Merge pull request #19521 from Homebrew/pac-bti

Use PAC+BTI where possible on arm64 Linux

Library/Homebrew/extend/ENV/super.rb

@@ -120,6 +120,7 @@ module Superenv
     # o - Pass `-oso_prefix` to `ld` whenever it is invoked
     # c - Pass `-ld_classic` to `ld` whenever it is invoked
     #     with `-dead_strip_dylibs`
+    # b - Pass `-mbranch-protection=standard` to the compiler
     #
     # These flags will also be present:
     # a - apply fix for apr-1-config path

Library/Homebrew/extend/os/linux/extend/ENV/super.rb

@@ -31,6 +31,11 @@ module Superenv
     self["HOMEBREW_RPATH_PATHS"] = determine_rpath_paths(@formula)
     m4_path_deps = ["libtool", "bison"]
     self["M4"] = "#{HOMEBREW_PREFIX}/opt/m4/bin/m4" if deps.any? { m4_path_deps.include?(_1.name) }
+
+    # Pointer authentication and BTI are hardening techniques most distros
+    # use by default on their packages. arm64 Linux we're packaging
+    # everything from scratch so the entire dependency tree can have it.
+    append_to_cccfg "b" if Hardware::CPU.arch == :arm64 && DevelopmentTools.gcc_version("gcc") >= 9
   end
 
   def homebrew_extra_paths

Library/Homebrew/shims/super/cc

@@ -331,6 +331,7 @@ class Cmd
     # Ideally this would be -ffile-prefix-map, but that requires a minimum of GCC 8, LLVM Clang 10 or Apple Clang 12
     # and detecting the version dynamically based on what `HOMEBREW_CC` may have been rewritten to point to is awkward
     args << "-fdebug-prefix-map=#{formula_buildpath}=." if formula_buildpath && !debug_symbols?
+    args << "-mbranch-protection=standard" if branch_protection?
     args
   end
 
@@ -444,6 +445,10 @@ class Cmd
     config.include?("D")
   end
 
+  def branch_protection?
+    config.include?("b")
+  end
+
   def linker_flags
     @args.select { |arg| arg.start_with?("-Wl,") }
          .flat_map { |arg| arg.delete_prefix("-Wl,").split(",") }