[arch-dev-public] New CFLAGS/LDFLAGS plus complete toolchain rebuild
Allan McRae
allan at archlinux.org
Sun Aug 14 07:42:37 EDT 2011
This has been discussed a couple of times previously on the mailing
lists and there were no objections so I have finally gotten around to
adding some hardening options to our CFLAGS/LDFLAGS. With
pacman-3.5.4-4 the defaults in makepkg.conf become:

CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,--hash-style=gnu"

As discussed previously, the addition of -Wl,-O1,--sort-common to
LDFLAGS is not hardening... but these are safe options and they do
appear to more than counter the slight overhead that stack smashing
protection adds.

These are all fairly standard flags being used to build the major
distros these days (other distros patch their toolchain to make these
the default), so there should be few issues. Probably the only thing
to watch out for is to disable them when building bootloaders.
The toolchain and all its (real) dependencies have been rebuilt with
these flags and the necessary adjustments made to the packages. See
notes below:

All toolchain dependencies (just rebuilds):
cloog-0.16.2-2
gmp-5.0.2-3
isl-0.06-2
libmpc-0.9-2
mpfr-3.0.1.p4-2
ppl-0.11.2-2
zlib-1.2.5-4

Toolchain components:
linux-api-headers-3.0.1-1 (upstream update)
binutils-2.21.1-2
gcc{,-libs}-4.6.1-3 (do not build libssp with hardening flags)
glibc-2.14-5 (do not build libraries with hardening flags)

I intend to leave this in [testing] for a couple of weeks to make sure
there are no issues. I have been running this locally for about a week
and am fairly sure I have the kinks worked out now... I will call for
the sign-off later.
Allan