ignored-flags checks to make sure the user flags are set, but not if they are effective or not. For example, if the user CFLAGS are "-O1" this will pass:

floppym@cisdev ~ $ gcc -o hello -O1 -frecord-gcc-switches -O2 -Os -O3 hello.c
floppym@cisdev ~ $ readelf -p .GCC.command.line hello

String dump of section '.GCC.command.line':
  [     0]  hello.c
  [     8]  -mtune=generic
  [    17]  -march=x86-64
  [    25]  -O1
  [    29]  -O2
  [    2d]  -Os
  [    31]  -O3
  [    35]  -frecord-gcc-switches

Granted, this is a hard problem to solve, since we don't necessarily know which cflags override which other cflags. My suggestion is to at least solve the simple case where we check if "-Osomething" is in the user CFLAGS, pick the last "-Osomething" from the user cflags (in case of CFLAGS="-O1 -O2" set by user) and then check to make sure that no -Osomethingelse is after -Osomething in the binary. Even though this would miss many cases, it will catch the most obvious case and help signal to devs that things are being injected.
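The heuristic proposed above, as an added example that is not part of the bug thread or of the ignored-flags check itself: it parses the string dump `readelf -p .GCC.command.line` prints (a constructed sample mirroring the session above), takes the last -O level from the user's CFLAGS, and flags the binary when any other -O level is recorded after it. Function names and the sample dump are assumptions of this example.

```python
import re

# Constructed sample of `readelf -p .GCC.command.line hello` output, mirroring
# the session quoted in the comment above.
READELF_OUTPUT = """\
String dump of section '.GCC.command.line':
  [     0]  hello.c
  [     8]  -mtune=generic
  [    17]  -march=x86-64
  [    25]  -O1
  [    29]  -O2
  [    2d]  -Os
  [    31]  -O3
  [    35]  -frecord-gcc-switches
"""

ENTRY_RE = re.compile(r"^\s*\[\s*[0-9a-fA-F]+\]\s+(.*)$")
# Optimization levels GCC understands: -O, -O0..-O3, -Os, -Og, -Oz, -Ofast.
OPT_LEVELS = {"", "0", "1", "2", "3", "s", "g", "z", "fast"}

def recorded_switches(readelf_text):
    """Parse readelf's string dump into the recorded switches, in order."""
    entries = []
    for line in readelf_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append(m.group(1).strip())
    return entries

def is_opt_level(flag):
    return flag.startswith("-O") and flag[2:] in OPT_LEVELS

def last_opt_level(flags):
    levels = [f for f in flags if is_opt_level(f)]
    return levels[-1] if levels else None

def check_opt_level(user_cflags, recorded):
    """Last -O in user CFLAGS must be recorded with no other -O level after
    its last occurrence. Returns (ok, reason)."""
    want = last_opt_level(user_cflags.split())
    if want is None:
        return True, "no -O level in user CFLAGS; nothing to check"
    levels = [f for f in recorded if is_opt_level(f)]
    if want not in levels:
        return False, f"{want} was never recorded in the binary"
    last = len(levels) - 1 - levels[::-1].index(want)
    trailing = levels[last + 1:]
    if trailing:
        return False, f"{want} overridden by {' '.join(trailing)}"
    return True, f"{want} is the effective optimization level"
```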
Currently the check is very simplistic, it only uses -frecord-gcc-switches as a watermark for scanelf to detect.
in that case we should verify all our cflags make it in, not just -frecord-gcc-switches.
(In reply to Rick Farina (Zero_Chaos) from comment #2)
> in that case we should verify all our cflags make it in, not just
> -frecord-gcc-switches.

We might have to add a scanelf option for that, or create another tool to implement the check.