From: Frederic Berat <fberat@redhat.com>
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Andreas Schwab <schwab@suse.de>,
Siddhesh Poyarekar <siddhesh@gotplt.org>,
libc-alpha@sourceware.org
Subject: Re: [PATCH v3 16/16] Add --enable-fortify-source option
Date: Tue, 4 Jul 2023 14:40:57 +0200 [thread overview]
Message-ID: <CAObJKZra=-wRP_7UOoP-J5dt69u6HYV3MnxHNK2YvKU3F6nRmQ@mail.gmail.com> (raw)
In-Reply-To: <74d8f503-e056-254c-6a01-8d50cfc9f6f0@linaro.org>
[-- Attachment #1: Type: text/plain, Size: 2186 bytes --]
On Mon, Jul 3, 2023 at 2:51 PM Adhemerval Zanella Netto <
adhemerval.zanella@linaro.org> wrote:
>
>
> On 03/07/23 05:50, Andreas Schwab wrote:
> > On Jun 30 2023, Siddhesh Poyarekar wrote:
> >
> >> On 2023-06-28 04:42, Frédéric Bérat wrote:
> >>> It is now possible to enable fortification through a configure option.
> >>> The level may be given as parameter, if none is provided, the configure
> >>> script will determine what is the highest level possible that can be
> set
> >>> considering GCC built-ins availability and set it.
> >>> If level is explicitly set to 3, configure checks if the compiler
> >>> supports the built-in function necessary for it or raise an error if it
> >>> isn't.
> >>> The result of the configure checks is a new variables,
> ${fortify_source}
> >>> that can be used to appropriately populate CFLAGS.
> >>> Updated NEWS and INSTALL.
> >>> Adding dedicated x86_64 variant that enables the configuration.
> >>
> >> Adhemerval, do you still think we should drop this and only look at
> >> CFLAGS? I am still not a 100% convinced that we should only look at
> >> CFLAGS (it gives much less control which makes me uneasy) but I see your
> >> point. We'll be setting CFLAGS in Fedora anyway (which I guess will be
> >> true for Ubuntu, Gentoo, Debian, etc. too) and the pre-commit CI will
> >> likely have _FORTIFY_SOURCE disabled so we may have adequate coverage.
> >
> > I prefer a configure option, mirroring --enable-stack-protector. Since
> > glibc has very strict requirements wrt compiler flags it needs to handle
> > it specially anyway, and making it explicit is cleaner.
> >
>
> Fair enough, I am aiming to simplify the configure options and thus the
> build permutation that arise for multiple option; but I see that following
> current practice should be ok.
>
>
That would mean for me to do the following on this patch:
- if "--enable-fortify-source" is set, set -D_FORTIFY_SOURCE accordingly
(already done).
- if "--enable-fortify-source" is NOT set (i.e. assume
"--disable-fortify-source"), forcibly undefine _FORTIFY_SOURCE (currently
not done).
Do you all agree with that ?
Fred.
next prev parent reply other threads:[~2023-07-04 12:41 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-28 8:42 [PATCH v3 00/16] Allow glibc to be built with _FORTIFY_SOURCE Frédéric Bérat
2023-06-28 8:42 ` [PATCH v3 01/16] " Frédéric Bérat
2023-06-28 14:48 ` Joseph Myers
2023-06-28 8:42 ` [PATCH v3 02/16] Exclude routines from fortification Frédéric Bérat
2023-06-30 14:55 ` Siddhesh Poyarekar
2023-07-03 15:16 ` Frederic Berat
2023-07-04 16:04 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 03/16] sysdeps: Ensure ieee128*_chk routines to be properly named Frédéric Bérat
2023-06-30 14:58 ` Siddhesh Poyarekar
2023-06-30 15:55 ` Paul E Murphy
2023-06-30 15:57 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 04/16] string: Ensure *_chk routines have their hidden builtin definition available Frédéric Bérat
2023-06-30 15:06 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 05/16] stdio: " Frédéric Bérat
2023-06-30 15:09 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 06/16] asprintf_chk: Ensure compatibility for both s390x and ppc64le Frédéric Bérat
2023-06-30 15:11 ` Siddhesh Poyarekar
2023-06-30 16:08 ` Rajalakshmi Srinivasaraghavan
2023-06-30 17:51 ` Paul E Murphy
2023-07-03 5:35 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 07/16] misc/sys/cdefs.h: Create FORTIFY redirects for internal calls Frédéric Bérat
2023-06-30 15:13 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 08/16] wchar: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:17 ` Siddhesh Poyarekar
2023-06-30 15:26 ` Frederic Berat
2023-06-28 8:42 ` [PATCH v3 09/16] posix/bits/unistd.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:19 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 10/16] unistd: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:25 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 11/16] misc/bits/select2.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:26 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 12/16] misc/bits/syslog.h: Clearly separate declaration from definition Frédéric Bérat
2023-06-30 15:28 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 13/16] libio/bits/stdio2.h: Clearly separate declaration from definitions Frédéric Bérat
2023-06-30 15:29 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 14/16] libio/bits/stdio2-decl.h: Avoid PLT entries with _FORTIFY_SOURCE Frédéric Bérat
2023-06-30 15:30 ` Siddhesh Poyarekar
2023-06-30 15:38 ` Frederic Berat
2023-06-30 15:48 ` Siddhesh Poyarekar
2023-06-30 17:08 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 15/16] sysdeps/ieee754/ldbl-128ibm-compat: Fix warn unused result Frédéric Bérat
2023-06-30 15:33 ` Siddhesh Poyarekar
2023-06-28 8:42 ` [PATCH v3 16/16] Add --enable-fortify-source option Frédéric Bérat
2023-06-30 13:51 ` Siddhesh Poyarekar
2023-07-03 8:50 ` Andreas Schwab
2023-07-03 12:51 ` Adhemerval Zanella Netto
2023-07-04 12:40 ` Frederic Berat [this message]
2023-07-04 15:59 ` Siddhesh Poyarekar
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAObJKZra=-wRP_7UOoP-J5dt69u6HYV3MnxHNK2YvKU3F6nRmQ@mail.gmail.com' \
--to=fberat@redhat.com \
--cc=adhemerval.zanella@linaro.org \
--cc=libc-alpha@sourceware.org \
--cc=schwab@suse.de \
--cc=siddhesh@gotplt.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).