[ 
https://issues.apache.org/jira/browse/MESOS-6229?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Aaron Wood updated MESOS-6229:
------------------------------
    Description: 
Provide a default set of hardened compilation flags to help protect against 
overflows and other attacks. Apply to libprocess and stout as well. Current set 
of flags that were discussed on slack to implement:

-Wformat­-security
-Wstack-protector
-fstack-protector-strong (-fstack-protector-all might be overkill, it could be 
more effective to use this. Requires gcc >= 4.9 which should be reasonable. 
Detect compiler support and use what we can but prefer -fstack-protector-strong)
-pie
-fPIE 
-fPIC
-D_FORTIFY_SOURCE=2
­-Wl,-z,relro,-z,now (currently not a part of the patch, this should be another 
JIRA)
-fno-omit-frame-pointer

https://reviews.apache.org/r/52645/
https://reviews.apache.org/r/52695/
https://reviews.apache.org/r/52696/


  was:
Provide a default set of hardened compilation flags to help protect against 
overflows and other attacks. Apply to libprocess and stout as well. Current set 
of flags that were discussed on slack to implement:

-Wformat­-security
-Wstack-protector
-fstack-protector-strong (-fstack-protector-all might be overkill, it could be 
more effective to use this. Requires gcc >= 4.9 which should be reasonable)
-pie
-fPIE 
-fPIC
-D_FORTIFY_SOURCE=2
­-Wl,-z,relro,-z,now (currently not a part of the patch)
-fno-omit-frame-pointer

https://reviews.apache.org/r/52645/
https://reviews.apache.org/r/52695/
https://reviews.apache.org/r/52696/



> Default to using hardened compilation flags
> -------------------------------------------
>
>                 Key: MESOS-6229
>                 URL: https://issues.apache.org/jira/browse/MESOS-6229
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Aaron Wood
>            Assignee: Aaron Wood
>            Priority: Minor
>              Labels: c++, clang, gcc, security
>
> Provide a default set of hardened compilation flags to help protect against 
> overflows and other attacks. Apply to libprocess and stout as well. Current 
> set of flags that were discussed on slack to implement:
> -Wformat­-security
> -Wstack-protector
> -fstack-protector-strong (-fstack-protector-all might be overkill, it could 
> be more effective to use this. Requires gcc >= 4.9 which should be 
> reasonable. Detect compiler support and use what we can but prefer 
> -fstack-protector-strong)
> -pie
> -fPIE 
> -fPIC
> -D_FORTIFY_SOURCE=2
> ­-Wl,-z,relro,-z,now (currently not a part of the patch, this should be 
> another JIRA)
> -fno-omit-frame-pointer
> https://reviews.apache.org/r/52645/
> https://reviews.apache.org/r/52695/
> https://reviews.apache.org/r/52696/



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to