Jeffrey Walton <noloader@xxxxxxxxx> writes:

> $ ./configure CFLAGS="-Wall -Wextra -Wconversion -fPIE
> -Wno-unused-parameter -Wformat=2 -Wformat-security
> -fstack-protector-all -Wstrict-overflow -Wl,-pie -Wl,-z,noexecstack
> -Wl,-z,relro -Wl,-z,now"

The thing that jumps out at me as different between what Debian uses for
its normal hardening flags and what you're using is the -Wl,-pie flag in
CFLAGS. Debian just uses -fPIE in CFLAGS and then adds -fPIE -pie to
LDFLAGS. I'm not sure if that would make a difference.

You in general want to avoid ever using -Wl if you can help it, since
you're hiding the flag from the compiler by using that. If the compiler
needed to know that you were linking that way so that it could do other
magic itself, you break that support by using -Wl.

Here's what Debian is using:

    CFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
    CPPFLAGS=-D_FORTIFY_SOURCE=2
    CXXFLAGS=-g -O2 -fPIE -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security
    FFLAGS=-g -O2
    LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now

Also, you should generally not add -Wall -Wextra to the configure flags,
and instead add it after configure completes, since many of the tricks
configure has to use will result in warnings when you turn on all the
compiler warnings, which can confuse configure.

-- 
Russ Allbery (rra@xxxxxxxxxxxx)             <http://www.eyrie.org/~eagle/>

_______________________________________________
Autoconf mailing list
Autoconf@xxxxxxx
https://lists.gnu.org/mailman/listinfo/autoconf
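
Added example, not part of the original message and not Debian's own tooling: a POSIX shell function that re-sorts the flags from the quoted ./configure line the way the reply recommends, turning -Wl,-pie into -fPIE -pie in LDFLAGS and holding warning flags back until configure has finished. The name split_flags, its output format, and the choice to defer every -W warning flag rather than only -Wall -Wextra are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original thread). split_flags and its output
# format are hypothetical names chosen for this illustration.

# split_flags "FLAGS": print CFLAGS=, LDFLAGS= and WARN= lines for a mixed
# flag string such as the one passed to ./configure in the quoted message.
split_flags() {
    cflags='' ldflags='' warn='' pie=0
    for f in $1; do
        case $f in
            -pie|-Wl,-pie)
                # Give the driver -pie itself instead of hiding it in -Wl.
                pie=1 ;;
            -Wl,*)
                # Remaining linker options stay as -Wl, but in LDFLAGS,
                # as in the Debian list quoted in the reply.
                ldflags="$ldflags $f" ;;
            -Wa,*|-Wp,*)
                # Assembler/preprocessor pass-through, not a warning flag.
                cflags="$cflags $f" ;;
            -W*)
                # Assumption: defer every warning flag, not only -Wall -Wextra.
                warn="$warn $f" ;;
            *)
                cflags="$cflags $f" ;;
        esac
    done
    # Debian's LDFLAGS repeat -fPIE next to -pie, so do the same.
    if [ "$pie" -eq 1 ]; then
        ldflags=" -fPIE -pie$ldflags"
    fi
    printf 'CFLAGS=%s\nLDFLAGS=%s\nWARN=%s\n' \
        "${cflags# }" "${ldflags# }" "${warn# }"
}

# The flags from the quoted ./configure invocation.
walton_flags="-Wall -Wextra -Wconversion -fPIE -Wno-unused-parameter \
-Wformat=2 -Wformat-security -fstack-protector-all -Wstrict-overflow \
-Wl,-pie -Wl,-z,noexecstack -Wl,-z,relro -Wl,-z,now"

split_flags "$walton_flags"
# Pass the CFLAGS and LDFLAGS values to ./configure, then add WARN afterwards,
# for example by overriding CFLAGS on the make command line.
```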