System hardening: enable basic options (!30) · Merge requests · Turris / Turris OS / Turris Build · GitLab

GitLab now enforces expiry dates on tokens that originally had no set expiration date. Those tokens were given an expiration date of one year later. Please review your personal access tokens, project access tokens, and group access tokens to ensure you are aware of upcoming expirations. Administrators of GitLab can find more information on how to identify and mitigate interruption in our documentation.

Self sign-up has been disabled due to increased spam activity. If you want to get access, please send an email to a project owner (preferred) or at gitlab(at)nic(dot)cz. We apologize for the inconvenience.

Jan Pavlinec requested to merge hardening into master Aug 22, 2019

This PR enables hardening options for all builds.

It sets FORTIFY_SOURCE = 2 http://man7.org/linux/man-pages/man7/feature_test_macros.7.html

If _FORTIFY_SOURCE is set to 1, with compiler optimization level 1 (gcc -O1) and above, checks that shouldn't change the behavior of conforming programs are performed. With _FORTIFY_SOURCE set to 2, some more checking is added, but some conforming programs might fail.

Enables strong stackguard protection STACKPROTECTOR_STRONG https://lwn.net/Articles/584225/
Enables ASLR for user space application PKG_ASLR_PIE https://en.wikipedia.org/wiki/Address_space_layout_randomization#Linux