[Discussion][Security] Compiler and linker flags #4107
Comments
|
This is glibc-specific thing at all.
Btw, the line |
OK, so there's just -Oz as default option for regular builds in CFLAGS/CXXFLAGS. |
Stack protector doesn't cause build failures. It just don't work in same way as on PC. |
Hmm, in NDK 20 it works....
So we can have: Note that |
Fine. Some security improvements. Looks for me like best practice, currently. Relating -fstack-clash-protection I found out, that this isn't even supported in Clang. Leaving this open for some time, to give contributes/users the chance to comment. |
See #4107. In short: * Stack protector will be used by default. * GOT/PLT ELF sections will be read-only.
ghost
mentioned this issue
See #4107. In short: * Stack protector will be used by default. * GOT/PLT ELF sections will be read-only.
See #4107. In short: * Stack protector will be used by default. * GOT/PLT ELF sections will be read-only.
See #4107. In short: * Stack protector will be used by default. * GOT/PLT ELF sections will be read-only.
|
Done in e63524c. |
ghost
locked and limited conversation to collaborators
Didn't find another discussion, so opening.
General CFLAGS/CXXFLAGS are for both branches (termux_step_setup_toolchain.sh)
"-g3 -O1 -fstack-protector --param ssp-buffer-size=4 -D_FORTIFY_SOURCE=2"
-D_FORTIFY_SOURCE=2 => GOOD
-fstack-protector => OK
But what about some more security enhancements?
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection (only x86, so probably not very useful)
-D_GLIBCXX_ASSERTIONS
What about -O2 instead -O1?
It's well tested and considered working fine. Should work better with -D_FORTIFY_SOURCE=2 AFAIK.
General LDFLAGS are:
" -Wl,-rpath=$TERMUX_PREFIX/lib -Wl,--enable-new-dtags"
Is there an option for improved linker options in Termux (likely not, I guess)?
-Wl,-z,relro
-Wl,-z,now
https://wiki.debian.org/Hardening
The text was updated successfully, but these errors were encountered: