| Field | Value |
|---|---|
| Summary | sys-devel/clang: enable SSP, FORTIFY_SOURCE=2 by default |
| Product | Gentoo Linux |
| Reporter | Sam James <sam> |
| Component | Hardened |
| Assignee | The Gentoo Linux Hardened Team <hardened> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | herrtimson, llvm, matthew, telans |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| See Also | https://reviews.llvm.org/D109621, https://bugs.llvm.org/show_bug.cgi?id=50322, https://bugs.llvm.org/show_bug.cgi?id=41459, https://bugs.gentoo.org/show_bug.cgi?id=868639, https://bugs.gentoo.org/show_bug.cgi?id=912223 |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
Description
Sam James
2022-06-11 02:11:59 UTC
I have vague recollection of us wanting to do this using the config file support.

Alternatively, we just patch it in like we do for GCC.

Given https://lists.llvm.org/pipermail/cfe-dev/2015-November/045852.html, I'm not sure if we want to bother with the F_S stuff for Clang.


(In reply to Sam James from comment #1)
> I have vague recollection of us wanting to do this using the config file
> support.
>
> Alternatively, we just patch it in like we do for GCC.

See https://discourse.llvm.org/t/rfc-adding-a-default-file-location-to-config-file-support/63606/23.


Updating this after a prompt from Arfrever:

- We could switch PIE from USE=pie on clang into clang-common
- We can do SSP in clang-common too, I think
- We still have to do FORTIFY_SOURCE in Clang itself because it requires >= -O1 (can't pass it unconditionally)


The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e9b3a08b9243daae1bebd6bac3da939d924df1f

commit 1e9b3a08b9243daae1bebd6bac3da939d924df1f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-02 03:14:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-02 20:34:17 +0000

    sys-devel/clang-common: add baseline hardening

    Add new /etc/clang/gentoo-hardened.cfg which sets hardening options:
    * -fstack-clash-protection
    * -fstack-protector-strong
    * -fPIE (already set by USE=pie on Clang, but this moves it out, as upstream prefer the config method.)
    * -D_FORTIFY_SOURCE=2

    Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1 (analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3.

    Bug: https://bugs.gentoo.org/851111
    Signed-off-by: Sam James <sam@gentoo.org>

 .../clang-common/clang-common-15.0.6-r1.ebuild          | 159 ++++++++++++++++++++
 .../clang-common/clang-common-15.0.6.9999.ebuild        |  37 ++++-
 .../clang-common/clang-common-16.0.0.9999.ebuild        |  37 ++++-
 .../clang-common-16.0.0_pre20230101-r1.ebuild           | 165 +++++++++++++++++++++
 4 files changed, 394 insertions(+), 4 deletions(-)
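The thread above settles on shipping the baseline flags through clang's config-file mechanism and notes that FORTIFY_SOURCE only does anything at -O1 and above. The script below is an added example, not the clang-common ebuild or the real /etc/clang/gentoo-hardened.cfg: it writes a config file carrying the four baseline options named in the commit message into a temporary directory (the file name and helper names are assumptions), then asks the preprocessor which macros end up defined, which is the quickest way to confirm a config file is actually being honoured. The -O0 run shows the caveat from the comment: `__OPTIMIZE__` is absent, and with glibc headers the compiler warns that `_FORTIFY_SOURCE` requires optimisation.

```shell
#!/bin/sh
# Added example for this bug, not the clang-common ebuild or its
# /etc/clang/gentoo-hardened.cfg: write a clang config file carrying the
# baseline options named in the commit message, then check from the
# preprocessor's predefined macros that clang really applies them.
# Paths and helper names below are assumptions made for the example.
set -eu

CFG_DIR=$(mktemp -d)
CFG="$CFG_DIR/gentoo-hardened.cfg"   # assumed name; any path works with --config=
trap 'rm -rf "$CFG_DIR"' EXIT

# clang config-file syntax: whitespace-separated driver options, '#' comments.
write_cfg() {
    cat > "$CFG" <<'EOF'
# baseline hardening, as listed in the commit message
-fstack-clash-protection
-fstack-protector-strong
-fPIE
-D_FORTIFY_SOURCE=2
EOF
}

# Predefined macros clang sees for an empty C translation unit compiled with
# the config file and one optimisation flag ($1, e.g. -O0 or -O2).
macros_with_cfg() {
    printf '' | clang --config="$CFG" "$1" -dM -E -x c - 2>/dev/null
}

# Succeeds when macro $2 is defined under optimisation flag $1.
#   __SSP_STRONG__   <- -fstack-protector-strong
#   __PIE__          <- -fPIE
#   _FORTIFY_SOURCE  <- the -D in the config file
#   __OPTIMIZE__     <- only at -O1 and above, which is why the comment above
#                       says FORTIFY_SOURCE cannot simply be forced on for -O0
has_macro() {
    macros_with_cfg "$1" | grep -q "^#define $2 "
}

# Count glibc's "_FORTIFY_SOURCE requires compiling with optimization" warning
# for a trivial file at the given -O level (glibc headers only; musl stays silent).
fortify_warnings() {
    printf '#include <string.h>\nint main(void){return 0;}\n' \
        | clang --config="$CFG" "$1" -c -o /dev/null -x c - 2>&1 \
        | grep -c '_FORTIFY_SOURCE requires' || true
}

if command -v clang >/dev/null 2>&1; then
    write_cfg
    for m in __SSP_STRONG__ __PIE__ _FORTIFY_SOURCE __OPTIMIZE__; do
        if has_macro -O2 "$m"; then echo "-O2: $m defined"; else echo "-O2: $m missing"; fi
    done
    echo "-O0: __OPTIMIZE__ $(has_macro -O0 __OPTIMIZE__ && echo defined || echo missing)"
    echo "-O0: fortify warnings = $(fortify_warnings -O0)"
    echo "-O2: fortify warnings = $(fortify_warnings -O2)"
fi
```

On a system where the packaged config file is in place, the same `-dM -E` check without `--config=` tells you whether the distro default is reaching your build; `-fstack-clash-protection` needs a clang that accepts the flag (11 and later), and the warning count relies on glibc's features.h, so expect 0 on musl even at -O0.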