[Discussion][Security] Compiler and linker flags #4107
Comments
This is a glibc-specific thing at all.
Btw, the line
OK, so there's just -Oz as the default option for regular builds in CFLAGS/CXXFLAGS.
Stack protector doesn't cause build failures. It just doesn't work in the same way as on PC.
Fine. Some security improvements. Looks to me like best practice, currently. Regarding -fstack-clash-protection, I found out that this isn't even supported in Clang. Leaving this open for some time, to give contributors/users the chance to comment.
See #4107. In short:
* Stack protector will be used by default.
* GOT/PLT ELF sections will be read-only.
Done in e63524c.
Didn't find another discussion, so opening.
General CFLAGS/CXXFLAGS are for both branches (termux_step_setup_toolchain.sh)
"-g3 -O1 -fstack-protector --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
-D_FORTIFY_SOURCE=2 => GOOD
-fstack-protector => OK
But what about some more security enhancements?
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection (only x86, so probably not very useful)
-D_GLIBCXX_ASSERTIONS
What about -O2 instead of -O1?
It's well tested and considered working fine. Should work better with -D_FORTIFY_SOURCE=2 AFAIK.
General LDFLAGS are:
" -Wl,-rpath=$TERMUX_PREFIX/lib -Wl,--enable-new-dtags"
Is there an option for improved linker options in Termux (likely not, I guess)?
-Wl,-z,relro
-Wl,-z,now
https://wiki.debian.org/Hardening
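One way to verify in a built binary that the linker and stack-protector flags discussed in this issue took effect, as an added example that is not part of the original issue or the Termux build scripts: it classifies RELRO and stack-protector use from `readelf` output. The function names and the sample `readelf` excerpts are constructed for illustration.

```shell
#!/bin/sh
# relro_level: stdin is `readelf -lW -dW FILE` output; prints none|partial|full.
# A GNU_RELRO segment alone is partial RELRO (-z relro). Adding BIND_NOW
# (-z now) resolves all symbols at load time, so the GOT can be remapped
# read-only as well: full RELRO.
relro_level() {
    awk '
        $1 == "GNU_RELRO"               { relro = 1 }
        /\(BIND_NOW\)/                  { now = 1 }
        /\(FLAGS\)/   && /BIND_NOW/     { now = 1 }
        /\(FLAGS_1\)/ && /[ :]NOW( |$)/ { now = 1 }
        END {
            if (!relro)   print "none"
            else if (now) print "full"
            else          print "partial"
        }'
}

# has_canary: stdin is `readelf -sW FILE` output; succeeds if the binary
# references __stack_chk_fail. Absence is not proof the flag was missing:
# -fstack-protector only instruments functions with large enough char arrays.
has_canary() {
    grep -q '__stack_chk_fail'
}

# report FILE: run both checks on a real binary (requires binutils readelf).
report() {
    printf '%s: relro=%s canary=%s\n' "$1" \
        "$(readelf -lW -dW "$1" | relro_level)" \
        "$(readelf -sW "$1" | has_canary && echo yes || echo no)"
}

# Constructed readelf excerpts, not output from a real Termux package.
sample_default() {      # no GNU_RELRO segment
    printf '%s\n' \
        '  LOAD           0x000000 0x00000000 0x00000000 0x00a10 0x00a10 R E 0x1000' \
        ' 0x00000001 (NEEDED)                     Shared library: [libc.so]'
}
sample_relro() {        # GNU_RELRO present, lazy binding
    sample_default
    printf '%s\n' '  GNU_RELRO      0x000e00 0x00001e00 0x00001e00 0x00200 0x00200 RW  0x1'
}
sample_relro_now() {    # GNU_RELRO plus BIND_NOW
    sample_relro
    printf '%s\n' \
        ' 0x0000001e (FLAGS)                      BIND_NOW' \
        ' 0x6ffffffb (FLAGS_1)                    Flags: NOW'
}

# Usage: sh check.sh FILE...
for f in "$@"; do report "$f"; done
```

Only the "full" result corresponds to read-only GOT/PLT; "partial" means `-z relro` was applied without `-z now`.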