public inbox for gentoo-user@lists.gentoo.org
From: Michael Orlitzky <mjo@gentoo.org>
To: gentoo-user@lists.gentoo.org
Subject: Re: [gentoo-user] Re: Anyone running a hardened profile?
Date: Mon, 7 Sep 2015 21:38:25 -0400
Message-ID: <55EE3C11.9020104@gentoo.org>
In-Reply-To: <20150907181506.6565ff2a@a6>

On 09/07/2015 09:15 PM, walt wrote:
> 
> Full SSP is something I want and I'll gladly suffer the speed penalty
> to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> make.conf? 
> 

Basically, but to save yourself some headaches, you should switch to a
hardened profile instead. Otherwise you'll get build failures of things
like glibc. The profile takes care of that for you, but otherwise
enables full SSP.

The binary distros are all moving towards -fstack-protector-strong now
so support for this stuff is getting better upstream.


> Hmm.  Quoting from the gcc man page:
> 
>   -fstack-protector-strong
>     Like -fstack-protector but includes additional functions to
>     be protected --- those that have local array definitions, or
>     have references to local frame addresses.
> 
>      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
>       enabled by default for C, C++, ObjC, ObjC++, if neither
>      -fno-stack-protector, -nostdlib, -ffreestanding,
>      -fstack-protector, -fstack-protector-strong or
>      -fstack-protector-all are found.   <=====  are found *where*?
> 
> English is my native tongue and I confess I can't make any sense of
> that advice.
> 

You'll get the "strong" stack protection unless you ask for some other
level of protection via CFLAGS or CXXFLAGS or wherever else. Note that
"strong" is still less than "all"!



