txt
index de11a4d3e0c..99e00d28f39 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -537,6 +537,12 @@ if(ENABLE_HARDENING)
 if(CMAKE_SYSTEM_NAME STREQUAL "Darwin")
 try_append_linker_flag("-Wl,-fixup_chains" TARGET hardening_interface)
 endif()
+
+ if(HAVE_LIBCPP)
+ # https://libcxx.llvm.org/Hardening.html
+ target_compile_definitions(hardening_interface INTERFACE
+ $,_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_DEBUG,>)
+ endif()
 endif()
 endif()
diff --git a/cmake/introspection.cmake b/cmake/introspection.cmake
index d4ed4866b9c..9cc818d1cc9 100644
--- a/cmake/introspection.cmake
+++ b/cmake/introspection.cmake
@@ -12,6 +12,8 @@ check_include_file_cxx(sys/resources.h HAVE_SYS_RESOURCES_H)
 check_include_file_cxx(sys/vmmeter.h HAVE_SYS_VMMETER_H)
 check_include_file_cxx(vm/vm_param.h HAVE_VM_VM_PARAM_H)
+check_cxx_symbol_exists(_LIBCPP_VERSION "version" HAVE_LIBCPP)
+
 check_cxx_symbol_exists(O_CLOEXEC "fcntl.h" HAVE_O_CLOEXEC)
 check_cxx_symbol_exists(fdatasync "unistd.h" HAVE_FDATASYNC)
 check_cxx_symbol_exists(fork "unistd.h" HAVE_DECL_FORK)
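Review bot: The new `target_compile_definitions` call in the `if(HAVE_LIBCPP)` branch sets `_LIBCPP_HARDENING_MODE` only for the Debug configuration, so by the commit message's own description a release build configured with `ENABLE_HARDENING=ON` gets no libc++ hardening from this block. The generator expression is truncated in this rendering, but its false branch appears to be empty. libc++ documents `_LIBCPP_HARDENING_MODE_FAST` as the mode meant for production, so that branch could carry `_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_FAST`. If leaving release builds unhardened is deliberate, a comment such as `# Debug config only: release builds keep the toolchain's default hardening mode` next to the documentation link would record the decision. The enclosing `if(ENABLE_HARDENING)` block starts outside the hunk.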
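Review bot: `HAVE_LIBCPP` in the new `check_cxx_symbol_exists` line records only that the standard library is libc++, not that this libc++ understands `_LIBCPP_HARDENING_MODE`, and the check has no comment saying what it gates. On a libc++ release that predates that macro, the definition added in CMakeLists.txt would be silently ignored, so a build configured with hardening on would get none from this path. Probing the macro that is actually used, for example `check_cxx_symbol_exists(_LIBCPP_HARDENING_MODE_DEBUG "version" HAVE_LIBCPP_HARDENING_MODE)`, would make the result mean what the caller assumes. A comment such as `# Set when the C++ standard library is libc++; gates _LIBCPP_HARDENING_MODE in CMakeLists.txt` above the check would document the link between the two files.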