gh-121996: Introduce --disable-safety and --enable-slower-safety options (#122054)

corona10 · web-flow · commit a9bb3c7b3bd8 · 2024-07-23T09:22:04.000+09:00
* gh-121996: Introduce --disable-safty and --enable-slower-safty * Update GA * fix * Address code review * Update CI
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -307,7 +307,7 @@ jobs:
       with:
         save: false
     - name: Configure CPython
-      run: ./configure --config-cache --with-pydebug --with-openssl=$OPENSSL_DIR
+      run: ./configure --config-cache --enable-slower-safety --with-pydebug --with-openssl=$OPENSSL_DIR
     - name: Build CPython
       run: make -j4
     - name: Display build info
@@ -380,6 +380,7 @@ jobs:
         ../cpython-ro-srcdir/configure \
           --config-cache \
           --with-pydebug \
+          --enable-slower-safety \
           --with-openssl=$OPENSSL_DIR
     - name: Build CPython out-of-tree
       working-directory: ${{ env.CPYTHON_BUILDDIR }}
diff --git a/.github/workflows/reusable-macos.yml b/.github/workflows/reusable-macos.yml
@@ -53,6 +53,7 @@ jobs:
         ./configure \
           --config-cache \
           --with-pydebug \
+          --enable-slower-safety \
           ${{ inputs.free-threading && '--disable-gil' || '' }} \
           --prefix=/opt/python-dev \
           --with-openssl="$(brew --prefix openssl@3.0)"
diff --git a/.github/workflows/reusable-ubuntu.yml b/.github/workflows/reusable-ubuntu.yml
@@ -69,6 +69,7 @@ jobs:
         ../cpython-ro-srcdir/configure
         --config-cache
         --with-pydebug
+        --enable-slower-safety
         --with-openssl=$OPENSSL_DIR
         ${{ fromJSON(inputs.free-threading) && '--disable-gil' || '' }}
     - name: Build CPython out-of-tree
diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst
@@ -907,6 +907,25 @@ Security Options
       The settings ``python`` and *STRING* also set TLS 1.2 as minimum
       protocol version.
 
+.. option:: --disable-safety
+
+   Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead.
+   If this option is not enabled, CPython will be built based on safety compiler options with no slow down.
+
+   .. _OpenSSF: https://openssf.org/
+
+   .. versionadded:: 3.14
+
+.. option:: --enable-slower-safety
+
+   Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead.
+   If this option is not enabled, CPython will not be built based on safety compiler options which performance impact.
+
+   .. _OpenSSF: https://openssf.org/
+
+   .. versionadded:: 3.14
+
+
 macOS Options
 -------------
 
diff --git a/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst b/Misc/NEWS.d/next/Build/2024-07-19-10-14-31.gh-issue-121996.IEb2sz.rst
@@ -0,0 +1,2 @@
+Introduce ./configure --disable-safety and --enable-slower-safety options.
+Patch by Donghee Na.
diff --git a/configure b/configure
diff --git a/configure.ac b/configure.ac
@@ -2499,9 +2499,28 @@ AS_VAR_IF([with_strict_overflow], [yes],
 
 # Enable flags that warn and protect for potential security vulnerabilities.
 # These flags should be enabled by default for all builds.
-AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
-AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
-AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
+
+AC_MSG_CHECKING([for --disable-safety])
+AC_ARG_ENABLE([safety],
+  [AS_HELP_STRING([--disable-safety], [disable usage of the security compiler options with no performance overhead])],
+  [AS_VAR_IF([enable_safety], [yes], [disable_safety=no], [disable_saftey=yes])], [disable_saftey=no])
+AC_MSG_RESULT([$disable_safety])
+
+if test "$disable_safety" = "no"
+then
+  AX_CHECK_COMPILE_FLAG([-fstack-protector-strong], [BASECFLAGS="$BASECFLAGS -fstack-protector-strong"], [AC_MSG_WARN([-fstack-protector-strong not supported])], [-Werror])
+  AX_CHECK_COMPILE_FLAG([-Wtrampolines], [BASECFLAGS="$BASECFLAGS -Wtrampolines"], [AC_MSG_WARN([-Wtrampolines not supported])], [-Werror])
+fi
+
+AC_MSG_CHECKING([for --enable-slower-safety])
+AC_ARG_ENABLE([slower-safety],
+  [AS_HELP_STRING([--enable-slower-safety], [enable usage of the security compiler options with performance overhead])],[])
+AC_MSG_RESULT([$enable_slower_safety])
+
+if test "$enable_slower_safety" = "yes"
+then
+  AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=3], [BASECFLAGS="$BASECFLAGS -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3"], [AC_MSG_WARN([-D_FORTIFY_SOURCE=3 not supported])])
+fi
 
 case $GCC in
 yes)

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+Introduce ./configure --disable-safety and --enable-slower-safety options.`
	`2`	`+Patch by Donghee Na.`