Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 876893 - [toolchain] Adopt -D_FORTIFY_SOURCE=3 for hardened by default
Summary: [toolchain] Adopt -D_FORTIFY_SOURCE=3 for hardened by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Profiles (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks: future-profile
  Show dependency tree
 
Reported: 2022-10-12 21:43 UTC by Sam James
Modified: 2023-12-21 15:04 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-12 21:43:30 UTC
I think it's probably ready for hardened profiles.
Comment 1 Larry the Git Cow gentoo-dev 2022-12-28 19:35:45 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/proj/gcc-patches.git/commit/?id=224f6241ec785ccc386eb191df36d919e9b62351

commit 224f6241ec785ccc386eb191df36d919e9b62351
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 17:54:22 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-28 17:54:22 +0000

    12.2.0: add patches for FORTIFY_SOURCE=3, default GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 12.2.0/gentoo/01_all_default-fortify-source.patch        |  8 ++++++--
 12.2.0/gentoo/15_all_DEF_GENTOO_GLIBCXX_ASSERTIONS.patch | 14 ++++++++++++++
 12.2.0/gentoo/README.history                             |  4 ++++
 3 files changed, 24 insertions(+), 2 deletions(-)
Comment 2 Larry the Git Cow gentoo-dev 2022-12-31 23:49:34 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a40e388337e2fc6847c6cd48fc1b19eafc55b1c6

commit a40e388337e2fc6847c6cd48fc1b19eafc55b1c6
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:18:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:47:03 +0000

    sys-devel/gcc: add 12.2.1_p20221231, USE=hardened changes
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc/Manifest                    |  2 ++
 sys-devel/gcc/gcc-12.2.1_p20221231.ebuild | 52 +++++++++++++++++++++++++++++++
 2 files changed, 54 insertions(+)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=288bc9aff2e91f6a443e8c09f080ffc9f633b07e

commit 288bc9aff2e91f6a443e8c09f080ffc9f633b07e
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:17:12 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-31 23:30:45 +0000

    toolchain.eclass: prepare for USE=hardened => FORTIFY_SOURCE=3, assertions
    
    USE=hardened will now imply:
    - default -D_FORTIFY_SOURCE=3 (instead of 2 for normal profiles)
    - default -D_GLIBCXX_ASSERTIONS
    
    Bug: https://bugs.gentoo.org/876895
    Bug: https://bugs.gentoo.org/884417
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain.eclass | 4 ++++
 1 file changed, 4 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-01-01 21:16:51 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=469c078b8ada3bc00da386bd2eaa2dc3410e3323

commit 469c078b8ada3bc00da386bd2eaa2dc3410e3323
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-28 19:33:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-01 21:16:42 +0000

    2023-01-01-hardening-fortify-assertions: add item
    
    Bug: https://bugs.gentoo.org/876893
    Bug: https://bugs.gentoo.org/876895
    Signed-off-by: Sam James <sam@gentoo.org>

 .../2023-01-01-hardening-fortify-assertions.en.txt | 57 ++++++++++++++++++++++
 1 file changed, 57 insertions(+)
Comment 4 Larry the Git Cow gentoo-dev 2023-01-30 17:37:18 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f06cb39a5d25c754c01e96313f76dc802e361995

commit f06cb39a5d25c754c01e96313f76dc802e361995
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2023-01-30 01:05:55 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-01-30 17:37:03 +0000

    toolchain-funcs.eclass: add tc-enables-fortify-source for FORTIFY_SOURCE
    
    As Zero_Chaos reported on IRC, the check we had wasn't good enough in systemd*
    (before we were able to remove it), as it wouldn't fire for e.g. -Os. While we
    could've changed it to fail safe (always unset, then set a lower F_S if possible),
    let's add a proper helper instead to the eclass.
    
    Bug: https://bugs.gentoo.org/841770
    Bug: https://bugs.gentoo.org/847148
    Bug: https://bugs.gentoo.org/876893
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain-funcs.eclass | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)