hardened-config: build with fortify source

NixOS · Sep 15, 2017 · dd170cd · dd170cd
1 parent 9a763f8
commit dd170cd
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/pkgs/os-specific/linux/kernel/hardened-config.nix b/pkgs/os-specific/linux/kernel/hardened-config.nix
@@ -106,4 +106,9 @@ INET_DIAG n # Has been used for heap based attacks in the past
 # Use -fstack-protector-strong (gcc 4.9+) for best stack canary coverage.
 CC_STACKPROTECTOR_REGULAR n
 CC_STACKPROTECTOR_STRONG y
+
+# Enable compile/run-time buffer overflow detection ala glibc's _FORTIFY_SOURCE
+${optionalString (versionAtLeast version "4.13") ''
+  FORTIFY_SOURCE y
+''}
 ''