08-14-2011, 11:42 AM
Allan McRae

New CFLAGS/LDFLAGS plus complete toolchain rebuild

This has been discussed a couple of times previously on the mailing
lists and there were no objections so I have finally gotten around to
adding some hardening options to our CFLAGS/LDFLAGS. With
pacman-3.5.4-4 the defaults in makepkg.conf become:


CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector
--param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"

LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"

As discussed previously, the addition of -Wl,-O1,--sort-common to
LDFLAGS is not hardening... but these are safe options and they do
appear to more than counter the slight overhead that stack smashing
protection adds.


These are all fairly standard flags being used to build the major
distros these days (other distros patch their toolchain to make these
the default), so there should be few issues. Probably the only thing
to watch out for is to disable them when building bootloaders.



The toolchain and all its (real) dependencies have been rebuilt with
these flags and the necessary adjustments made to the packages. See
notes below:


All toolchain dependencies (just rebuilds):
cloog-0.16.2-2
gmp-5.0.2-3
isl-0.06-2
libmpc-0.9-2
mpfr-3.0.1.p4-2
ppl-0.11.2-2
zlib-1.2.5-4

Toolchain components:
linux-api-headers-3.0.1-1 (upstream update)
binutils-2.21.1-2
gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags)
glibc-2.14-5 (do not build libraries with hardening flags)


I intend to leave this in [testing] for a couple of weeks to make sure
there are no issues. I have been running this locally for about a week
and am fairly sure I have the kinks worked out now... I will call for
the sign-off later.


Allan
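
An added example, not part of the original post or of pacman/makepkg: one way to check whether a built binary carries the hardening the new flags request, by looking for the PT_GNU_RELRO program header (`-z,relro`) and for the `__stack_chk_fail` and `__*_chk` symbol names (`-fstack-protector`, `-D_FORTIFY_SOURCE=2`). The function names and the sample ELF image are constructed for illustration; the symbol checks are a heuristic byte search.

```python
import re
import struct

PT_GNU_RELRO = 0x6474E552                            # emitted by ld -z relro
FORTIFY_SYM = re.compile(rb"__[a-z0-9_]+_chk\x00")   # e.g. __memcpy_chk

def program_header_types(elf: bytes) -> list:
    """Return the p_type of every program header in an ELF image."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if elf[5] == 1 else ">"                # EI_DATA: 1 = little-endian
    if elf[4] == 2:                                  # EI_CLASS: 2 = ELF64
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:                                            # ELF32 (i686 packages)
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    return [struct.unpack_from(end + "I", elf, phoff + i * phentsize)[0]
            for i in range(phnum)]

def audit(elf: bytes) -> dict:
    """Heuristic: a symbol is only referenced if the compiler instrumented
    something, so False can also mean the code had nothing to protect
    (or, as with glibc and libssp above, was built without the flags)."""
    return {
        "relro": PT_GNU_RELRO in program_header_types(elf),
        "stack_protector": b"__stack_chk_fail" in elf,
        "fortify": FORTIFY_SYM.search(elf) is not None,
    }

def make_sample_elf32(relro: bool, strings: bytes) -> bytes:
    """Constructed minimal i686 ELF image (headers + string bytes only)."""
    ptypes = [1] + ([PT_GNU_RELRO] if relro else [])  # PT_LOAD, optional RELRO
    ehdr = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)   # ELF32, LSB, version 1
    ehdr += struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32,
                        len(ptypes), 0, 0, 0)         # e_phoff=52, phentsize=32
    phdrs = b"".join(struct.pack("<8I", t, 0, 0, 0, 0, 0, 0, 0) for t in ptypes)
    return ehdr + phdrs + strings

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:                         # e.g. files from a built package
        with open(path, "rb") as f:
            print(path, audit(f.read()))
```
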
 
08-14-2011, 12:20 PM
Pierre Schmitz

New CFLAGS/LDFLAGS plus complete toolchain rebuild

On Sun, 14 Aug 2011 21:42:37 +1000, Allan McRae wrote:
> This has been discussed a couple of times previously on the mailing
> lists and there were no objections so I have finally gotten around to
> adding some hardening options to our CFLAGS/LDFLAGS. With
> pacman-3.5.4-4 the defaults in makepkg.conf become:
>
> CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector
> --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
> LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"

Note: you need at least devtools 0.9.25 in order to build with these
flags using the wrapper tools.

--
Pierre Schmitz, https://users.archlinux.de/~pierre
All times are GMT.