[arch-dev-public] Adding hardening compiler/linker flags

Allan McRae allan at archlinux.org
Wed May 4 11:29:17 EDT 2011


There have been requests for some hardening of our default 
CFLAGS/LDFLAGS (e.g. FS#18864).  I believe this was discussed on this 
list previously and there were no real objections.  So actually doing 
this has been on the table for some time but has been delayed by a 
combination of lack of time on my behalf and inconvenient timing with 
toolchain updates.  I think now would be a good time to look at doing this.

The plan is to add "-fstack-protector-all -D_FORTIFY_SOURCE=2 
--param=ssp-buffer-size=4" to our C{XX}FLAGS and "-Wl,-z,relro" to our 
LDFLAGS.  We could also add "-Wl,-O1" and maybe "-Wl,--sort-common" to 
our LDFLAGS at the same time for some optimisation.

I am taking the approach of adding C/CXX/LDFLAGS rather than the 
patching the default compiler options approach most other distros use as 
it is more consistent with our patching policy and will reduce my 
maintenance burden. It also make it easier to disable an option if 
necessary by just changing their values.  The disadvantage being that we 
have to make sure software listens to our CFLAGS values...

What I do not intend to add:

-Wl,-z,now  - has a performance hit (mainly for large programs?).
-fPIE -pie  - large performance hit (5-10%) on i686, almost none on x86_64

These should be enabled for individual programs as the maintainer sees 
fit.  PIE stuff is also more difficult and would probably require 
patching of the gcc specs file to start dealing with properly and would 
still lead to a bunch of issues.  So that is something that I may look 
at in the distant future for x86_64 only.


So the plan is....

1) Finalise the CFLAGS/LDFLAGS
2) I get the toolchain built and working with these
3) I upload a pacman package with the changed makepkg.conf
4) Consider a [core] rebuild ???


Starting with #1.  Are there any comments on the proposed CFLAGS/LDFLAGS 
or any further additions that people think might be of use at the same time.

Allan


More information about the arch-dev-public mailing list