diff options
| author |   Sam James <sam@gentoo.org> | 2022-12-28 19:33:34 +0000 |
|---|---|---|
| committer | Sam James <sam@gentoo.org> | 2023-01-01 21:16:42 +0000 |
| commit | 469c078b8ada3bc00da386bd2eaa2dc3410e3323 (patch) | |
| tree | b773079d7a3d2d383326629744cfbfe53da2db21 /2023-01-01-hardening-fortify-assertions | |
| parent | 2022-12-27-alternatives-introduction: note it's ok if nothing to depclean (diff) | |
| download | gentoo-news-469c078b8ada3bc00da386bd2eaa2dc3410e3323.tar.gz gentoo-news-469c078b8ada3bc00da386bd2eaa2dc3410e3323.tar.bz2 gentoo-news-469c078b8ada3bc00da386bd2eaa2dc3410e3323.zip | |
2023-01-01-hardening-fortify-assertions: add item
Bug: https://bugs.gentoo.org/876893
Bug: https://bugs.gentoo.org/876895
Signed-off-by: Sam James <sam@gentoo.org>
Diffstat (limited to '2023-01-01-hardening-fortify-assertions')
| -rw-r--r-- | 2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt | 57 |
1 files changed, 57 insertions, 0 deletions
diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt new file mode 100644 index 0000000..dfe9127 --- /dev/null +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt @@ -0,0 +1,57 @@ +Title: Hardened profiles improvements +Author: Sam James <sam@gentoo.org> +Posted: 2023-01-01 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Profile: features/hardened +Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened +Display-If-Profile: default/linux/ppc/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened +Display-If-Profile: default/linux/amd64/17.0/hardened +Display-If-Profile: default/linux/amd64/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.1/hardened +Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened +Display-If-Profile: default/linux/x86/17.0/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/armv6j/hardened +Display-If-Profile: default/linux/ppc64/17.0/musl/hardened +Display-If-Profile: default/linux/arm64/17.0/hardened +Display-If-Profile: default/linux/arm64/17.0/musl/hardened + +Gentoo's hardened profiles are adopting two new modern toolchain hardening +techniques: +1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0] +2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] + +These will both be enabled by default with USE=hardened on sys-devel/gcc +for >=sys-devel/gcc-12.2.1_p20221224-r1. + +To view the existing list of hardening changes applied by the profiles, +see the wiki [2]. + +Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into +/etc/portage/package.accept_keywords if they wish to take advantage +of these improvements early, before GCC 12 is marked stable. + +## Migration + +To fully take advantage of these new settings, GCC must first +be upgraded, and then all packages must be re-emerged: +1. emerge --sync +2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1" +3. emerge --verbose --emptytree @world + +## Troubleshooting + +In the event that some packages fail at runtime, please file a bug +with the full details. To temporarily workaround the problem, +it should be possible to recompile broken packages with the +following *FLAGS: +CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2" +CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS" + +[0] https://bugs.gentoo.org/876893 +[1] https://bugs.gentoo.org/876895 +[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes |