  1. Mesos
  2. MESOS-6229

Default to using hardened compilation flags


Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 1.2.0
    • None

    Description

      Provide a default set of hardened compilation flags to help protect against overflows and other attacks. Apply to libprocess and stout as well. Current set of flags that were discussed on Slack to implement:

      -Wformat-security
      -Wstack-protector
      -fstack-protector-strong (-fstack-protector-all might be overkill, it could be more effective to use this. Requires gcc >= 4.9 which should be reasonable. Detect compiler support and use what we can but prefer -fstack-protector-strong)
      -pie
      -fPIE
      -fPIC
      -D_FORTIFY_SOURCE=2
      -Wl,-z,relro,-z,now (currently not a part of the patch, this should be another JIRA)
      -fno-omit-frame-pointer

      https://reviews.apache.org/r/52645/
      https://reviews.apache.org/r/52695/
      https://reviews.apache.org/r/52696/
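
The description asks to detect compiler support and to prefer -fstack-protector-strong. One way to do that probe in POSIX shell, as an added example that is not the code from the linked reviews: `cc_accepts` and `pick_hardening_flags` are hypothetical names, the fallback to -fstack-protector-all is an assumption, and -fPIC and the relro/now linker flags are left out.

```shell
#!/bin/sh
# Added example, not Mesos build code. CC defaults to "cc".

# cc_accepts FLAG...: true if $CC compiles and links a trivial program with FLAGs.
cc_accepts() {
    probe_dir=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$probe_dir/probe.c"
    # -Werror makes compilers that only warn about unknown options fail the probe.
    "${CC:-cc}" -Werror "$@" -o "$probe_dir/probe" "$probe_dir/probe.c" \
        </dev/null >/dev/null 2>&1
    rc=$?
    rm -rf "$probe_dir"
    return "$rc"
}

# pick_hardening_flags: print the supported flags on one line, space separated.
pick_hardening_flags() {
    flags=""
    # Prefer -fstack-protector-strong (gcc >= 4.9 per the issue); falling back
    # to -fstack-protector-all is this example's assumption.
    for sp in -fstack-protector-strong -fstack-protector-all; do
        if cc_accepts "$sp"; then flags="$sp"; break; fi
    done
    # Each line below is one group that is probed and emitted together.
    # GCC ignores -Wformat-security unless -Wformat is on, so they form a pair;
    # -fPIE (compile) and -pie (link) only make sense together.
    while IFS= read -r group; do
        # $group is left unquoted so it splits into separate flags.
        if cc_accepts $group; then flags="$flags $group"; fi
    done <<EOF
-Wformat -Wformat-security
-Wstack-protector
-fno-omit-frame-pointer
-fPIE -pie
EOF
    # A preprocessor define needs no probe; glibc only applies it when
    # optimization is enabled.
    flags="$flags -D_FORTIFY_SOURCE=2"
    printf '%s\n' "${flags# }"
}
```

Run it as `CC=gcc; pick_hardening_flags` after sourcing the file, and append the printed flags to the build's CXXFLAGS/CFLAGS.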

            People

              aaron.wood Aaron Wood
              aaron.wood Aaron Wood
              Michael Park Michael Park