Remove FORTIFY_SOURCE since it is not compatible with or used by musl libc. Switch stack protector from all to strong since strong covers the entire practical stack smashing protection threat model. Sort compiler hardening flags A-Z. Sort linker hardening flags A-Z.

2023-01-17 01:27:42 +00:00 · 2023-01-17 01:27:42 +00:00 · d1106991fd
commit d1106991fd
parent 749da8ae12
1 changed files with 3 additions and 3 deletions
--- a/portage/env/gcc-nolto-nopie.conf
+++ b/portage/env/gcc-nolto-nopie.conf
@ -3,7 +3,7 @@
 # Copyright 2022-2023 Inference
 # SPDX-License-Identifier: BSD-3-Clause-Clear

-# Version: 1.0.0.2
+# Version: 2.0.0.3


 # Toolchain.
@ -23,8 +23,8 @@ STRIP="strip"

 # Flags
 ## Hardening flags
-C_SEC="-fPIC -fstack-protector-all -fstack-clash-protection -D_FORTIFY_SOURCE=2 -fwrapv"
-LD_SEC="-Wl,--strip-all -Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+C_SEC="-fPIC -fstack-clash=protection -fstack-protector-strong -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro -Wl,--strip-all"
 ## Compiler flags
 CFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -U__gnu_linux__ ${C_SEC}"
 CXXFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe ${C_SEC}"