Add opt-in security flags (#611)

Author: hanefi

src/bin/pg_autoctl/Makefile

@@ -45,6 +45,12 @@ DEFAULT_CFLAGS += -Wno-declaration-after-statement
 DEFAULT_CFLAGS += -Wno-missing-braces
 DEFAULT_CFLAGS += $(COMMON_LIBS)
 
+ifdef USE_SECURITY_FLAGS
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS=-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpie -Wl,-pie -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security
+DEFAULT_CFLAGS += $(SECURITY_CFLAGS)
+endif
+
 override CFLAGS := $(DEFAULT_CFLAGS) $(CFLAGS)
 
 LIBS  = -L $(shell $(PG_CONFIG) --pkglibdir)

src/monitor/Makefile

@@ -33,10 +33,23 @@ DEFAULT_CFLAGS += -Wno-declaration-after-statement
 
 # Needed for OSX
 DEFAULT_CFLAGS += -Wno-missing-braces
+
+ifdef USE_SECURITY_FLAGS
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_CFLAGS=-fstack-protector-strong -D_FORTIFY_SOURCE=2 -O2 -z noexecstack -fpic -shared -Wl,-z,relro -Wl,-z,now -Wformat -Wformat-security -Werror=format-security
+DEFAULT_CFLAGS += $(SECURITY_CFLAGS)
+endif
+
 override CFLAGS := $(DEFAULT_CFLAGS) $(CFLAGS)
 
 include $(PGXS)
 
+ifdef USE_SECURITY_FLAGS
+# Flags taken from: https://liquid.microsoft.com/Web/Object/Read/ms.security/Requirements/Microsoft.Security.SystemsADM.10203#guide
+SECURITY_BITCODE_CFLAGS=-fsanitize=safe-stack -fstack-protector-strong -flto -fPIC -Wformat -Wformat-security -Werror=format-security
+override BITCODE_CFLAGS := $(BITCODE_CFLAGS) $(SECURITY_BITCODE_CFLAGS)
+endif
+
 cleanup-before-install:
 	rm -f $(DESTDIR)$(datadir)/$(datamoduledir)/pgautofailover*