Remove FORTIFY_SOURCE since it is not compatible with or used by musl libc. Switch stack protector from all to strong since strong covers the entire practical stack smashing protection threat model. Sort compiler hardening flags A-Z. Sort linker hardening flags A-Z.

2023-01-17 01:31:17 +00:00 · 2023-01-17 01:31:17 +00:00 · e2b1a669c5
commit e2b1a669c5
parent 79d9da5b59
1 changed files with 3 additions and 3 deletions
--- a/portage/env/gcc-nopie.conf
+++ b/portage/env/gcc-nopie.conf
@ -3,7 +3,7 @@
 # Copyright 2022-2023 Inference
 # SPDX-License-Identifier: BSD-3-Clause-Clear

-# Version: 1.0.0.3
+# Version: 2.0.0.4


 # Toolchain
@ -23,8 +23,8 @@ STRIP="strip"

 # Flags
 ## Hardening flags
-C_SEC="-fPIC -fstack-protector-all -fstack-clash-protection -D_FORTIFY_SOURCE=2 -fwrapv"
-LD_SEC="-Wl,--strip-all -Wl,-z,defs -Wl,-z,now -Wl,-z,relro"
+C_SEC="-fPIC -fstack-clash-protection -fstack-protector-strong -fwrapv"
+LD_SEC="-Wl,-z,defs -Wl,-z,now -Wl,-z,relro -Wl,--strip-all"
 ## Compiler flags
 CFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=4 -U__gnu_linux__ ${C_SEC}"
 CXXFLAGS="-march=znver3 -mtune=znver3 -O2 -pipe -flto=4 ${C_SEC}"