Posted to issues@mesos.apache.org by "Aaron Wood (JIRA)" <ji...@apache.org> on 2016/09/22 23:04:21 UTC

[jira] [Commented] (MESOS-6229) Default to using hardened compilation flags

    [ https://issues.apache.org/jira/browse/MESOS-6229?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15514731#comment-15514731 ] 

Aaron Wood commented on MESOS-6229:
-----------------------------------

I think -fstack-protector-all might be way too much. I'm going to benchmark the difference between -fstack-protector and -fstack-protector-strong.

> Default to using hardened compilation flags
> -------------------------------------------
>
>                 Key: MESOS-6229
>                 URL: https://issues.apache.org/jira/browse/MESOS-6229
>             Project: Mesos
>          Issue Type: Improvement
>            Reporter: Aaron Wood
>            Assignee: Aaron Wood
>            Priority: Minor
>              Labels: c++, clang, gcc, security
>
> Provide a default set of hardened compilation flags to help protect against overflows and other attacks. Apply to libprocess and stout as well. Current set of flags that were discussed on slack to implement:
> -Wformat-security
> -Wstack-protector
> -fstack-protector-all
> -pie
> -fPIE 
> -D_FORTIFY_SOURCE=2
> -O2 (possibly -O3 for greater optimizations, up for discussion)
> -Wl,-z,relro,-z,now
> -fno-omit-frame-pointer
> -fstack-protector-strong (-fstack-protector-all might be overkill, it could be more effective to use this. Requires gcc >= 4.9)



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
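
An added example, not part of the original message or of the Mesos build: a shell check that reads `readelf` output and reports which of the flags listed in the issue left a visible mark in a binary. The function names and the sample `readelf` excerpts are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Mesos tree). Reports which items of the flag
# list left a visible mark in an ELF file, based on readelf text output.
# Note: Type DYN is also what a shared library reports, not only a PIE.

# audit_text: stdin = output of `readelf -W -h -l -d --dyn-syms FILE`.
audit_text() {
    awk '
        /^ *Type:/ && /DYN/                   { pie = 1 }     # -fPIE -pie
        /GNU_RELRO/                           { relro = 1 }   # -Wl,-z,relro
        /BIND_NOW/ || (/FLAGS_1/ && /NOW/)    { now = 1 }     # -Wl,-z,now
        /__stack_chk_fail/                    { canary = 1 }  # -fstack-protector*
        /__[a-z]+_chk[@ ]/ || /__[a-z]+_chk$/ { fortify = 1 } # -D_FORTIFY_SOURCE=2
        END {
            print "pie=" (pie ? "yes" : "no")
            print "relro=" (relro ? (now ? "full" : "partial") : "none")
            print "stack_protector=" (canary ? "yes" : "no")
            print "fortify=" (fortify ? "yes" : "no")
        }'
}

# audit_file: run the same checks on a real binary (requires binutils).
audit_file() {
    readelf -W -h -l -d --dyn-syms "$1" | audit_text
}

# Constructed readelf excerpts, trimmed to the lines the checks look at.
sample_hardened() {
    cat <<'EOF'
  Type:                              DYN (Position-Independent Executable file)
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     5: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     6: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)
EOF
}

sample_plain() {
    cat <<'EOF'
  Type:                              EXEC (Executable file)
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
EOF
}

# Demo on the constructed hardened sample; use audit_file for a real binary.
sample_hardened | audit_text
```

A `no` for `stack_protector` or `fortify` on a real binary is not proof the flag was missing: the symbols only appear when at least one function received a canary or a checked libc call.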