Date: Mon, 7 Nov 2011 00:29:04 +0400
From: Solar Designer <solar@...nwall.com>
To: owl-dev@...ts.openwall.com
Subject: Re: %optflags for new gcc

On Sat, Nov 05, 2011 at 08:13:58PM +0400, Dmitry V. Levin wrote:
> In Sisyphus, I changed gcc LINK_COMMAND_SPEC to pass -z relro to the
> linker by default.  That was more than 3 years ago.

Don't you think this would be better done in binutils, such as to take
care of packages that invoke ld directly?

> In Sisyphus, I changed gcc spec to use -D_FORTIFY_SOURCE=2 and
> -fstack-protector by default.  That was more than 5 years ago.
> There were some workarounds made in several packages, but
> I don't remember any details.

Wow.  I did not realize you had made those changes in Sisyphus.

I guess -D_FORTIFY_SOURCE=2 and -fstack-protector would cause issues
when building kernel modules.  Did ALT Linux receive (m)any problem
reports from users trying to build additional kernel modules, such as
hardware vendors'?  How do you recommend we deal with this?

I just took a look at http://sisyphus.ru/en/srpm/Sisyphus/gcc4.5/patches
The patches to consider in this context appear to be:

gcc44-alt-escalate-always-overflow.patch
gcc45-alt-defaults-relro.patch
gcc45-alt-defaults-stack-protector.patch
gcc43-alt-spp-buffer-size.patch
gcc43-alt-defaults-FORTIFY_SOURCE.patch
gcc45-deb-alt-defaults-format-security.patch
gcc45-deb-alt-testsuite-printf.patch
gcc45-deb-alt-testsuite-format.patch

Thanks,

Alexander
