Re: F31 System-Wide Change proposal: Enable Compiler Security hardening flags by default in G

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On 13/03/2019 11:11, Florian Weimer wrote:
* Tom Hughes:

On 13/03/2019 03:27, Huzaifa Sidhpurwala wrote:

On 3/12/19 5:40 PM, Vít Ondruch wrote:
Will it help to mitigate issues such as:

https://bugzilla.redhat.com/show_bug.cgi?id=1284684

This is related to the following change which was made in Fedora 23:
https://fedoraproject.org/wiki/Changes/Harden_All_Packages.

My proposal does not touch PIE or RELRO at all, but is related to
compiling code with protections which mitigate, format string attacks
and stack-based buffer overflows. It is pretty common to enable these
flags while compiling, its just strange that we dont enable these by
default.

We do, just not by changing the compiler defaults.

Instead they are in %{optflags} which all packages are expected
to use for their compiler flags:

https://docs.fedoraproject.org/en-US/packaging-guidelines/#_compiler_flags

Here's what %optflags looks like for F29:

-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection

I think Huzaifa knows that. 8-)

Well that hasn't been at all clear in this thread as he keeps
talking like we're not building packages with these options at
the moment.

Tom

--
Tom Hughes (tom@xxxxxxxxxx)
http://compton.nu/
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux