Bug 876893

Summary: [toolchain] Adopt -D_FORTIFY_SOURCE=3 for hardened by default
Product: Gentoo Linux
Reporter: Sam James <sam>
Component: Profiles
Assignee: Gentoo Toolchain Maintainers <toolchain>
Status: RESOLVED FIXED
Severity: normal
CC: bertrand, hardened
Priority: Normal
Keywords: PullRequest
Version: unspecified
Hardware: All
OS: Linux
See Also: https://bugs.gentoo.org/show_bug.cgi?id=847148
          https://github.com/gentoo/gentoo/pull/28875
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 750917

Description  Sam James (archtester, Gentoo Infrastructure, gentoo-dev, Security)  2022-10-12 21:43:30 UTC
I think it's probably ready for hardened profiles.
Comment 1  Larry the Git Cow (gentoo-dev)  2022-12-28 19:35:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=224f6241ec785ccc386eb191df36d919e9b62351

commit 224f6241ec785ccc386eb191df36d919e9b62351
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 17:54:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 17:54:22 +0000

    12.2.0: add patches for FORTIFY_SOURCE=3, default GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 12.2.0/gentoo/01_all_default-fortify-source.patch        |  8 ++++++--
 12.2.0/gentoo/15_all_DEF_GENTOO_GLIBCXX_ASSERTIONS.patch | 14 ++++++++++++++
 12.2.0/gentoo/README.history                             |  4 ++++
 3 files changed, 24 insertions(+), 2 deletions(-)
Comment 2  Larry the Git Cow (gentoo-dev)  2022-12-31 23:49:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a40e388337e2fc6847c6cd48fc1b19eafc55b1c6

commit a40e388337e2fc6847c6cd48fc1b19eafc55b1c6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:18:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:47:03 +0000

    sys-devel/gcc: add 12.2.1_p20221231, USE=hardened changes
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc/Manifest                    |  2 ++
 sys-devel/gcc/gcc-12.2.1_p20221231.ebuild | 52 +++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288bc9aff2e91f6a443e8c09f080ffc9f633b07e

commit 288bc9aff2e91f6a443e8c09f080ffc9f633b07e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:17:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:30:45 +0000

    toolchain.eclass: prepare for USE=hardened => FORTIFY_SOURCE=3, assertions
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain.eclass | 4 ++++
 1 file changed, 4 insertions(+)
Comment 3  Larry the Git Cow (gentoo-dev)  2023-01-01 21:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=469c078b8ada3bc00da386bd2eaa2dc3410e3323

commit 469c078b8ada3bc00da386bd2eaa2dc3410e3323
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:33:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-01 21:16:42 +0000

    2023-01-01-hardening-fortify-assertions: add item
    
    Bug: https://bugs.gentoo.org/876893
    Bug: https://bugs.gentoo.org/876895
    Signed-off-by: Sam James <sam@gentoo.org>

 .../2023-01-01-hardening-fortify-assertions.en.txt | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Comment 4  Larry the Git Cow (gentoo-dev)  2023-01-30 17:37:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06cb39a5d25c754c01e96313f76dc802e361995

commit f06cb39a5d25c754c01e96313f76dc802e361995
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-30 01:05:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-30 17:37:03 +0000

    toolchain-funcs.eclass: add tc-enables-fortify-source for FORTIFY_SOURCE
    
    As Zero_Chaos reported on IRC, the check we had wasn't good enough in systemd*
    (before we were able to remove it), as it wouldn't fire for e.g. -Os. While we
    could've changed it to fail safe (always unset, then set a lower F_S if possible),
    let's add a proper helper instead to the eclass.
    
    Bug: https://bugs.gentoo.org/841770
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain-funcs.eclass | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)