  1. Mesos
  2. MESOS-6229

Default to using hardened compilation flags

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 1.2.0
    • Component/s: None
    • Labels:
    • Target Version/s:

      Description

      Provide a default set of hardened compilation flags to help protect against overflows and other attacks. Apply to libprocess and stout as well. Current set of flags that were discussed on Slack to implement:

      -Wformat-security
      -Wstack-protector
      -fstack-protector-strong (-fstack-protector-all might be overkill, it could be more effective to use this. Requires gcc >= 4.9 which should be reasonable. Detect compiler support and use what we can but prefer -fstack-protector-strong)
      -pie
      -fPIE
      -fPIC
      -D_FORTIFY_SOURCE=2
      -Wl,-z,relro,-z,now (currently not a part of the patch, this should be another JIRA)
      -fno-omit-frame-pointer

      https://reviews.apache.org/r/52645/
      https://reviews.apache.org/r/52695/
      https://reviews.apache.org/r/52696/
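
The description asks the build to detect compiler support and prefer -fstack-protector-strong. One way to run that probe from a shell, as an added example that is not the Mesos patch or project code; the helper names, the fallback to plain -fstack-protector, and the pairing of -Wformat with -Wformat-security are assumptions:

```shell
#!/bin/sh
# Added example, not Mesos code. cc_accepts and hardened_flags are
# hypothetical helper names.

# cc_accepts CC FLAG...: succeed if CC builds a trivial program with FLAGs.
cc_accepts() {
    _cc=$1; shift
    _dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$_dir/probe.c"
    # -Werror makes "unknown/ignored option" warnings fail the probe.
    "$_cc" -Werror "$@" "$_dir/probe.c" -o "$_dir/probe" >/dev/null 2>&1
    _rc=$?
    rm -rf "$_dir"
    return "$_rc"
}

# hardened_flags CC: print the subset of the ticket's flags that CC accepts.
hardened_flags() {
    _hcc=$1
    _out=""
    # Prefer -strong (gcc >= 4.9 per the ticket). Falling back to plain
    # -fstack-protector is an assumption; the ticket calls -all overkill.
    for _sp in -fstack-protector-strong -fstack-protector; do
        if cc_accepts "$_hcc" "$_sp"; then _out=$_sp; break; fi
    done
    # Flags that only work together are probed as one group:
    #   -Wformat-security is ignored by gcc unless -Wformat is also set
    #   (adding -Wformat is an assumption, it is not in the ticket's list);
    #   -pie at link time needs objects built with -fPIE.
    for _grp in "-Wformat -Wformat-security" "-Wstack-protector" \
                "-fPIE -pie" "-D_FORTIFY_SOURCE=2" "-fno-omit-frame-pointer"; do
        # Unquoted on purpose: each group splits into separate arguments.
        if cc_accepts "$_hcc" $_grp; then _out="$_out $_grp"; fi
    done
    printf '%s\n' "${_out# }"
}

# Report for the compiler named by $CC, or cc if unset.
hardened_flags "${CC:-cc}"
```

The probe only confirms that a flag is accepted; with glibc, -D_FORTIFY_SOURCE=2 adds its checks only when the real build is also compiled with optimization (-O1 or higher).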

              People

              • Assignee:
                aaron.wood Aaron Wood
                Reporter:
                aaron.wood Aaron Wood
                Shepherd:
                Michael Park
              • Votes:
                0
                Watchers:
                5
