1 |
On Thu, 05 Sep 2013 12:13:28 +0200 |
2 |
Agostino Sarubbo <ago@g.o> wrote: |
3 |
|
4 |
> Hello, |
5 |
> |
6 |
> during an irc debate, me and other people just noticed that the default |
7 |
> profile could use more flags to enhance the security. |
8 |
> |
9 |
> An hint is here: |
10 |
> https://wiki.ubuntu.com/ToolChain/CompilerFlags |
11 |
> |
12 |
> Please argue about what we _don't_ use. |
13 |
> |
14 |
> Note: please CC me in your response. |
15 |
|
16 |
* -fstack-protector{-all} |
17 |
No thank you. -fstack-protector has very limited coverage (which is why |
18 |
Ubuntu felt they needed to mess with the min size) and -fstack-protector-all |
19 |
has enough overhead that every distro that experimented with it dropped it in |
20 |
the end. If security is important enough to you that you are willing to take |
21 |
the hit then you should be using hardened where it's the default. |
22 |
|
23 |
There is a new option, -fstack-protector-strong, that's intended to be a |
24 |
balance between the two extremes and something that distros can enable by |
25 |
default. It was just added to mainline so it should be in GCC 4.9. So let's |
26 |
revisit this a couple years down the line. |
27 |
|
28 |
* -D_FORTIFY_SOURCE=2 |
29 |
Enabled by default since gcc-4.5.0 (patch) |
30 |
|
31 |
* -Wformat -Wformat-security |
32 |
Enabled by default since gcc 4.3.3 (patch) |
33 |
|
34 |
* -Wl,-z,relro |
35 |
Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL |
36 |
releases). (patch) |
37 |
|
38 |
* -Wl,--hash-style={both,gnu} |
39 |
Enabled by default since binutils 2.18 except on mips where it is unsupported. |
40 |
(patch sets it to "both", developer profiles set it to "gnu" for ignored LDFLAGs |
41 |
detection) |
42 |
|
43 |
* -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed |
44 |
Enabled by default since binutils 2.22. (upstream default) |
45 |
|
46 |
* -Wl,--as-needed |
47 |
Enabled by default since July 2010 (in profiles). I think this is the upstream |
48 |
default now as well. |
49 |
|
50 |
In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs. |
51 |
|
52 |
|
53 |
|
54 |
-- |
55 |
Ryan Hill psn: dirtyepic_sk |
56 |
gcc-porting/toolchain/wxwidgets @ gentoo.org |
57 |
|
58 |
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463 |