Description
Provide a default set of hardened compilation flags to help protect against overflows and other attacks. Apply them to libprocess and stout as well. The current set of flags discussed on Slack for implementation:
-Wformat-security
-Wstack-protector
-fstack-protector-strong (-fstack-protector-all might be overkill; it could be more effective to use this. Requires gcc >= 4.9, which should be reasonable. Detect compiler support and use what we can, but prefer -fstack-protector-strong.)
-pie
-fPIE
-fPIC
-D_FORTIFY_SOURCE=2
-Wl,-z,relro,-z,now (currently not part of the patch; this should be another JIRA)
-fno-omit-frame-pointer
https://reviews.apache.org/r/52645/
https://reviews.apache.org/r/52695/
https://reviews.apache.org/r/52696/
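
The "detect compiler support and use what we can" step described above, as an added example in POSIX shell; it is not code from the Mesos patches. The function names are hypothetical, and the fallback from -fstack-protector-strong to plain -fstack-protector is an assumption.

```shell
# Probe a compiler for the flags listed in this issue; keep what it accepts.

# supports_flag CC FLAG...: succeed if CC builds a trivial program with FLAGs.
# -Werror turns "unknown/unused option" warnings into failures, and -Wformat
# is passed along because GCC ignores -Wformat-security without it.
supports_flag() {
    cc=$1; shift
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/probe.c"
    if "$cc" -Werror -Wformat "$@" -o "$tmp/probe" "$tmp/probe.c" \
        >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return "$rc"
}

# pick_stack_protector CC: print the strongest supported stack-protector flag.
# Preferring -strong comes from the issue; the fallback to plain
# -fstack-protector is an assumption of this example.
pick_stack_protector() {
    for flag in -fstack-protector-strong -fstack-protector; do
        if supports_flag "$1" "$flag"; then
            printf '%s\n' "$flag"
            return 0
        fi
    done
    return 1
}

# hardened_flags CC: print the accepted subset of the issue's list for
# executables (-fPIC, for shared libraries, is left out here).
hardened_flags() {
    out=$(pick_stack_protector "$1") || out=
    # -D_FORTIFY_SOURCE=2 only takes effect when optimization (-O1+) is on.
    for flag in -Wformat-security -Wstack-protector -fno-omit-frame-pointer \
                -D_FORTIFY_SOURCE=2; do
        if supports_flag "$1" "$flag"; then out="$out $flag"; fi
    done
    # -pie is a link option and needs objects built with -fPIE: probe the pair.
    if supports_flag "$1" -fPIE -pie; then out="$out -fPIE -pie"; fi
    printf '%s\n' "${out# }"
}

# Usage (assumes the build already enables -Wformat, e.g. via -Wall):
#   CFLAGS="$CFLAGS $(hardened_flags "${CC:-cc}")"
```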
Issue Links
- depends upon: MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS (Resolved)
- is blocked by: MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS (Resolved)
- is related to: MESOS-8908 Add -fno-omit-frame-pointer to improve debugging and profiling. (Resolved)
- requires: MESOS-6239 Fix warnings and errors produced by new hardened CXXFLAGS (Resolved)