Bug 851111 - sys-devel/clang: enable SSP, FORTIFY_SOURCE=2 by default
Summary: sys-devel/clang: enable SSP, FORTIFY_SOURCE=2 by default
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: Hardened
Hardware: All Linux
Importance: Normal normal
Assignee: The Gentoo Linux Hardened Team
Reported: 2022-06-11 02:11 UTC by Sam James
Modified: 2023-08-30 21:46 UTC
Description (Sam James, 2022-06-11 02:11:59 UTC)
Just like we do with GCC. Just filing this so I don't forget about it.
Comment 1 (Sam James, 2022-06-18 00:56:37 UTC)
I have a vague recollection of us wanting to do this using the config file support.

Alternatively, we just patch it in like we do for GCC.
Comment 2 (Sam James, 2022-06-27 02:07:59 UTC)
Given https://lists.llvm.org/pipermail/cfe-dev/2015-November/045852.html, I'm not sure if we want to bother with the F_S stuff for Clang.
Comment 3 (Sam James, 2022-09-13 21:36:45 UTC)
(In reply to Sam James from comment #1)
> I have vague recollection of us wanting to do this using the config file
> support.
> 
> Alternatively, we just patch it in like we do for GCC.

See https://discourse.llvm.org/t/rfc-adding-a-default-file-location-to-config-file-support/63606/23.
Comment 4 (Sam James, 2022-11-08 03:06:24 UTC)
Updating this after a prompt from Arfrever:
- We could switch PIE from USE=pie on clang into clang-common
- We can do SSP in clang-common too, I think
- We still have to do FORTIFY_SOURCE in Clang itself because it requires >= -O1 (can't pass it unconditionally)
Comment 5 (Larry the Git Cow, 2023-01-02 20:35:20 UTC)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1e9b3a08b9243daae1bebd6bac3da939d924df1f

commit 1e9b3a08b9243daae1bebd6bac3da939d924df1f
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-02 03:14:09 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-02 20:34:17 +0000

    sys-devel/clang-common: add baseline hardening
    
    Add new /etc/clang/gentoo-hardened.cfg which sets hardening
    options:
    * -fstack-clash-protection
    * -fstack-protector-strong
    * -fPIE (already set by USE=pie on Clang, but this moves it out, as upstream
      prefer the config method.)
    * -D_FORTIFY_SOURCE=2
    
    Further, add USE=hardened, which controls adding -D_LIBCPP_ENABLE_ASSERTIONS=1
    (analogue to libstdc++'s -D_GLIBCXX_ASSERTIONS) and -D_FORTIFY_SOURCE=3.
    
    Bug: https://bugs.gentoo.org/851111
    Signed-off-by: Sam James <sam@gentoo.org>

 .../clang-common/clang-common-15.0.6-r1.ebuild     | 159 ++++++++++++++++++++
 .../clang-common/clang-common-15.0.6.9999.ebuild   |  37 ++++-
 .../clang-common/clang-common-16.0.0.9999.ebuild   |  37 ++++-
 .../clang-common-16.0.0_pre20230101-r1.ebuild      | 165 +++++++++++++++++++++
 4 files changed, 394 insertions(+), 4 deletions(-)