authorTheodore Ts'o <tytso@mit.edu>2024-04-25 13:23:55 -0400
committerTheodore Ts'o <tytso@mit.edu>2024-04-25 13:23:55 -0400
commit784c469575d5c75b24d0b3ee092331c7e1f7505e (patch)
tree7c6288d02c631fd0d858060dfae75dfd0d1826c8
parent7b76a84fd8f75fb53849a751db27d7dfd17bd8b6 (diff)
downloade2fsprogs-784c469575d5c75b24d0b3ee092331c7e1f7505e.tar.gz
configure: Use FORTIFY_SOURCE=3 when hardening is enabled
FORTIFY_SOURCE=3 provides much more robust checks for buffer overruns and other memory bugs[1]. It requires gcc 12 and glibc 2.34 which should be available on most modern distributions (which are the ones that use --enable-hardening). [1] https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level Signed-off-by: Theodore Ts'o <tytso@mit.edu>
-rwxr-xr-xconfigure4
-rw-r--r--configure.ac4
2 files changed, 4 insertions, 4 deletions
diff --git a/configure b/configure
index 2ffbc6076..866eca252 100755
--- a/configure
+++ b/configure
@@ -1596,7 +1596,7 @@ Optional Features:
--enable-bsd-shlibs select BSD shared libraries
--enable-profile build profiling libraries
--enable-gcov build for coverage testing using gcov
- --enable-hardening build for coverage testing using gcov
+ --enable-hardening build with hardening flags such as fortify
--enable-jbd-debug enable journal debugging
--enable-blkid-debug enable blkid debugging
--disable-testio-debug disable the use of the test I/O manager for
@@ -5961,7 +5961,7 @@ if test ${enable_hardening+y}
then :
enableval=$enable_hardening; if test "$enableval" = "yes"
then
- HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong"
+ HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong"
HARDEN_LDFLAGS="-Wl,-z,relro -Wl,-z,now"
CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE"
CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
diff --git a/configure.ac b/configure.ac
index e4a17b952..cc204031d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -365,10 +365,10 @@ CFLAGS_STLIB="${CFLAGS_STLIB:-$CFLAGS}"
LDFLAGS_SHLIB=${LDFLAGS_SHLIB:-$LDFLAGS}
LDFLAGS_STATIC=${LDFLAGS_STATIC:-$LDFLAGS}
AC_ARG_ENABLE([hardening],
-AS_HELP_STRING([--enable-hardening],[build for coverage testing using gcov]),
+AS_HELP_STRING([--enable-hardening],[build with hardening flags such as fortify]),
if test "$enableval" = "yes"
then
- HARDEN_CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-strong"
+ HARDEN_CFLAGS="-D_FORTIFY_SOURCE=3 -fstack-protector-strong"
HARDEN_LDFLAGS=["-Wl,-z,relro -Wl,-z,now"]
CFLAGS="$CFLAGS $HARDEN_CFLAGS -fPIE"
CFLAGS_SHLIB="$CFLAGS_SHLIB $HARDEN_CFLAGS"
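Review bot: `HARDEN_CFLAGS` now sets `-D_FORTIFY_SOURCE=3` unconditionally, with no configure-time probe that the toolchain meets the gcc 12 / glibc 2.34 requirement stated in the commit message. On an older toolchain the level is likely to be treated as 2 (silently or with a header warning, depending on the glibc version), so `--enable-hardening` can succeed while delivering less than this line suggests; a comment recording the requirement, or an `AC_COMPILE_IFELSE` probe that falls back to `=2`, would make that visible. Separately, toolchains that already predefine `_FORTIFY_SOURCE` will warn about the redefinition, which `HARDEN_CFLAGS="-U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=3 -fstack-protector-strong"` avoids. Fortification also only takes effect when optimisation is enabled, and whether `CFLAGS` carries `-O` at this point is not visible in the hunk. The `AC_ARG_ENABLE` block continues past the end of the hunk, and the generated `configure` hunk above carries the same line.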