build: fix "warning: "_FORTIFY_SOURCE" redefined" (#6283)

The warning is being produced on Arch since pacman 6.1, which changed
`-D_FORTIFY_SOURCE=2` to `-D_FORTIFY_SOURCE=3` in CFLAGS in
makepkg.conf:

    $ pacman -Q gcc pacman
    gcc 13.2.1-5
    pacman 6.1.0-3
    $ makepkg
    [...]
    make -C src/lib
    gcc [...] -D_FORTIFY_SOURCE=2 [...] -Wp,-D_FORTIFY_SOURCE=3 [...] -c ../../src/lib/common.c -o ../../src/lib/common.o
    <command-line>: warning: "_FORTIFY_SOURCE" redefined
    <command-line>: note: this is the location of the previous definition

To fix this, only add `-D_FORTIFY_SOURCE` to EXTRA_CFLAGS if it does not
cause any warnings with CFLAGS and CPPFLAGS during compilation.

The effect remains the same: The build system still defines the macro by
default (if there are no warnings) and the user/distribution can still
override it through CFLAGS/CPPFLAGS.

Fixes #6282.

Reported-by: @glitsj16

config.mk.in

@@ -91,7 +91,7 @@ COMMON_CFLAGS = \
 	-ggdb -O2 -DVERSION='"$(VERSION)"' \
 	-Wall -Wextra $(HAVE_FATAL_WARNINGS) \
 	-Wformat -Wformat-security \
-	-fstack-protector-all -D_FORTIFY_SOURCE=2 \
+	-fstack-protector-all \
 	-DPREFIX='"$(prefix)"' -DSYSCONFDIR='"$(sysconfdir)/firejail"' \
 	-DLIBDIR='"$(libdir)"' -DBINDIR='"$(bindir)"' \
 	-DVARDIR='"/var/lib/firejail"'

configure

@@ -3506,6 +3506,49 @@ else $as_nop
 fi
 
 
+as_CACHEVAR=`printf "%s\n" "ax_cv_check_cflags_$CFLAGS $CPPFLAGS -Werror_-D_FORTIFY_SOURCE=2" | $as_tr_sh`
+{ printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -D_FORTIFY_SOURCE=2" >&5
+printf %s "checking whether C compiler accepts -D_FORTIFY_SOURCE=2... " >&6; }
+if eval test \${$as_CACHEVAR+y}
+then :
+  printf %s "(cached) " >&6
+else $as_nop
+
+  ax_check_save_flags=$CFLAGS
+  CFLAGS="$CFLAGS $CFLAGS $CPPFLAGS -Werror -D_FORTIFY_SOURCE=2"
+  cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+/* end confdefs.h.  */
+
+int
+main (void)
+{
+
+  ;
+  return 0;
+}
+_ACEOF
+if ac_fn_c_try_compile "$LINENO"
+then :
+  eval "$as_CACHEVAR=yes"
+else $as_nop
+  eval "$as_CACHEVAR=no"
+fi
+rm -f core conftest.err conftest.$ac_objext conftest.beam conftest.$ac_ext
+  CFLAGS=$ax_check_save_flags
+fi
+eval ac_res=\$$as_CACHEVAR
+	       { printf "%s\n" "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5
+printf "%s\n" "$ac_res" >&6; }
+if eval test \"x\$"$as_CACHEVAR"\" = x"yes"
+then :
+
+	EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
+
+else $as_nop
+  :
+fi
+
+
 HAVE_SPECTRE="no"
 { printf "%s\n" "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mindirect-branch=thunk" >&5
 printf %s "checking whether C compiler accepts -mindirect-branch=thunk... " >&6; }

configure.ac

@@ -30,6 +30,10 @@ AX_CHECK_COMPILE_FLAG([-MMD -MP], [
 	DEPS_CFLAGS="$DEPS_CFLAGS -MMD -MP"
 ])
 
+AX_CHECK_COMPILE_FLAG([-D_FORTIFY_SOURCE=2], [
+	EXTRA_CFLAGS="$EXTRA_CFLAGS -D_FORTIFY_SOURCE=2"
+], [], [$CFLAGS $CPPFLAGS -Werror])
+
 HAVE_SPECTRE="no"
 AX_CHECK_COMPILE_FLAG([-mindirect-branch=thunk], [
 	HAVE_SPECTRE="yes"