compiler-flags-distro
compiler-flags-distro copied to clipboard
Published
20 hours ago •
jvoisin
jvoisin
Usage of enabled-by-default hardening-related compiler flags across Linux distributions
Usage of enabled-by-default hardening-related compiler flags across Linux distributions
| . | Alpine | Debian | Fedora | Gentoo | Gentoo Hardened | Ubuntu | OpenSUSE | ArchLinux | OpenBSD | Chimera Linux | Android | Google Chrome |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
-D_FORTIFY_SOURCE=2 |
yes | 2011 | 2007 | yes | superseded | 2008 | 2005 | 2021 | ? | yes | 2017 | yes |
-D_FORTIFY_SOURCE=3 |
no | no | 2023 | no | 2022 | 2024 | 2023 | not yet | ? | 2024 | no | yes |
-D_GLIBCXX_ASSERTIONS |
2023 | no | 2018 | no | 2022 | no | yes | 2021 | no | no | no | ? |
-D_LIBCPP_HARDENING_MODE_HARDENED/-flibc++-hardening |
no | no | no | no | ? | no | no | no | ? | ? | no | ? |
-D_LIBCPP_ENABLE_HARDENED_MODE (deprecated) |
not yet[^1] | no | no | no | 2023 | no | no | no | ? | ? | no | yes |
-D_LIBCXX_ENABLE_ASSERTIONS (llvm16) |
no | no | no | no | superseded | no | no | no | ? | yes | ? | yes |
-Wformat -Wformat-security/-Wformat=2 |
2023 | 2011 | 2013 | 2009 | 2009 | 2008 | yes | 2021 | ? | 2023 | 2010 | yes |
-Wl,-z,noexecstack |
yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | yes | |
-Wl,-z,relro/-Wl,-z,now |
yes | yes | 2015 | no | yes | 2008 | 2006 | 2017 | ? | yes | 2013 | yes |
-fPIE/-fPIC/… |
2008 | 2011 | 2015 | yes | yes | 2016 | 2017 | 2017 | yes | yes | 2012 | yes |
-fcf-protection/-mcet[^2] |
no | 2023 | 2018 | no | 2021 | 2019 | yes | 2021 | 2023 | no | no | ? |
-fsanitize=bounds |
no | no | no | no | no | no | no | no | no | no | 2019, partial | no |
-fsanitize=cfi[^2] |
no | no | no | no | no | no | no | no | no | partial | 2018, partial | ? |
-fsanitize=safe-stack[^2] |
no | no | no | no | no | no | no | no | no | no | ? | ? |
-fsanitize=shadow-call-stack[^2] |
no | no | no | no | no | no | no | no | no | no | 2019, partial | ? |
-fsanitize=signed-integer-overflow/-ftrapv |
no | no | no | no | no | no | no | no | no | yes | 2018, partial | ? |
-fsanitize=undefined |
no | no | no | no | no | no | no | no | ? | no | ? | ? |
-fstack-clash-protection |
2023 | yes | 2018 | no | 2018 | 2019 | 2018 | 2021 | ? | yes | ? | ? |
-fstack-protector-strong |
yes | yes | yes | yes | yes | 2014 | 2006 | 2014 | yes | yes | 2015 | ? |
-fstack-protector |
superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | superseded | 2009 | ? |
-ftrivial-auto-var-init=zero |
no | no | no | no | no | no | no | no | ? | 2023 | 2020 | ? |
-mbranch-protection=standard/-mbranch-target-enforce |
no | 2023 | 2020 | no | no | 2023 | no | no | 2023 | no | ? | ? |
-mshstk |
no | no | no | no | no | no | no | no | no | no | ? | ? |
-msign-return-address=[all/non-leaf] |
no | no | superseded | no | no | no | no | no | superseded | superseded | ? | ? |
Note that:
- some flags are incompatible between each other
- some flags are more useful than others
- some flags are superseding some others
- some libc are incompatible with some flags
- "partial" means "enabled in a lot of places, but not everywhere, with substantial caveats"
- while Google Chrome isn't a distribution, given the size of its source code, it's close enough™ to warrant inclusion in the table.
Sources and resources:
- https://src.fedoraproject.org/rpms/redhat-rpm-config//blob/rawhide/f/buildflags.md
- https://en.opensuse.org/openSUSE:Security_Features
- https://gcc.gnu.org/pipermail/gcc-patches/2023-August/628748.html
- https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
- https://gitlab.archlinux.org/archlinux/rfcs/-/blob/master/rfcs/0003-buildflags.rst?ref_type=heads
- https://man.openbsd.org/clang-local
- https://sergesanspaille.fedorapeople.org/lpc2020.pdf
- https://wiki.ubuntu.com/Security/Features
- https://wiki.ubuntu.com/ToolChain/CompilerFlags
- https://fedoraproject.org/wiki/Security_Features_Matrix
- https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
[^1]: As -D_LIBCPP_ENABLE_HARDENED_MODE only works for llvm18, which isn't in Alpine yet. It replaces -D_LIBCPP_ASSERT and -D_LIBCPP_ENABLE_ASSERTIONS.
[^2]: Not supported by musl libc
jvoisin