Add some compile time checks for arrays, see
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
Details
Details
- Reviewers
- None
- Group Reviewers
fortify source security
All of this runs since some months on a jail host with mysql, postgresql,
redis, named, unbound, openldap, postfix, rspamd, dovecot, php 8.3,
python, various java based services, squid, nginx, samba, ...
Diff Detail
Diff Detail
- Repository
- rG FreeBSD src repository
- Lint
Lint Skipped - Unit
Tests Skipped
Event Timeline
Comment Actions
I'd like to see this committed as separated changes, so that if a user encounters trouble we could suggest reverting just one part. Adding -fstack-clash-protection lgtm.
| share/mk/bsd.sys.mk | ||
|---|---|---|
| 312–313 | Where is _GLIBCXX_ASSERTIONS checked? | |
Comment Actions
I'll split the two parts up and try to come up with something for the docs.
| share/mk/bsd.sys.mk | ||
|---|---|---|
| 312–313 | This started in November with a discussion in freebsd-current@ (https://lists.freebsd.org/archives/freebsd-current/2024-November/006659.html). Our libc++ is already using -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE, and _GLIBCXX_ASSERTIONS is doing something similar for libstdc++ which we don't have (yet) in base. There where questions in IIRC hackers@ about interest to have the possibility to use libstdc++ to some extend. I thought it is better to move this here. For _GLIBCXX_ASSERTIONS we can remove it (as not used), or we can keep it (if we get support for libstdc++, we want to have it at a similar level than libc++). There was no feedback regarding this in the email thread. | |