Remove FORTIFY_SOURCE since it is not compatible with or used by musl libc. Switch stack protector from all to strong since strong covers the entire practical stack smashing protection threat model. Sort compiler hardening flags A-Z. Sort linker hardening flags A-Z.

2023-01-17 01:33:37 +00:00 · 2023-01-17 01:33:37 +00:00 · 35095be95d
commit 35095be95d
parent e2b1a669c5
1 changed files with 3 additions and 3 deletions
--- a/portage/env/gcc.conf
+++ b/portage/env/gcc.conf
@ -3,7 +3,7 @@
 # Copyright 2022-2023 Inference
 # SPDX-License-Identifier: BSD-3-Clause-Clear

-# Version: 1.0.0.2
+# Version: 2.0.0.3


 # Toolchain
@ -22,8 +22,8 @@ STRIP="strip"

 # Flags
 ## Hardening flags
-C_SEC="-fPIE -fPIC -fstack-protector-all -fstack-clash-protection -D_FORTIFY_SOURCE=2 -fwrapv"
-LD_SEC="-Wl,-pie -Wl,--strip-all -Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+C_SEC="-fPIE -fPIC -fstack-clash-protection -fstack-protector-strong -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-pie -Wl,-z,relro -Wl,--strip-all"
 ## Compiler flags
 CFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=4 -U__gnu_linux__ ${C_SEC}"
 CXXFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=4 ${C_SEC}"