[arch-dev-public] Adding hardening compiler/linker flags

Stéphane Gaudreault stephane at archlinux.org
Thu May 5 14:56:10 EDT 2011

Le 4 mai 2011 11:29:17, Allan McRae a écrit :
> There have been requests for some hardening of our default
> CFLAGS/LDFLAGS (e.g. FS#18864).  I believe this was discussed on this
> list previously and there were no real objections.  So actually doing
> this has been on the table for some time but has been delayed by a
> combination of lack of time on my behalf and inconvenient timing with
> toolchain updates.  I think now would be a good time to look at doing this.
> The plan is to add "-fstack-protector-all -D_FORTIFY_SOURCE=2
> --param=ssp-buffer-size=4" to our C{XX}FLAGS and "-Wl,-z,relro" to our
> LDFLAGS.  We could also add "-Wl,-O1" and maybe "-Wl,--sort-common" to
> our LDFLAGS at the same time for some optimisation.
> I am taking the approach of adding C/CXX/LDFLAGS rather than the
> patching the default compiler options approach most other distros use as
> it is more consistent with our patching policy and will reduce my
> maintenance burden. It also make it easier to disable an option if
> necessary by just changing their values.  The disadvantage being that we
> have to make sure software listens to our CFLAGS values...
> What I do not intend to add:
> -Wl,-z,now  - has a performance hit (mainly for large programs?).
> -fPIE -pie  - large performance hit (5-10%) on i686, almost none on x86_64
> These should be enabled for individual programs as the maintainer sees
> fit.  PIE stuff is also more difficult and would probably require
> patching of the gcc specs file to start dealing with properly and would
> still lead to a bunch of issues.  So that is something that I may look
> at in the distant future for x86_64 only.
> So the plan is....
> 1) Finalise the CFLAGS/LDFLAGS
> 2) I get the toolchain built and working with these
> 3) I upload a pacman package with the changed makepkg.conf
> 4) Consider a [core] rebuild ???
> Starting with #1.  Are there any comments on the proposed CFLAGS/LDFLAGS
> or any further additions that people think might be of use at the same
> time.
> Allan

Debian has a nice "hardening-check" script [1] to verify that an ELF binary 
have hardening features enabled. Maybe we could include something similar in 
our devtools ?


[1] http://packages.debian.org/sid/hardening-includes

More information about the arch-dev-public mailing list