Enable PIE and SSP by default in gcc and clang

I was preparing pacman 5 and I saw these changes, I think now is the right time to discuss this topic.

https://git.archlinux.org/svntogit/packages.git/commit/trunk/makepkg.conf?h=packages/pacman&id=0cd22d4454e0e1b3ae589b95274f808001465c15

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/gcc&id=5936710c764016ce306f9cb975056e5b7605a65b

https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/llvm&id=787823616bc31184c5fc4b2eb21ec9d899e0029f

https://lists.archlinux.org/pipermail/arch-dev-public/2017-July/thread.html

What are PIE and SSP? Here are some nice explanations:

https://lwn.net/Articles/105570/

https://wiki.gentoo.org/wiki/Hardened/Introduction_to_Hardened_Gentoo#PIE_and_SSP

SSP (Stack Smash Protector) prevents stack based buffer overflow bugs from being used to exploit programs in many cases.

PIE (Position Independent Executables)

I would also check if this config must be set: CONFIG_ARCH_HAS_FORTIFY_SOURCE=y

Currently we use these flags:
-mtune=generic -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4
As specified here, it is no longer required to add ssp-buffer-size with gcc >= 4.9.

Arch has also added -z now. If we follow the above hardening we should add this too. Here is an explanation of what -z now is.

So, the final question is: shall we follow the same Arch implementation by hardening our packages? @inkane was the right guy to ask this kind of thing, but I would like to know your thoughts, @team.
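Whether the flags above actually took effect is something that has to be verified on the built binaries rather than assumed from makepkg.conf (the same thing `readelf -h`, `readelf -d` and checksec-style scripts show). The following checker is an added example written for this thread, not code from Chakra, Arch or any of the linked commits: it reads the ELF64 header to see if the file is ET_DYN (what a PIE executable is), walks the .dynamic section for the DT_FLAGS/DT_FLAGS_1 bits that `-z now` sets, and uses the common heuristic that a binary built with `-fstack-protector*` imports `__stack_chk_fail`. `build_sample_elf` constructs a minimal, non-runnable ELF image so the script runs offline; pass a real path on the command line to check an installed binary.

```python
"""Check an ELF64 binary for PIE, -z now (BIND_NOW) and stack-protector use."""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ET_EXEC = 2                # classic non-PIE executable
ET_DYN = 3                 # PIE executable (shared objects use this too)
SHT_DYNAMIC = 6            # section type of .dynamic
DT_NULL = 0
DT_FLAGS = 30
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8          # what -z now sets in DT_FLAGS
DF_1_NOW = 0x1             # same request, as recorded in DT_FLAGS_1

EHDR_FMT = "HHIQQQIHHHHHH"   # Elf64_Ehdr after the 16-byte e_ident (48 bytes)
SHDR_FMT = "IIQQQQIIQQ"      # Elf64_Shdr (64 bytes)
DYN_FMT = "qQ"               # Elf64_Dyn (16 bytes)


def parse_ehdr(data):
    """Return (endian prefix, e_type, e_shoff, e_shentsize, e_shnum) of an ELF64 image."""
    if data[:4] != ELF_MAGIC or data[4] != 2:
        raise ValueError("not an ELF64 image")
    endian = "<" if data[5] == 1 else ">"
    f = struct.unpack(endian + EHDR_FMT, data[16:64])
    # f[0]=e_type, f[5]=e_shoff, f[10]=e_shentsize, f[11]=e_shnum
    return endian, f[0], f[5], f[10], f[11]


def dynamic_flags(data, endian, shoff, shentsize, shnum):
    """Collect DT_FLAGS and DT_FLAGS_1 from the .dynamic section ((0, 0) if absent)."""
    flags, flags1 = 0, 0
    for i in range(shnum):
        off = shoff + i * shentsize
        sh = struct.unpack(endian + SHDR_FMT, data[off:off + 64])
        if sh[1] != SHT_DYNAMIC:
            continue
        sec = data[sh[4]:sh[4] + sh[5]]          # sh_offset, sh_size
        for j in range(0, len(sec) - 15, 16):
            tag, val = struct.unpack(endian + DYN_FMT, sec[j:j + 16])
            if tag == DT_NULL:
                break
            if tag == DT_FLAGS:
                flags = val
            elif tag == DT_FLAGS_1:
                flags1 = val
    return flags, flags1


def hardening_report(data):
    """Summarise PIE / -z now / SSP for one ELF64 image held in memory."""
    endian, e_type, shoff, shentsize, shnum = parse_ehdr(data)
    flags, flags1 = dynamic_flags(data, endian, shoff, shentsize, shnum)
    return {
        "pie": e_type == ET_DYN,
        "bind_now": bool(flags & DF_BIND_NOW or flags1 & DF_1_NOW),
        # checksec-style heuristic: canary-protected code imports __stack_chk_fail from libc
        "stack_protector": b"__stack_chk_fail" in data,
    }


def build_sample_elf(pie=True, bind_now=True, ssp=True):
    """Constructed minimal ELF64 image (header + one .dynamic section) for offline testing."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<" + DYN_FMT, DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<" + DYN_FMT, DT_NULL, 0)
    if ssp:
        dyn += b"__stack_chk_fail\0"       # stands in for the .dynstr entry glibc would provide
    shoff, dynoff = 64, 128
    ident = ELF_MAGIC + bytes([2, 1, 1]) + bytes(9)   # ELF64, little-endian, version 1
    ehdr = ident + struct.pack("<" + EHDR_FMT, ET_DYN if pie else ET_EXEC, 62, 1, 0, 0,
                               shoff, 0, 64, 0, 0, 64, 1, 0)
    shdr = struct.pack("<" + SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dynoff, len(dyn), 0, 0, 8, 16)
    return ehdr + shdr + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            image = fh.read()
    else:
        image = build_sample_elf()           # constructed sample, not a real binary
    for key, ok in hardening_report(image).items():
        print(f"{key:16s} {'yes' if ok else 'NO'}")
```

Note that ET_DYN alone does not separate a PIE executable from a shared library; run it on files you know are executables, or extend it to read DT_FLAGS_1's PIE bit, which newer linkers set.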

Can’t really offer any insight on this one. But are there any disadvantages in doing this?

Looks ok to me. I haven’t looked at the details though.

I’m usually in favour of sticking as close as possible to what Arch does since it minimises our maintenance cost.


PIE should already be enabled in our clang now; I don’t know about gcc.

I also approve; I don’t really see any drawback in doing it from what I am reading.

It’s needless for every package because no one will infiltrate your system to delete your high score^^
Perhaps for the vital packages like kernel, glibc, etc.

We should use x86_64 for -march and -mtune because Chakra is only available for the x86_64 architecture:

-march=x86-64 -O2 -pipe -fstack-protector-strong --param=ssp-buffer-size=4

True, that’s a good point.
After the ISO is out I will implement these changes.

This topic was automatically closed 170 days after the last reply. New replies are no longer allowed.