Improve hardening flag options #64

Open
wineee opened this issue Apr 14, 2023 · 0 comments
@wineee
Member

wineee commented Apr 14, 2023

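Hardening options, as something a packaging and build system needs to pay attention to, should as far as possible

In Nix:
The relevant flags can be disabled/enabled via hardeningDisable/hardeningEnable.

For example, format corresponds to "-Wformat -Wformat-security -Werror=format-security". This flag is enabled by default, but for the occasional package that fails to build with -Wformat-security, it can be turned off with hardeningDisable = [ "format" ].

In Debian:

Similar grouping is supported as well, with similar syntax: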
DEB_BUILD_MAINT_OPTIONS=hardening=+pie,-fortify
https://github.com/deepin-community/vlc/blob/c35c1a5400f55bd4f130d77e29c9cd9adbce1506/debian/rules#L3

In addition, settings via environment variables such as DEB_BUILD_HARDENING_FORMAT are also supported.

Related documentation:
wiki.debian.org/Hardening
wiki.ubuntu.com/Security/Features
wiki.archlinux.org/title/Security
wiki.gentoo.org/wiki/Project:Hardened
nixos.org/manual/nixpkgs/stable/#sec-hardening-in-nixpkgs

We should look at what other distributions require of packaging with respect to hardening, and further wrap the relevant compiler flags.
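
An added illustration, not part of the original issue and not this project's code: a small POSIX shell wrapper that resolves a Debian-style spec such as `+pie,-fortify` into flags, using the feature-group idea from Nix and Debian described above. The function names, the default set and every mapping other than `format` (quoted in the issue) are assumptions, and compiler and linker flags are returned in one string for brevity.

```sh
# Added example (not this project's code). Feature names mirror the
# Nix/Debian groups; the flag mapping and default set are assumptions.
HARDENING_ALL="format fortify stackprotector pie relro bindnow"
HARDENING_DEFAULT="format fortify stackprotector relro"

# Map one feature group to its flags; non-zero status for unknown names.
hardening_flags_for() {
  case "$1" in
    format)         printf '%s\n' "-Wformat -Wformat-security -Werror=format-security" ;;
    fortify)        printf '%s\n' "-D_FORTIFY_SOURCE=2" ;;
    stackprotector) printf '%s\n' "-fstack-protector-strong" ;;
    pie)            printf '%s\n' "-fPIE -pie" ;;
    relro)          printf '%s\n' "-Wl,-z,relro" ;;
    bindnow)        printf '%s\n' "-Wl,-z,now" ;;
    *)              return 1 ;;
  esac
}

# resolve_hardening SPEC: apply "+name"/"-name" items (comma separated)
# to the default set and print the resulting flags in a stable order.
# Body runs in a subshell so IFS and "set -f" do not leak to the caller.
resolve_hardening() (
  enabled=" $HARDENING_DEFAULT "
  out=""
  set -f                      # no glob expansion while splitting the spec
  IFS=','
  for item in $1; do
    name="${item#[+-]}"
    if ! hardening_flags_for "$name" >/dev/null; then
      echo "unknown hardening feature: '$name'" >&2; exit 2
    fi
    case "$item" in
      +*) case "$enabled" in *" $name "*) ;; *) enabled="$enabled$name " ;; esac ;;
      -*) case "$enabled" in
            *" $name "*) enabled="${enabled%% $name *} ${enabled#* $name }" ;;
          esac ;;
      *)  echo "missing +/- prefix: '$item'" >&2; exit 2 ;;
    esac
  done
  IFS=' '
  for name in $HARDENING_ALL; do
    case "$enabled" in
      *" $name "*) out="$out $(hardening_flags_for "$name")" ;;
    esac
  done
  printf '%s\n' "${out# }"
)
```

Rejecting unknown feature names instead of ignoring them means a typo in a package's spec fails the build rather than silently dropping a protection.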
