PR#5: Enable -fstack-clash-protection flag globally (#1515865) - rpms/redhat-rpm-config

rpms / redhat-rpm-config

#5 Enable -fstack-clash-protection flag globally (#1515865)

Closed 5 years ago by fweimer. Opened 5 years ago by fweimer.

Unknown source master into master

Enable -fstack-clash-protection flag globally (#1515865)

Florian Weimer • 5 years ago

2a6a91e

macros

file modified

+1 -1

		`@@ -155,7 +155,7 @@`
		`%_annotated_build 1`
		`%_annotated_cflags %{?_annotated_build:%{_annobin_cflags}}`

		`- %__global_compiler_flags -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}`
		`+ %__global_compiler_flags -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -fstack-clash-protection -grecord-gcc-switches %{_hardened_cflags} %{_annotated_cflags}`

		`%__global_cflags %{optflags}`
		`%__global_cxxflags %{optflags}`

redhat-rpm-config.spec

file modified

+4 -1

		`@@ -6,7 +6,7 @@`

		`Summary: Red Hat specific rpm configuration files`
		`Name: redhat-rpm-config`
		`- Version: 69`
		`+ Version: 70`
		`Release: 1%{?dist}`
		`# No version specified.`
		`License: GPL+`
		`@@ -150,6 +150,9 @@`
		`%{_rpmconfigdir}/macros.d/macros.kmp`

		`%changelog`
		`+ * Wed Nov 29 2017 Florian Weimer <fweimer@redhat.com> - 70-1`
		`+ - Enable -fstack-clash-protection flag globally (#1515865)`
		`+`
		`* Wed Nov 22 2017 Nick Clifton <nickc@redhat.com> - 69-1`
		`- Enable binary annotations in compiler flags`

fweimer commented 5 years ago

Enable -fstack-clash-protection globally, now that GCC has support for it.

As far as hardening goes, -fstack-clash-protection is extremely lightweight, so we can make it part of the default flags.

ignatenkobrain commented 5 years ago

LGTM.

tibbs commented 5 years ago

There was some discussion on-list about this but one comment about not being able to use -f-stack-clash-protection on all architectures is troubling, because this PR seems to turn it on for everything.

Maybe I'm misunderstanding and gcc simply ignores the flag on those architectures. Still, it seems like it's worth asking.

fweimer commented 5 years ago

Yes, I only updated the bug with this information: https://bugzilla.redhat.com/show_bug.cgi?id=1515865

Pull-Request has been closed by fweimer

5 years ago

fweimer commented 5 years ago

Canceling the pull request. We'll discuss this on the bug.