= System Wide Change: Hardening Flags Updates for Fedora 28 = https://fedoraproject.org/wiki/Changes/HardeningFlags28 Change owner(s): * Florian Weimer <fweimer AT redhat DOT com> This system-wide change covers changes to the hardening flags in Fedora 28. == Detailed Description == * Compile all binaries with stack clash protection (-fstack-clash-protection). As a result, all stack overflows (i.e., situations where the allocated stack is completely exhausted) will reliably result in crashes. * Enable C++ standard library hardening with -D_GLIBCXX_ASSERTIONS. This turns on cheap range checks for C++ arrays, vectors, and strings. * Enable control flow protection on x86-64 using -fcf-protection=full -mcet. * Enable .got.plt isolation in binutils, to support a read-only GOT with lazy binding on systems which provide support for memory protection keys. == Scope == * Proposal owners: Propose changes to redhat-rpm-config to implement the new flags. redhat-rpm-config: Enable -fstack-clash-protection * Other developers: The redhat-rpm-config changes need to be merged. For packages which bypass the RPM compiler flags injection mechanism, developers need to manually implement the new flags. * Release engineering: #7220: https://pagure.io/releng/issue/7220 * List of deliverables: Not affected * Policies and guidelines: N/A (not needed for this Change; covered by the existing Packaging Guidelines) * Trademark approval: N/A (not needed for this Change) -- Jan Kuřík Platform & Fedora Program Manager Red Hat Czech s.r.o., Purkynova 99/71, 612 45 Brno, Czech Republic _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
