Enable PIE and SSP by default in gcc and clang

I was preparing pacman 5 and I saw these changes, I think now is the right time to discuss this topic.





What is PIE and SSP? Here are some nice explanations:



SSP (Stack Smash Protector) prevents stack based buffer overflow bugs from being used to exploit programs in many cases.

PIE (Position Independent Executables)

I would also check if this config must be set: CONFIG_ARCH_HAS_FORTIFY_SOURCE=y

Currently we use these flags:
-mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4
As specified here, it is no longer required to add ssp-buffer-size with gcc >= 4.9.

Arch has also added -z now. If we follow the above hardening we should add this too. Here is an explanation of what -z now is.

So, the final question is: shall we follow the same Arch implementation by hardening our packages? @inkane was the right guy to ask this kind of thing, but I would like to know your thoughts, @team.
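Added example, not from this thread or from the Chakra project: a small Python checker that reads an ELF64 binary and reports whether PIE, SSP, -z now (BIND_NOW) and RELRO actually took effect, which is how you would verify a rebuilt package after changing the default flags. It assumes little-endian ELF64 (x86_64) input; the function name and result keys are my own.

```python
import struct
import sys

# ELF64 little-endian constants: enough for the x86_64 binaries the thread is about.
ET_DYN, PT_LOAD, PT_INTERP, PT_DYNAMIC, PT_GNU_RELRO = 3, 1, 3, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(data):
    """Report PIE, SSP, -z now and RELRO for one ELF64 LE image given as bytes."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum = struct.unpack_from(
        "<HHIQQQIHHH", data, 16)
    loads, dynamic, has_interp, has_relro = [], None, False, False
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        has_interp |= p_type == PT_INTERP
        has_relro |= p_type == PT_GNU_RELRO
    tags = {}
    if dynamic:  # collect the dynamic section entries up to DT_NULL
        for pos in range(dynamic[0], dynamic[0] + dynamic[1], 16):
            d_tag, d_val = struct.unpack_from("<QQ", data, pos)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    # -z now shows up as DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
    bind_now = (DT_BIND_NOW in tags or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # SSP: a protected binary imports __stack_chk_fail, so the name is in the dynamic strtab
    ssp = False
    if DT_STRTAB in tags and DT_STRSZ in tags:
        for p_offset, p_vaddr, p_filesz in loads:  # map the strtab address to a file offset
            if p_vaddr <= tags[DT_STRTAB] < p_vaddr + p_filesz:
                start = p_offset + tags[DT_STRTAB] - p_vaddr
                ssp = b"__stack_chk_fail\0" in data[start:start + tags[DT_STRSZ]]
    # A PIE is an ET_DYN object that also carries a PT_INTERP (a shared library has none)
    return {"pie": e_type == ET_DYN and has_interp, "ssp": ssp,
            "bind_now": bind_now, "relro": has_relro}

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else sys.executable
    with open(target, "rb") as f:
        print(target, check_hardening(f.read()))
```

Run it as `python3 check_hardening.py /path/to/binary`; with no argument it inspects the Python interpreter itself. A binary with no stack buffers may legitimately lack `__stack_chk_fail` even when built with -fstack-protector-strong, so treat that field as a hint rather than proof.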

Can’t really offer any insight on this one. But are there any disadvantages in doing this?

Looks ok to me. I haven’t looked at the details though.

I’m usually in favour of sticking as close as possible to what Arch does since it minimises our maintenance cost.


PIE should already be enabled in our clang now; I don’t know about gcc.

I also approve; I don’t really see any drawback in doing it from what I am reading.

It’s needless for every package because no one will infiltrate your system to delete your high score ^^
Perhaps for the vital packages like kernel, glibc etc.

We should use x86_64 for -march and -mtune because Chakra is only available for the x86_64 architecture.

-march=x86_64 -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4

True, that’s a good point.
After the ISO is out I will implement these changes.

