From d91d5d51588f6059e0b9a29320734464b6e891c8 Mon Sep 17 00:00:00 2001
From: inference
Date: Tue, 17 Jan 2023 01:49:32 +0000
Subject: [PATCH] Remove FORTIFY_SOURCE since it is not compatible with or used by musl libc. Switch stack protector from all to strong since strong covers the entire practical stack smashing protection threat model. Switch -ftrivial-auto-var-init from pattern to zero since it is no longer being removed from Clang and is more suitable for hardening. Sort compiler flags A-Z.
---
 portage/env/nopie.conf | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/portage/env/nopie.conf b/portage/env/nopie.conf
index 4c36d20..6987ae9 100644
--- a/portage/env/nopie.conf
+++ b/portage/env/nopie.conf
@@ -3,15 +3,15 @@
 # Copyright 2022-2023 Inference
 # SPDX-License-Identifier: BSD-3-Clause-Clear
-# Version: 1.0.0.2
+# Version: 2.0.0.3
 # Flags
 ## Hardening flags
-C_SEC="-fPIE -fPIC -fstack-protector-all -fstack-clash-protection -D_FORTIFY_SOURCE=2 -ftrivial-auto-var-init=pattern -fwrapv"
+C_SEC="-fPIC -fPIE -fstack-clash-protection -fstack-protector-strong -ftrivial-auto-var-init=zero -fwrapv"
 LD_SEC="-Wl,--strip-all -Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
 ## Compiler flags
-CFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=thin -U__gnu_linux__ ${C_SEC}"
-CXXFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=thin ${C_SEC}"
+CFLAGS="-flto=thin -march=znver3 -mtune=znver3 -O2 -pipe -U__gnu_linux__ ${C_SEC}"
+CXXFLAGS="-flto=thin -march=znver3 -mtune=znver3 -O2 -pipe ${C_SEC}"
 ## Linker flags
 LDFLAGS="-fuse-ld=lld -rtlib=compiler-rt -unwindlib=libunwind -Wl,--thinlto-jobs=4 ${LD_SEC}"
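Review bot: The alphabetical sort of `C_SEC` is not behaviour-neutral, because it turns `-fPIE -fPIC` into `-fPIC -fPIE`, and when both are given Clang and GCC honour whichever comes last. Every package using this override would therefore switch from PIC to PIE code generation, and `-fPIE` objects can fail to link into shared libraries or bind symbols non-interposably. In a file named nopie.conf that looks unintended, though the rest of the file and the packages it applies to are not visible here. I would keep only the flag that is meant to apply (for example just `-fPIC`), or exempt the pair from sorting with a comment such as `# order matters: the last of -fPIC/-fPIE wins`. Separately, `-ftrivial-auto-var-init=zero` is rejected by Clang releases that still require the explicit enable flag for zero-init, so confirm the toolchain in use accepts it on its own.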