
KDECompilerSettings: Build with -fhardened if available

Nicolas Fella requested to merge work/nico/hardened into master

This enables a bunch of (security) hardening features in GCC, some of which are already applied in downstream builds.

Add it here so that developer builds also benefit from it.

Quoting from https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html

Enable a set of flags for C and C++ that improve the security of the generated code without affecting its ABI. The precise flags enabled may change between major releases of GCC, but are currently:

-D_FORTIFY_SOURCE=3
-D_GLIBCXX_ASSERTIONS
-ftrivial-auto-var-init=zero
-fPIE -pie -Wl,-z,relro,-z,now
-fstack-protector-strong
-fstack-clash-protection
-fcf-protection=full (x86 GNU/Linux only)

The list of options enabled by -fhardened can be generated using the --help=hardened option.

When the system glibc is older than 2.35, -D_FORTIFY_SOURCE=2 is used instead.

This option is intended to be used in production builds, not merely in debug builds.

Currently, -fhardened is only supported on GNU/Linux targets.

-fhardened only enables a particular option if it wasn’t already specified anywhere on the command line. For instance, -fhardened -fstack-protector will only enable -fstack-protector, but not -fstack-protector-strong.

Edited by Nicolas Fella
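
To confirm that a developer build actually picked up the flags quoted above, the ones that leave a trace in the linked ELF file (`-fPIE -pie`, `-Wl,-z,relro,-z,now`, `-fstack-protector-strong`, `-D_FORTIFY_SOURCE`) can be read back with `readelf`. This is an added example, not part of the merge request or of KDE's build system; the function name `hardening_report`, its output format and the script name are made up here, and binutils `readelf` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the merge request): read back the effects of
# -fhardened that are visible in a linked ELF file.
# hardening_report expects the output of
#   readelf -W -h -l -d --dyn-syms FILE
# on stdin and prints a one-line summary.

hardening_report() {
    awk '
        # ELF header: -fPIE -pie produces ET_DYN instead of ET_EXEC.
        $1 == "Type:" && $2 == "DYN"    { dyn = 1 }
        # Program headers: executables carry PT_INTERP, plain shared
        # libraries normally do not; PT_GNU_RELRO comes from -z relro.
        $1 == "INTERP"                  { interp = 1 }
        $1 == "GNU_RELRO"               { ro = 1 }
        # Dynamic section: -z now shows up as DT_BIND_NOW, as BIND_NOW in
        # DT_FLAGS, or as NOW in DT_FLAGS_1, depending on the linker.
        /\((BIND_NOW|FLAGS|FLAGS_1)\)/ && /NOW/ { now = 1 }
        # Dynamic symbols: canary failure handler and fortified libc calls.
        /__stack_chk_fail/              { canary = 1 }
        /__[a-z_]+_chk[@ ]/ || /__[a-z_]+_chk$/ { fortify = 1 }
        END {
            kind  = !dyn ? "non-pie" : (interp ? "pie" : "shared")
            relro = !ro  ? "none"    : (now ? "full" : "partial")
            printf "type=%s relro=%s stack_protector=%s fortify=%s\n",
                kind, relro, (canary ? "yes" : "no"), (fortify ? "yes" : "no")
        }
    '
}

# Usage: sh check-hardened.sh build/bin/*   (script name is a placeholder)
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        printf "%s: " "$f"
        readelf -W -h -l -d --dyn-syms "$f" | hardening_report
    done
fi
```

A `no` for `stack_protector` or `fortify` can also mean that no function in the binary needed a canary or called a fortifiable libc function. `-ftrivial-auto-var-init=zero`, `-D_GLIBCXX_ASSERTIONS`, `-fstack-clash-protection` and `-fcf-protection=full` are not covered by this check.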
