On Monday, September 07, 2015 9:38:25 PM Michael Orlitzky wrote:
> On 09/07/2015 09:15 PM, walt wrote:
> >
> > Full SSP is something I want and I'll gladly suffer the speed penalty
> > to get it. Can I just add -fstack-protector-all to my CFLAGS in
> > make.conf?
> >
>
> Basically, but to save yourself some headaches, you should switch to a
> hardened profile instead. Otherwise you'll get build failures of things
> like glibc. The profile takes care of that for you, but otherwise
> enables full SSP.

I have -fstack-protector-all enabled in my router/firewall for over a year and I don't remember any build failures. I don't have a lot of packages in it but I certainly have glibc. I think it just overrides the setting.

> The binary distros are all moving towards -fstack-protector-strong now
> so support for this stuff is getting better upstream.
>
> >
> > Hmm. Quoting from the gcc man page:
> >
> > -fstack-protector-strong
> >     Like -fstack-protector but includes additional functions to
> >     be protected --- those that have local array definitions, or
> >     have references to local frame addresses.
> >
> >     NOTE: In Gentoo GCC 4.9.0 and later versions this option is
> >     enabled by default for C, C++, ObjC, ObjC++, if neither
> >     -fno-stack-protector, -nostdlib, -ffreestanding,
> >     -fstack-protector, -fstack-protector-strong or
> >     -fstack-protector-all are found. <===== are found *where*?
> >
> > English is my native tongue and I confess I can't make any sense of
> > that advice.
> >
>
> You'll get the "strong" stack protection unless you ask for some other
> level of protection via CFLAGS or CXXFLAGS or wherever else. Note that
> "strong" is still less than "all"!
>

-- 
Fernando Rodriguez
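To see concretely how "strong" is less than "all", the following added example (not part of the thread) compiles four small functions at each protection level and reports which ones receive a canary check. It assumes gcc, or whatever `$CC` names, is on the PATH; the test functions and the helper names `has_canary` and `ssp_report` are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the thread). The four test functions are constructed
# so that each one triggers a different stack-protector heuristic.
SRC='
void sink(void *);
#if CASE == 1
int f(int a) { return a + 1; }            /* no arrays, no address taken */
#elif CASE == 2
void f(void) { int x = 0; sink(&x); }     /* address of a local is taken */
#elif CASE == 3
void f(void) { char b[4]; sink(b); }      /* char array below 8 bytes */
#else
void f(void) { char b[64]; sink(b); }     /* char array of 8 bytes or more */
#endif
'

# has_canary FLAG CASE: true if the compiled function calls __stack_chk_fail.
# -O0 and an explicit ssp-buffer-size pin the result against distro defaults.
has_canary() {
    printf '%s\n' "$SRC" |
        "${CC:-gcc}" -x c -O0 --param ssp-buffer-size=8 "$1" -DCASE="$2" \
            -S -o - - 2>/dev/null |
        grep -q '__stack_chk_fail'
}

# ssp_report FLAG: one line saying which of the four functions got a canary.
ssp_report() {
    out=""
    for c in 1:plain 2:addr_taken 3:small_array 4:big_array; do
        if has_canary "$1" "${c%%:*}"; then r=yes; else r=no; fi
        out="$out ${c#*:}=$r"
    done
    printf '%s\n' "${out# }"
}

for flag in -fno-stack-protector -fstack-protector \
            -fstack-protector-strong -fstack-protector-all; do
    printf '%-26s %s\n' "$flag" "$(ssp_report "$flag")"
done
```

The explicit flag is passed last, so it overrides any level the compiler enables by default, which is the behaviour the man page note describes.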

