commit e13b7c74634c511d44603a203a328f4d67920321
Author: Christine Caulfield
Date: Mon May 10 13:00:58 2021 +0100
[build] Add -fstack-clash-protection to release builds CentOS Stream CI insists on this but it's generally a 'good thing'
diff --git a/configure.ac b/configure.ac
index e429dcc..020cbe1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -173,6 +173,23 @@ AC_ARG_ENABLE([libnozzle],
 AM_CONDITIONAL([BUILD_LIBNOZZLE], [test x$enable_libnozzle = xyes])
+## local helper functions
+# this function checks if CC support options passed as
+# args. Global CPPFLAGS are ignored during this test.
+cc_supports_flag() {
+ saveCPPFLAGS="$CPPFLAGS"
+ CPPFLAGS="$@"
+ if echo $CC | grep -q clang; then
+ CPPFLAGS="-Werror $CPPFLAGS"
+ fi
+ AC_MSG_CHECKING([whether $CC supports "$@"])
+ AC_COMPILE_IFELSE([AC_LANG_PROGRAM([])],
+ [RC=0; AC_MSG_RESULT([yes])],
+ [RC=1; AC_MSG_RESULT([no])])
+ CPPFLAGS="$saveCPPFLAGS"
+ return $RC
+}
+
 # Checks for libraries.
 AX_PTHREAD(,[AC_MSG_ERROR([POSIX threads support is required])])
 saved_LIBS="$LIBS"
@@ -297,12 +314,20 @@ AC_ARG_WITH([testdir],
 AC_SUBST([TESTDIR])
+# Check for availablility of hardening options
+HARDENING_FLAGS="-fstack-clash-protection"
+for j in $HARDENING_FLAGS; do
+ if cc_supports_flag $j; then
+ EXTRA_HARDENING_FLAGS="$EXTRA_HARDENING_FLAGS $j";
+ fi
+done
+
 # debug build stuff
 if test "x${enable_debug}" = xyes; then
 AC_DEFINE_UNQUOTED([DEBUG], [1], [Compiling Debugging code])
 OPT_CFLAGS="-O0"
 else
- OPT_CFLAGS="-O3"
+ OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"
 fi
 # gdb flags
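Review bot: In `cc_supports_flag` (first hunk), `-Werror` is added to the probe only when the text of `$CC` contains "clang", so a compiler that merely warns about an option it cannot honour still gets a "yes". That covers clang invoked as `cc` and, presumably, gcc on targets where a hardening option is accepted with a warning; the flag then lands in the build without providing the protection the configure output suggests. Consider probing strictly for every compiler, `CPPFLAGS="-Werror $@"`, or detecting clang from the output of `$CC --version` rather than from the command name. The header comment should also state that the options are tested through CPPFLAGS while the caller's CFLAGS stay in effect, and that the result is the function's exit status, with `RC` left set as a global.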
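Review bot: In the second hunk, `EXTRA_HARDENING_FLAGS` is appended to inside the loop without being cleared first, so a value inherited from the environment that runs configure reaches `OPT_CFLAGS` without being probed; add `EXTRA_HARDENING_FLAGS=""` before the `for`. The flag is attached only in the `else` branch, which matches the commit title, but a debug build (`enable_debug=yes`) therefore never compiles with stack-clash protection, and tests run in that mode will not catch breakage specific to the hardened build. A one-line comment at `OPT_CFLAGS="-O3 $EXTRA_HARDENING_FLAGS"` stating that hardening is deliberately limited to release builds would make that choice visible. The new comment also misspells "availability".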