[MESOS-6229] Default to using hardened compilation flags - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Minor
Resolution: Fixed
Affects Version/s: None
Fix Version/s: 1.2.0
Component/s: None
Labels:
- c++
- clang
- gcc
- security

Target Version/s:

1.2.0

Description

Provide a default set of hardened compilation flags to help protect against overflows and other attacks. Apply to libprocess and stout as well. Current set of flags that were discussed on slack to implement:

-Wformat-security
-Wstack-protector
-fstack-protector-strong (-fstack-protector-all might be overkill, it could be more effective to use this. Requires gcc >= 4.9 which should be reasonable. Detect compiler support and use what we can but prefer -fstack-protector-strong)
-pie
-fPIE
-fPIC
-D_FORTIFY_SOURCE=2
-Wl,-z,relro,-z,now (currently not a part of the patch, this should be another JIRA)
-fno-omit-frame-pointer

https://reviews.apache.org/r/52645/
https://reviews.apache.org/r/52695/
https://reviews.apache.org/r/52696/

Attachments

Issue Links

depends upon

MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS

Resolved

is blocked by

MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS

Resolved

is related to

MESOS-8908 Add -fno-omit-frame-pointer to improve debugging and profiling.

Resolved

requires

MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS

Resolved

Activity

People

Assignee:: Aaron Wood

Reporter:: Aaron Wood

Shepherd:: Michael Park

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 22/Sep/16 20:28

Updated:: 11/May/18 21:22

Resolved:: 21/Dec/16 03:12