lz4-java

Recommended compiler and linker flags for GCC when building native library

Open myfirenze opened this issue 4 years ago • 2 comments

liblz4-java.so is embedded in the lz4-java library. Some security compiler and linker flags are not enabled for the Linux platform when building liblz4-java.so, which may cause security risks.

| FilePath | Object | BIND_NOW | NX | PIC | PIE | RELRO | SP | NO Rpath/RunPath | FS | Ftrapv | Strip |
|---|---|---|---|---|---|---|---|---|---|---|---|
| lz4-java-1.6.0.jar_/net/jpountz/util/linux/s390x/liblz4-java.so | liblz4-java.so | NO | YES | YES | UNUSED | YES | NO | NO | NO | NO | NO |
| lz4-java-1.6.0.jar_/net/jpountz/util/linux/i386/liblz4-java.so | liblz4-java.so | NO | YES | YES | UNUSED | NO | NO | NO | NO | NO | NO |
| lz4-java-1.6.0.jar_/net/jpountz/util/linux/aarch64/liblz4-java.so | liblz4-java.so | NO | YES | YES | UNUSED | YES | NO | NO | NO | NO | NO |
| lz4-java-1.6.0.jar_/net/jpountz/util/linux/ppc64le/liblz4-java.so | liblz4-java.so | NO | YES | YES | UNUSED | YES | YES | NO | NO | NO | NO |
| lz4-java-1.6.0.jar_/net/jpountz/util/linux/amd64/liblz4-java.so | liblz4-java.so | NO | YES | YES | UNUSED | YES | YES | NO | NO | NO | NO |

See https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

myfirenze, Jun 22 '20 06:06

thanks, @myfirenze,

Among the recommended flags in the link, did you have any specific reason you picked up these six (BIND_NOW, NX, PIC, PIE, RELRO, and SP)? Are they particularly recommended flags, or are they just examples?

Also, what does NX stand for? Does SP mean stack protection?

odaira, Jul 25 '20 05:07

> thanks, @myfirenze,
>
> Among the recommended flags in the link, did you have any specific reason you picked up these six (BIND_NOW, NX, PIC, PIE, RELRO, and SP)? Are they particularly recommended flags, or are they just examples?
>
> Also, what does NX stand for? Does SP mean stack protection?

See this page for more thorough info on these flags: https://fedoraproject.org/wiki/Security_Features_Matrix. You can also see how those distros enable them on builds and why. NX stands for "non executable memory." I don't usually see "SP" used, but my guess is that it stands for "stack protector", as it's called on the above page.

tcullum-rh, Feb 24 '21 22:02
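As an added example (not part of the thread and not lz4-java project code), the sketch below shows how the NX, RELRO, BIND_NOW and Rpath/RunPath columns of the table in the issue can be derived from an ELF64 file's program headers and dynamic section. `hardening` and `sample_elf` are hypothetical names, and the input is a constructed minimal image that mirrors the BIND_NOW = NO, NX = YES, RELRO = YES pattern reported for the four 64-bit objects; the SP, PIC and other columns are out of scope here.

```python
import struct

PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
DT_RPATH, DT_BIND_NOW, DT_RUNPATH, DT_FLAGS, DT_FLAGS_1 = 15, 24, 29, 30, 0x6FFFFFFB

def hardening(elf: bytes) -> dict:
    """Derive the NX, RELRO, BIND_NOW and RPATH/RUNPATH columns for an ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2:
        raise ValueError("not ELF64 (ELF32 objects such as i386 are not handled here)")
    e = "<" if elf[5] == 1 else ">"  # EI_DATA: 1 = little-endian, 2 = big-endian
    (phoff,) = struct.unpack_from(e + "Q", elf, 32)
    phentsize, phnum = struct.unpack_from(e + "HH", elf, 54)
    # Assumption of this example: a missing PT_GNU_STACK header is reported as NX off,
    # because it leaves the stack permissions to the platform default.
    r = {"NX": False, "RELRO": False, "BIND_NOW": False, "RPATH": False}
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from(
            e + "IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            r["NX"] = not (p_flags & 1)  # PF_X on the stack segment = executable stack
        elif p_type == PT_GNU_RELRO:
            r["RELRO"] = True  # produced by -Wl,-z,relro
        elif p_type == PT_DYNAMIC:
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(e + "qQ", elf, off)
                if tag == 0:  # DT_NULL ends the dynamic section
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & 0x8) \
                        or (tag == DT_FLAGS_1 and val & 0x1):
                    r["BIND_NOW"] = True  # produced by -Wl,-z,now
                if tag in (DT_RPATH, DT_RUNPATH):
                    r["RPATH"] = True
    # RELRO without BIND_NOW is only partial: the lazily bound part of the GOT stays writable.
    r["FULL_RELRO"] = r["RELRO"] and r["BIND_NOW"]
    return r

def sample_elf(dyn_tags: list) -> bytes:
    """Constructed minimal little-endian ELF64 shared object (not a real liblz4-java.so)."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_tags + [(0, 0)])
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, 3, 0, 0, 0)
    off = 64 + 3 * 56  # dynamic section follows the three program headers
    ph = lambda t, f, o, n: struct.pack("<IIQQQQQQ", t, f, o, o, o, n, n, 8)
    return (ehdr + ph(PT_DYNAMIC, 6, off, len(dyn)) + ph(PT_GNU_STACK, 6, 0, 0)
            + ph(PT_GNU_RELRO, 4, off, len(dyn)) + dyn)

if __name__ == "__main__":
    print(hardening(sample_elf([(DT_FLAGS, 0)])))    # RELRO and NX, but no BIND_NOW
    print(hardening(sample_elf([(DT_FLAGS, 0x8)])))  # as if linked with -Wl,-z,relro,-z,now
```

To check a real object, pass the bytes of a `liblz4-java.so` extracted from the jar to `hardening`.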