hardened cflag defaults

Bug #1805216 reported by Sergio Schvezov
This bug affects 1 person
Affects: Snapcraft
Status: Fix Released
Importance: Wishlist
Assigned to: Sergio Schvezov
Milestone: none

Bug Description

Reuse the hardened flags used for Ubuntu as a starting point.

Changed in snapcraft:
importance: Undecided → Wishlist
status: New → Triaged
Alex Murray (alexmurray) wrote :

Currently we use the following flags where supported by the underlying architecture:

-Wformat -Wformat-security -fstack-protector-strong, -D_FORTIFY_SOURCE=2, -Wl,-z,relro -pie, -Wl,-z,now

Changed in snapcraft:
assignee: nobody → Sergio Schvezov (sergiusens)
milestone: none → 3.1.1
Changed in snapcraft:
milestone: 3.1.1 → 3.2
Changed in snapcraft:
status: Triaged → In Progress
Sergio Schvezov (sergiusens) wrote :

There is no work to be done here; it has already been done.

Changed in snapcraft:
milestone: 3.2 → none
status: In Progress → Fix Released
Alex Murray (alexmurray) wrote :

For clarification, in Ubuntu we patch gcc to enable the hardening CFLAGS etc by default - and these apply even if CFLAGS is manually specified (as is the case for snapcraft) and so snapcraft gets the hardening options for free. Verified by checking https://snapcraft.io/indicator-sensors/ built on a new bionic (base: core18) builder:

$ hardening-check /snap/indicator-sensors/current/usr/bin/indicator-sensors
/snap/indicator-sensors/current/usr/bin/indicator-sensors:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: yes
 Immediate binding: yes
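
What the five lines of the hardening-check output above correspond to inside the ELF file, as an added example that is not part of the bug thread or of hardening-check itself. The function applies simplified heuristics (an assumption of this example) to `readelf` output, and both sample inputs are constructed.

```python
import re
import subprocess
import sys

# Constructed samples: trimmed `readelf -W -h -l -d --dyn-syms` output, not taken from the bug.
HARDENED = """\
  Type:                              DYN (Shared object file)
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0001f8 0x0001f8 R   0x8
  GNU_RELRO      0x002d50 0x0000000000003d50 0x0000000000003d50 0x0002b0 0x0002b0 R   0x1
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __sprintf_chk@GLIBC_2.3.4 (3)
"""
PARTIAL = """\
  Type:                              EXEC (Executable file)
  PHDR           0x000040 0x0000000000400040 0x0000000000400040 0x0001f8 0x0001f8 R   0x8
  GNU_RELRO      0x002e10 0x0000000000403e10 0x0000000000403e10 0x0001f0 0x0001f0 R   0x1
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND sprintf@GLIBC_2.2.5 (2)
"""

def hardening_report(text):
    """Map combined readelf output to the five properties (simplified heuristics)."""
    # Undefined dynamic symbols show which libc helpers the binary imports.
    undefined = set(re.findall(r"\bUND[ \t]+(\w+)", text))
    is_dyn = re.search(r"^\s*Type:\s+DYN\b", text, re.M) is not None
    has_phdr = re.search(r"^\s*PHDR\s", text, re.M) is not None
    return {
        # -pie: ET_DYN with a PHDR segment (plain shared libraries normally lack PHDR).
        "Position Independent Executable": is_dyn and has_phdr,
        # -fstack-protector-strong: canary failures call __stack_chk_fail.
        "Stack protected": "__stack_chk_fail" in undefined,
        # -D_FORTIFY_SOURCE=2: libc calls are redirected to __*_chk variants.
        "Fortify Source functions": any(re.fullmatch(r"__\w+_chk", s) for s in undefined),
        # -Wl,-z,relro: a GNU_RELRO segment is present.
        "Read-only relocations": re.search(r"^\s*GNU_RELRO\s", text, re.M) is not None,
        # -Wl,-z,now: BIND_NOW in the dynamic section.
        "Immediate binding": re.search(r"\bBIND_NOW\b|Flags:.*\bNOW\b", text) is not None,
    }

if __name__ == "__main__":
    # Usage: python3 check.py /path/to/binary (requires readelf from binutils).
    out = subprocess.run(["readelf", "-W", "-h", "-l", "-d", "--dyn-syms", sys.argv[1]],
                         capture_output=True, text=True, check=True).stdout
    for name, ok in hardening_report(out).items():
        print(f" {name}: {'yes' if ok else 'no'}")
```

The second sample shows why the last two properties are reported separately: a GNU_RELRO segment without BIND_NOW leaves the lazily bound part of the GOT writable.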
