[arch-projects] [PATCH][devtools] Include more hardening in standard build flags

Allan McRae allan at archlinux.org
Sat Oct 29 09:04:50 UTC 2016 

Adds -fstack-check to C{,XX}FLAGS and -z,now to LDFLAGS.  Disabling lazy
loading also allows us to add the -fno-plt optimisation.

Signed-off-by: Allan McRae <allan at archlinux.org>
---
 makepkg-i686.conf   | 6 +++---
 makepkg-x86_64.conf | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/makepkg-i686.conf b/makepkg-i686.conf
index c565795..16d0bfb 100644
--- a/makepkg-i686.conf
+++ b/makepkg-i686.conf
@@ -37,9 +37,9 @@ CHOST="i686-pc-linux-gnu"
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong"
-CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+CFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -fno-plt"
+CXXFLAGS="-march=i686 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -fno-plt"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 #-- Debugging flags
diff --git a/makepkg-x86_64.conf b/makepkg-x86_64.conf
index 058da9b..127e088 100644
--- a/makepkg-x86_64.conf
+++ b/makepkg-x86_64.conf
@@ -37,9 +37,9 @@ CHOST="x86_64-pc-linux-gnu"
 # -march (or -mcpu) builds exclusively for an architecture
 # -mtune optimizes for an architecture, but builds for whole processor family
 CPPFLAGS="-D_FORTIFY_SOURCE=2"
-CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong"
-CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong"
-LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro"
+CFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -fno-plt "
+CXXFLAGS="-march=x86-64 -mtune=generic -O2 -pipe -fstack-protector-strong -fstack-check -fno-plt"
+LDFLAGS="-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now"
 #-- Make Flags: change this for DistCC/SMP systems
 #MAKEFLAGS="-j2"
 #-- Debugging flags
-- 
2.10.1

More information about the arch-projects mailing list