From Fedora Project Wiki

Revision as of 17:19, 19 March 2019 by Bcotton (talk | contribs) (Change submitted to FESCo https://pagure.io/fesco/issue/2110)


Enable Compiler Security hardening flags by default in GCC

Summary

By Default enable a few security hardening flags which are used with GCC.

Owner

Current status

  • Targeted release: Fedora 31
  • Last updated: 2019-03-19

Detailed Description

Currently GCC does not enable any security hardening flags by default. They have to be explicitly enabled by the developers one-by-one. Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however enables them and therefore has a hardened compiler by default. Each of these options can be explicitly disabled if required by the developer via a GCC command line flag. I am currently proposing the following flags be enabled by default.

-Wformat -Wformat-security -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O

No Flag Use How to disable
1 -Wformat Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. -Wno-format
2 -Wformat-security If -Wformat is specified, also warn about uses of format functions that represent possible security problems. -Wno-format should disable this as well
3 -fstack-protector-strong Like -fstack-protector but includes additional functions to be protected --- those that have local array definitions, or have references to local frame addresses. -fno-stack-protector


Benefit to Fedora

We provide better security both for our packages and for applications/programs which users are building.

Scope

  • Proposal owners: Patch gcc to enable these options by default. Patch should be very simple, since the compile/link code isnt actually touched. Also glibc needs to be patched "because of pesky warning it prints without optimization."
  • Other developers: Developers need to ensure that Fedora package is built and if any build failures they are corrected
  • Release engineering: #8204
  • Policies and guidelines: The policies and guidelines do not need to be updated.
  • Trademark approval: Not needed for this change

Upgrade/compatibility impact

None

How To Test

Run "gcc -Q -v <foo.c>" to check if these flags are enabled by default

User Experience

Fedora is more secure because the entire distribution is compiled with the correct security technologies enabled. Developers dont have to worry about enabling the right flags when they compile their application in Fedora because the compiler has them enabled by default.

Dependencies

All packages will be rebuild with new GCC options.

Contingency Plan

  • Contingency mechanism: Roll back the GCC options and use the default ones.
  • Contingency deadline: Beta Feeze
  • Blocks release? No

Documentation

Release Notes

  • Release Notes tracking: <will be assigned by the Wrangler>