Mar 29, 2022, 10:15 by l...@gnu.org:

> Hi,
>
> Maxim Cournoyer <maxim.courno...@gmail.com> writes:
>
>> Maxime Devos <maximede...@telenet.be> writes:
>>
>>> zimoun wrote on Mon 21-03-2022 at 14:34 [+0100]:
>>>
>>>> > * gcc can be compiled with `--enable-default-ssp --enable-default-
>>>> > pie`
>>>> > to enforce ssp and pic
>>>>
>>>> You wrote [1]:
>>>>
>>>> --8<---------------cut here---------------start------------->8---
>>>> (define-public gcc
>>>>   (package
>>>>     (inherit gcc)
>>>>     (arguments
>>>>      (substitute-keyword-arguments (package-arguments gcc)
>>>>        ((#:configure-flags flags
>>>>          `(append (list "--enable-default-ssp" "--enable-default-pie")
>>>>                   ,flags))))))))
>>>> --8<---------------cut here---------------end--------------->8---
>>>>
>>>
>>> I think it would be a lot simpler to just add this to the 'standard'
>>> gcc configure flags, in (gnu packages gcc), given that probably the
>>> idea is to do this hardening for all packages? Needs a world-rebuild
>>> though.
>>>
>>
>> +1. The whole distribution can probably benefit from this hardening.
>>
>
> That’s something worth trying in a branch off ‘core-updates’.
>
> Stack smashing protection (SSP) may incur measurable run-time overhead
> though so enabling that one by default may be less consensual.
>

We could do it like how NixOS does it [1]. There can be a `harden?` list in the build system that contains a default set of flags. Packages that need to have less hardening for performance or other reasons can modify that list. I believe this was discussed in an old email (not this thread).
> There are other things that could be done in this area, often with no or
> little overhead, such as building with -D_FORTIFY_SOURCE. Doing that
> transparently (without changing build systems) is a bit of a challenge
> though.
>
> Ludo’.
>

Where and how should the default make and ldflags be set? I guess they could be set in the build-system/*.scm.

[1] https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html
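The thread proposes rebuilding gcc with `--enable-default-ssp --enable-default-pie`, which makes `-fstack-protector-strong` and `-fPIE`/`-pie` the defaults. A practitioner who rebuilds the toolchain wants a way to confirm the defaults actually took effect, and the same check shows when a package opts back out (for instance by passing `-fno-stack-protector`). The script below is an added example, not code from this thread or from Guix or NixOS; it reads the compiler's predefined macros (`cc -dM -E -`) and classifies them. It assumes GCC's documented macro names (`__PIE__`/`__pie__` for `-fpie`/`-fPIE`, and exactly one of `__SSP__`, `__SSP_ALL__`, `__SSP_STRONG__`, `__SSP_EXPLICIT__` for the `-fstack-protector` family), and uses `cc` as the compiler name when none is given. The two sample dumps are constructed, trimmed to the relevant lines.

```shell
#!/bin/sh
# Added example (not from the thread, Guix or NixOS): decide from a
# compiler's predefined macros whether SSP and PIE are on by default.
# Assumptions: GCC's documented macro names for -fPIE and the
# -fstack-protector variants; `cc` as the compiler when none is named.

# classify_defaults DUMP
# DUMP is the text of `cc -dM -E - </dev/null`. Prints "pie=<n> ssp=<mode>",
# n being 0 (no PIE), 1 (-fpie) or 2 (-fPIE); mode being none, basic
# (-fstack-protector), all, strong or explicit.
classify_defaults() {
    dump=$1
    pie=$(printf '%s\n' "$dump" | sed -n 's/^#define __PIE__ \([0-9]\)$/\1/p')
    [ -n "$pie" ] || pie=0
    ssp=none
    # GCC defines exactly one of these, matching the default
    # -fstack-protector variant it was configured with.
    printf '%s\n' "$dump" | grep -q '^#define __SSP__ '          && ssp=basic
    printf '%s\n' "$dump" | grep -q '^#define __SSP_ALL__ '      && ssp=all
    printf '%s\n' "$dump" | grep -q '^#define __SSP_STRONG__ '   && ssp=strong
    printf '%s\n' "$dump" | grep -q '^#define __SSP_EXPLICIT__ ' && ssp=explicit
    printf 'pie=%s ssp=%s\n' "$pie" "$ssp"
}

# check_compiler [CC]
# Dumps the real compiler's predefined macros and classifies them.
# Exit status 0 only when both -fPIE and -fstack-protector-strong are the
# defaults, i.e. what --enable-default-pie --enable-default-ssp produce.
check_compiler() {
    cc=${1:-cc}
    dump=$(echo | "$cc" -x c -dM -E - 2>/dev/null) || {
        echo "check_compiler: cannot run $cc" >&2
        return 2
    }
    status=$(classify_defaults "$dump")
    echo "$cc: $status"
    [ "$status" = "pie=2 ssp=strong" ]
}

# Constructed sample dumps standing in for a hardened and a plain GCC.
SAMPLE_HARDENED='#define __GNUC__ 11
#define __PIC__ 2
#define __PIE__ 2
#define __pie__ 2
#define __SSP_STRONG__ 3'
SAMPLE_PLAIN='#define __GNUC__ 11
#define __STDC__ 1'

classify_defaults "$SAMPLE_HARDENED"   # pie=2 ssp=strong
classify_defaults "$SAMPLE_PLAIN"      # pie=0 ssp=none

# Real check: name the compiler as $1, e.g. the gcc of a Guix build
# environment (`guix shell gcc-toolchain -- sh check-hardening.sh gcc`).
if command -v "${1:-cc}" >/dev/null 2>&1; then
    check_compiler "${1:-cc}" \
        || echo "${1:-cc}: PIE and strong SSP are not both on by default"
fi
```

To confirm the result on a produced binary rather than on the compiler's defaults, `readelf -h` on the executable should report type `DYN` for a PIE, and `readelf -s` should list `__stack_chk_fail` for any object that actually received a stack protector (a function with no protected frames will not reference it even under `-fstack-protector-strong`).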