add support for building positions independent executables by default #22476
Labels
bugzilla
Issues migrated from bugzilla
clang:driver
'clang' and 'clang++' user-facing binaries. Not 'clang-cl'
Comments
|
GCC now has support for this via ./configure --enable-default-pie in GCC6, and it is being adopted by Linux distributions. |
|
@MaskRay implemented CLANG_DEFAULT_PIE_ON_LINUX in commit 1042de9 ("[Driver] Add CLANG_DEFAULT_PIE_ON_LINUX to emulate GCC --enable-default-pie") since clang-14. @MaskRay 's commit ca68038 ("Reland "[Driver] Default CLANG_DEFAULT_PIE_ON_LINUX to ON""") |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Extended Description
It's currently not possible to enable PIE (full ASLR) across the board without either patching the compiler or wrapping it behind a script. Other hardening flags can simply be set via CFLAGS/LDFLAGS as most build systems respect them.
The -fPIE switch needs to be passed when -f{no}-{pic,pie,PIC} is not and -pie needs to be passed for linking executables but not libraries along with some other exceptions. The list in the pending GCC patch is likely enough for Clang too:
https://gcc.gnu.org/ml/gcc-patches/2014-07/msg02231.html
Recent improvements to gcc/binutils (PIE copy relocs) means that PIE has ~0% overhead in most cases on x86_64 rather than ~1-5%, although this may not be implemented in LLVM yet. The main blocker to distributions taking advantage of it is simply making it easy to turn on.
The text was updated successfully, but these errors were encountered: