On 09/07/2015 09:15 PM, walt wrote:
> 
> Full SSP is something I want and I'll gladly suffer the speed penalty
> to get it.  Can I just add -fstack-protector-all to my CFLAGS in
> make.conf? 
> 

Basically, but to save yourself some headaches, you should switch to a
hardened profile instead. Otherwise you'll get build failures of things
like glibc. The profile takes care of that for you, but otherwise
enables full SSP.

The binary distros are all moving towards -fstack-protector-strong now
so support for this stuff is getting better upstream.


> Hmm.  Quoting from the gcc man page:
> 
>   -fstack-protector-strong
>     Like -fstack-protector but includes additional functions to
>     be protected --- those that have local array definitions, or
>     have references to local frame addresses.
> 
>      NOTE: In Gentoo GCC 4.9.0 and later versions this option is
>       enabled by default for C, C++, ObjC, ObjC++, if neither
>      -fno-stack-protector, -nostdlib, -ffreestanding,
>      -fstack-protector, -fstack-protector-strong or
>      -fstack-protector-all are found.   <=====  are found *where*?
> 
> English is my native tongue and I confess I can't make any sense of
> that advice.
> 

You'll get the "strong" stack protection unless you ask for some other
level of protection via CFLAGS or CXXFLAGS or wherever else. Note that
"strong" is still less than "all"!



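The difference between the three levels discussed in this thread, as an added example that is not part of the original messages. The function names are made up, and the coverage notes follow the gcc man page wording quoted above, assuming GCC at -O0 with the upstream default `--param ssp-buffer-size=8`.

```c
/* ssp_demo.c: added illustration, not code from the thread. Function names
 * are made up. Coverage notes assume GCC at -O0 with the upstream default
 * --param ssp-buffer-size=8. To check, compile to assembly and look for
 * calls to __stack_chk_fail in each function:
 *   gcc -O0 -S -fstack-protector        ssp_demo.c -o plain.s
 *   gcc -O0 -S -fstack-protector-strong ssp_demo.c -o strong.s
 *   gcc -O0 -S -fstack-protector-all    ssp_demo.c -o all.s
 */
#include <stdio.h>
#include <string.h>

/* Scalars only, no local address taken: gets a canary only with -all. */
int add_scalars(int a, int b)
{
    int sum = a + b;
    return sum;
}

/* A 4-byte local array, below the 8-byte threshold: plain -fstack-protector
 * skips it; -strong ("local array definitions") and -all cover it. */
int sum_small_table(int seed)
{
    short pair[2] = { (short)seed, (short)(seed * 2) };
    return pair[0] + pair[1];
}

/* Helper that writes through a pointer supplied by the caller. */
static void store_value(int *out, int v) { *out = v; }

/* Reference to a local frame address (&slot): covered by -strong and -all,
 * not by plain -fstack-protector. */
int via_local_address(int v)
{
    int slot = 0;
    store_value(&slot, v);
    return slot;
}

/* A 64-byte char buffer: covered by all three levels. */
size_t copy_name(const char *name)
{
    char buf[64];
    snprintf(buf, sizeof buf, "%s", name); /* bounded copy, always terminated */
    return strlen(buf);
}

int main(void)
{
    printf("%d %d %d %zu\n", add_scalars(2, 3), sum_small_table(4),
           via_local_address(7), copy_name("gentoo"));
    return 0;
}
```

With optimization enabled the compiler may remove a local array or address reference before the protector decision is made, so inspect the assembly built with your real CFLAGS.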