| 1 |
On Thu, 05 Sep 2013 12:13:28 +0200 |
| 2 |
Agostino Sarubbo <ago@g.o> wrote: |
| 3 |
|
| 4 |
> Hello, |
| 5 |
> |
| 6 |
> during an irc debate, me and other people just noticed that the default |
| 7 |
> profile could use more flags to enhance the security. |
| 8 |
> |
| 9 |
> An hint is here: |
| 10 |
> https://wiki.ubuntu.com/ToolChain/CompilerFlags |
| 11 |
> |
| 12 |
> Please argue about what we _don't_ use. |
| 13 |
> |
| 14 |
> Note: please CC me in your response. |
| 15 |
|
| 16 |
* -fstack-protector{-all} |
| 17 |
No thank you. -fstack-protector has very limited coverage (which is why |
| 18 |
Ubuntu felt they needed to mess with the min size) and -fstack-protector-all |
| 19 |
has enough overhead that every distro that experimented with it dropped it in |
| 20 |
the end. If security is important enough to you that you are willing to take |
| 21 |
the hit then you should be using hardened where it's the default. |
| 22 |
|
| 23 |
There is a new option, -fstack-protector-strong, that's intended to be a |
| 24 |
balance between the two extremes and something that distros can enable by |
| 25 |
default. It was just added to mainline so it should be in GCC 4.9. So let's |
| 26 |
revisit this a couple years down the line. |
| 27 |
|
| 28 |
* -D_FORTIFY_SOURCE=2 |
| 29 |
Enabled by default since gcc-4.5.0 (patch) |
| 30 |
|
| 31 |
* -Wformat -Wformat-security |
| 32 |
Enabled by default since gcc 4.3.3 (patch) |
| 33 |
|
| 34 |
* -Wl,-z,relro |
| 35 |
Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL |
| 36 |
releases). (patch) |
| 37 |
|
| 38 |
* -Wl,--hash-style={both,gnu} |
| 39 |
Enabled by default since binutils 2.18 except on mips where it is unsupported. |
| 40 |
(patch sets it to "both", developer profiles set it to "gnu" for ignored LDFLAGs |
| 41 |
detection) |
| 42 |
|
| 43 |
* -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed |
| 44 |
Enabled by default since binutils 2.22. (upstream default) |
| 45 |
|
| 46 |
* -Wl,--as-needed |
| 47 |
Enabled by default since July 2010 (in profiles). I think this is the upstream |
| 48 |
default now as well. |
| 49 |
|
| 50 |
In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs. |
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
-- |
| 55 |
Ryan Hill psn: dirtyepic_sk |
| 56 |
gcc-porting/toolchain/wxwidgets @ gentoo.org |
| 57 |
|
| 58 |
47C3 6D62 4864 0E49 8E9E 7F92 ED38 BD49 957A 8463 |
Archives