Opened 2 years ago

Last modified 19 months ago

#21448 new defect

Identify what build flags we should be using for security, and use them

Reported by: arthuredelstein Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: tbb-security
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description (last modified by arthuredelstein)

I think we may be able to add some configure/compiler/linker flags in Tor Browser that can improve security without many downsides. Let's figure out what those are and add them.

Child Tickets

Ticket	Status	Owner	Summary	Component
#23024	needs_revision	tbb-team	Flags to increase hardening on Windows	Applications/Tor Browser
#23025	closed	arthuredelstein	Flags to increase hardening on macOS	Applications/Tor Browser
#23591	new	tbb-team	Build Tor and Tor Browser with -mmitigate-rop	Applications/Tor Browser

Change History (16)

comment:1 Changed 2 years ago by arthuredelstein

Using about:buildconfig, the browser reports compiler flags and configure arguments for our tor-browser.git builds. Are these a complete list of the compiler flags actually used? I don't know. In any case, here are the current reports:

Linux TBB 6.5:

target
x86_64-unknown-linux-gnu

Build tools
Compiler 	Version 	Compiler flags
gcc 	5.1.0 	-Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -frandom-seed=tor -std=gnu99 -fgnu89-inline -fno-strict-aliasing -fno-math-errno -pthread -pipe
c++ 	5.1.0 	-Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -frandom-seed=tor -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -pipe -DNDEBUG -DTRIMMED -g -freorder-blocks -Os -fomit-frame-pointer

Configure arguments
--enable-application=browser --enable-optimize --enable-official-branding --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-strip --disable-install-strip --disable-tests --disable-debug --disable-maintenance-service --disable-crashreporter --disable-webrtc --disable-eme --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

Windows TBB 6.5:

target
i686-w64-mingw32

Build tools
Compiler    Version     Compiler flags
i686-w64-mingw32-gcc -mwindows  5.1.0   -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -Wcast-align -Wno-format -std=gnu99 -fgnu89-inline -fno-strict-aliasing -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-math-errno -pipe
i686-w64-mingw32-g++ -mwindows  5.1.0   -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wcast-align -Wno-format -fno-exceptions -fno-strict-aliasing -mms-bitfields -mstackrealign -fno-keep-inline-dllexport -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pipe -DNDEBUG -DTRIMMED -g -O -fomit-frame-pointer

Configure arguments 
--enable-application=browser --target=i686-w64-mingw32 --enable-default-toolkit=cairo-windows --disable-debug --enable-optimize --enable-strip --enable-official-branding --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-sandbox --disable-eme --disable-crashreporter --disable-maintenance-service --disable-webrtc --disable-tests --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

Mac TBB 6.5:

target
x86_64-apple-darwin

Build tools
Compiler    Version     Compiler flags
/home/debian/build/tor-browser/clang/bin/clang -target x86_64-apple-darwin10 -mlinker-version=136 -B /home/debian/build/tor-browser/cctools/bin -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk     3.8.0   -Qunused-arguments -Wall -Wempty-body -Wpointer-to-int-cast -Wsign-compare -Wtype-limits -Wno-unused -std=gnu99 -fno-strict-aliasing -fno-math-errno -pthread -DNO_X11 -pipe
/home/debian/build/tor-browser/clang/bin/clang++ -target x86_64-apple-darwin10 -mlinker-version=136 -B /home/debian/build/tor-browser/cctools/bin -isysroot /home/debian/build/tor-browser/MacOSX10.7.sdk   3.8.0   -Qunused-arguments -Qunused-arguments -Wno-unused-local-typedef -Wall -Wempty-body -Woverloaded-virtual -Wsign-compare -Wwrite-strings -Wno-invalid-offsetof -Wno-inline-new-delete -Wno-unused-local-typedef -Wno-c++0x-extensions -Wno-extended-offsetof -Wno-unknown-warning-option -Wno-return-type-c-linkage -fno-exceptions -fno-strict-aliasing -fno-rtti -fno-exceptions -fno-math-errno -std=gnu++0x -pthread -DNO_X11 -pipe -DNDEBUG -DTRIMMED -g -O3 -fomit-frame-pointer

Configure arguments 
--target=x86_64-apple-darwin --with-macos-private-frameworks=/home/debian/build/tor-browser/MacOSX10.7.sdk/System/Library/PrivateFrameworks --enable-application=browser --enable-strip --enable-official-branding --enable-optimize --disable-debug --enable-tor-browser-data-outside-app-dir --enable-tor-browser-update --enable-update-packaging --enable-signmar --enable-verify-mar --disable-crashreporter --disable-maintenance-service --disable-webrtc --disable-tests --disable-eme --disable-loop --with-tor-browser-version=6.5 --enable-update-channel=release --enable-bundled-fonts

comment:2 Changed 2 years ago by arthuredelstein

For comparison, here are the current Firefox release build flags:

Linux Firefox 51.01

target
x86_64-pc-linux-gnu
Build tools
Compiler 	Version 	Compiler flags
/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/gcc -std=gnu99 	4.8.5 	-Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=coverage-mismatch -Wno-error=free-nonheap-object -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/g++ -std=gnu++11 	4.8.5 	-Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wno-error=maybe-uninitialized -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-error=coverage-mismatch -Wno-error=free-nonheap-object -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -D_GLIBCXX_USE_CXX11_ABI=0 -pipe -g -fprofile-use -fprofile-correction -Wcoverage-mismatch -O3 -fomit-frame-pointer -Werror
Configure options

MOZ_AUTOMATION=1 --enable-update-channel=release PKG_CONFIG=/builds/slave/m-rel-l64-00000000000000000000/build/src/gtk3/usr/local/bin/pkg-config --enable-js-shell --enable-default-toolkit=cairo-gtk3 --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=/builds/gapi.data MOZ_PGO=1 CC=/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/gcc CXX=/builds/slave/m-rel-l64-00000000000000000000/build/src/gcc/bin/g++ --enable-rust RUSTC=/builds/slave/m-rel-l64-00000000000000000000/build/src/rustc/bin/rustc CARGO=/builds/slave/m-rel-l64-00000000000000000000/build/src/cargo/bin/cargo MAKE=/usr/bin/gmake --enable-crashreporter --enable-elf-hack --enable-official-branding --enable-release --enable-stdcxx-compat --enable-verify-mar

Windows Firefox 51.01:

target
i686-pc-mingw32

Build tools
Compiler 	Version 	Compiler flags
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE 	19.00.24213 	-TC -nologo -wd4091 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -FS -wd4244 -wd4267 -wd4819 -we4553
c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/VC/bin/amd64_x86/cl.EXE 	19.00.24213 	-TP -nologo -wd5026 -wd5027 -Zc:sizedDealloc- -Zc:threadSafeInit- -wd4091 -wd4577 -D_HAS_EXCEPTIONS=0 -W3 -Gy -Zc:inline -arch:SSE2 -FS -wd4251 -wd4244 -wd4267 -wd4345 -wd4351 -wd4800 -wd4819 -wd4595 -we4553 -GR- -Zi -GL -wd4624 -wd4952 -O1 -Oi -Oy

Configure options
MOZ_AUTOMATION=1 'MOZILLABUILD=C:\mozilla-build' --enable-update-channel=release --enable-js-shell --enable-eme=+adobe --with-mozilla-api-keyfile=c:/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=c:/builds/gapi.data MOZ_PGO=1 WINDOWSSDKDIR=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/vs2015u3/SDK --enable-rust RUSTC=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/rustc/bin/rustc CARGO=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/cargo/bin/cargo --enable-jemalloc MAKE=c:/builds/moz2_slave/m-rel-w32-00000000000000000000/build/src/mozmake.EXE --enable-crashreporter --enable-official-branding --enable-release --enable-require-all-d3dc-versions --enable-verify-mar

Mac Firefox 51.01:

target
x86_64-apple-darwin11.2.0

Build tools
Compiler    Version     Compiler flags
/usr/local/bin/ccache /builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang -arch x86_64 -std=gnu99    3.8.0   -Qunused-arguments -Wall -Wempty-body -Wignored-qualifiers -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wclass-varargs -Wloop-analysis -Werror=non-literal-null-conversion -Wstring-conversion -Wthread-safety -Wno-error=deprecated-declarations -Wno-error=array-bounds -isysroot /Developer/SDKs/MacOSX10.7.sdk -fno-strict-aliasing -ffunction-sections -fdata-sections -fno-math-errno -pthread -pipe
/usr/local/bin/ccache /builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ -arch x86_64 -std=gnu++11    3.8.0   -Qunused-arguments -Qunused-arguments -Wall -Wc++11-compat -Wempty-body -Wignored-qualifiers -Woverloaded-virtual -Wpointer-arith -Wsign-compare -Wtype-limits -Wunreachable-code -Wwrite-strings -Wno-invalid-offsetof -Wclass-varargs -Wloop-analysis -Wc++11-compat-pedantic -Wc++14-compat -Wc++14-compat-pedantic -Wc++1z-compat -Wimplicit-fallthrough -Werror=non-literal-null-conversion -Wstring-conversion -Wthread-safety -Wno-inline-new-delete -Wno-error=deprecated-declarations -Wno-error=array-bounds -Wno-unknown-warning-option -Wno-return-type-c-linkage -isysroot /Developer/SDKs/MacOSX10.7.sdk -fno-exceptions -fno-strict-aliasing -stdlib=libc++ -fno-rtti -ffunction-sections -fdata-sections -fno-exceptions -fno-math-errno -pthread -pipe -g -O3 -fomit-frame-pointer -Werror

Configure options 
MOZ_AUTOMATION=1 MOZ_CURRENT_PROJECT=x86_64 --target=x86_64-apple-darwin11.2.0 --enable-application=browser --enable-update-channel=release --enable-js-shell --with-mozilla-api-keyfile=/builds/mozilla-desktop-geoloc-api.key --with-google-api-keyfile=/builds/gapi.data --with-ccache 'CC=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang -arch x86_64' 'CXX=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ -arch x86_64' HOST_CC=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang HOST_CXX=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/clang++ LD=ld --enable-rust RUSTC=/builds/slave/m-rel-m64-00000000000000000000/build/src/rustc/bin/rustc CARGO=/builds/slave/m-rel-m64-00000000000000000000/build/src/cargo/bin/cargo MAKE=/usr/bin/make DSYMUTIL=/builds/slave/m-rel-m64-00000000000000000000/build/src/clang/bin/llvm-dsymutil --enable-crashreporter --enable-official-branding --enable-release --enable-verify-mar --with-macos-sdk=/Developer/SDKs/MacOSX10.7.sdk --with-unify-dist=../i386/dist

comment:3 Changed 2 years ago by arthuredelstein

Keywords: tbb-security added

comment:5 Changed 2 years ago by arthuredelstein

Description: modified

comment:6 Changed 2 years ago by arthuredelstein

Description: modified

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)

-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv

Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.

Last edited 2 years ago by arthuredelstein

comment:7 in reply to:  6 ; Changed 2 years ago by gk

Replying to arthuredelstein:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)

-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv

Uhm. We are doing already most of those things. Have you looked at our gitian build scripts? And I am not so sure we should build with ftrapv see comment:1:ticket:18310.

Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.

That is broken and not working due to Mozilla internals, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

comment:8 in reply to:  7 ; Changed 2 years ago by arthuredelstein

Replying to gk:

Replying to arthuredelstein:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)

-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv

Uhm. We are doing already most of those things. Have you looked at our gitian build scripts?

Sorry I hadn't found the existing build flags before posting this ticket. I discussed with gk what is already in our build scripts.

  • On linux, we have in gitian/descriptors/linux/gitian-firefox.yml:
    export DEB_BUILD_HARDENING=1
    export DEB_BUILD_HARDENING_STACKPROTECTOR=1
    export DEB_BUILD_HARDENING_FORTIFY=1
    export DEB_BUILD_HARDENING_FORMAT=1
    export DEB_BUILD_HARDENING_PIE=1
    

Indeed this covers most of the flags I mentioned. I'm not sure about -Wl,-z,relro,-z,now. gk, do you know how these are covered? boklm pointed me to a part of the Tor Browser test suite that seems to indicate that full relro is applied. Is that correct?

I think it would be useful also to somehow confirm that we are now using -fstack-protector-strong and not -fstack-protector; I will try to investigate that.

  • On Windows, we have in gitian/build-helpers/i686-w64-mingw32-g++:
    /home/ubuntu/install/mingw-w64/bin/i686-w64-mingw32-g++ -Wl,--dynamicbase -Wl,--nxcompat -Wl,--enable-reloc-section -fstack-protector --param ssp-buffer-size=4 -fno-strict-overflow "$@"
    
    I'm not familiar with Windows/mingw build flags, but it looks like we could possibly switch to -fstack-protector-strong. Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.
  • On Mac, we are adding -fPIE to the clang flags in gitian/descriptors/mac/gitian-firefox.yml. clang largely supports gcc's build flags so I think we could probably add most or all of the flags from comment:6 to the build. (I tried all of those flags with clang++ while building a "hello world" c++ program and confirmed that clang++ at least did not complain that any of the flags were unknown.)

And I am not so sure we should build with ftrapv see comment:1:ticket:18310.

That's interesting. I'm not sure what the right answer is. RCE seems a lot worse than DOS, though.

Note I am leaving out more advanced mitigations like -fvtable-verify=std for this iteration because getting these to work is likely to be complex.

That is broken and not working due to Mozilla internals, see: https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

I read in Tice et al 2014 that there is a mechanism in the VTV code to "whitelist" some parts of the code that would otherwise fail verification. I wonder if that feature is deployed in the gcc VTV implementation and could be used to get around the problematic vtable hacking Nathan Froyd mentions in the Mozilla bug. Similarly, clang's -fsanitize has an option to blacklist certain functions so that they also don't fail verification.

Something else that occurs to me is it would be nice to document our hardening flags for each build (hardened, alpha, release) in the Tor Browser design document.

comment:9 in reply to:  8 Changed 2 years ago by gk

Replying to arthuredelstein:

Replying to gk:

Replying to arthuredelstein:

Here are some security flags I think we can add to the gcc-based builds (Linux and mingw). There is heavy overlap with the proposed flags in https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be able to add similar flags to the clang based builds -- I will look into that after we settle on flags to add to gcc.)

-Werror=format
-Werror=format-security
-fstack-protector-strong
--param ssp-buffer-size=4
-pie -fPIE
-D_FORTIFY_SOURCE=2 -O1
-Wl,-z,relro,-z,now
-ftrapv

Uhm. We are doing already most of those things. Have you looked at our gitian build scripts?

Sorry I hadn't found the existing build flags before posting this ticket. I discussed with gk what is already in our build scripts.

  • On linux, we have in gitian/descriptors/linux/gitian-firefox.yml:
    export DEB_BUILD_HARDENING=1
    export DEB_BUILD_HARDENING_STACKPROTECTOR=1
    export DEB_BUILD_HARDENING_FORTIFY=1
    export DEB_BUILD_HARDENING_FORMAT=1
    export DEB_BUILD_HARDENING_PIE=1
    

Indeed this covers most of the flags I mentioned. I'm not sure about -Wl,-z,relro,-z,now. gk, do you know how these are covered? boklm pointed me to a part of the Tor Browser test suite that seems to indicate that full relro is applied. Is that correct?

Yes, full relro is applied. I think we get the flags you mentioned by export DEB_BUILD_HARDENING=1. The other *HARDENING flags should not be needed. I opened #21565 for the clean-up.

[snip]

And I am not so sure we should build with ftrapv see comment:1:ticket:18310.

That's interesting. I'm not sure what the right answer is. RCE seems a lot worse than DOS, though.

-ftrapv is not the only means we apply to Tor Browser. A useful exercise would be to understand for which cases -ftrapv would be needed given all our other hardening flags.

[snip]

Something else that occurs to me is it would be nice to document our hardening flags for each build (hardened, alpha, release) in the Tor Browser design document.

True. I've opened #21566.
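
The question raised above, whether -pie and -Wl,-z,relro,-z,now actually took effect, can be answered from the linked binary itself. The following is an added example, not part of the ticket or of the Tor Browser test suite: it reads the ELF64 headers and reports PIE, RELRO level and immediate binding. The function names and the sample images (built inline, headers only) are constructed for illustration.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf64(data):
    """Report PIE / RELRO / BIND_NOW for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            # -z relro: the linker emits a segment to be remapped read-only.
            relro = True
        elif p_type == PT_DYNAMIC:
            # -z now shows up as DT_BIND_NOW or as a bit in DT_FLAGS / DT_FLAGS_1.
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if (tag == DT_BIND_NOW
                        or (tag == DT_FLAGS and val & DF_BIND_NOW)
                        or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                    bind_now = True

    # "Full" RELRO needs both: without immediate binding the lazily
    # resolved part of the GOT has to stay writable.
    level = "full" if relro and bind_now else "partial" if relro else "none"
    # ET_DYN is what -pie produces (shared libraries are ET_DYN as well).
    return {"pie": e_type == ET_DYN, "relro": level, "bind_now": bind_now}


def build_sample(e_type, with_relro, dyn_entries):
    """Constructed ELF64 image: header, program headers, dynamic section."""
    dyn = b"".join(struct.pack("<qQ", t, v)
                   for t, v in list(dyn_entries) + [(DT_NULL, 0)])
    types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if with_relro else [])
    dyn_off = 64 + 56 * len(types)
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       e_type, 62, 1, 0, 64, 0, 0, 64, 56, len(types), 0, 0, 0)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 4, dyn_off, 0, 0, len(dyn), len(dyn), 8)
        for t in types)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    samples = {
        "pie + relro + now": build_sample(ET_DYN, True, [(DT_FLAGS, DF_BIND_NOW)]),
        "pie + relro only": build_sample(ET_DYN, True, []),
        "no hardening": build_sample(ET_EXEC, False, []),
    }
    for name, image in samples.items():
        print(name, check_elf64(image))
```

To check a real build output, pass the file's bytes to check_elf64; 32-bit and big-endian files are rejected rather than misread.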

comment:10 Changed 2 years ago by cypherpunks

hardening-wrapper is obsolete and has been removed from unstable. Please use dpkg-buildflags as explained above.

https://wiki.debian.org/Hardening#hardening-wrapper

hardening-check can only check the resulting binaries and thus might not catch missing hardening flags if they are only missing in a few places. blhc is a small parser written in Perl which checks the build logs for missing hardening flags. It can be used on build logs created by dpkg-buildpackage or buildd.

http://ruderich.org/simon/blhc/

For comparison, here are the current Firefox release build flags:

For comparison we need ESR52 build options, both 32-bit and 64-bit for every OS. What about official MinGW builds?

I'm not familiar with Windows/mingw build flags, but it looks like we could possibly switch to -fstack-protector-strong.

All occurrences of -fstack-protector --param ssp-buffer-size=4 should be replaced with at least -fstack-protector=strong.
http://www.outflux.net/blog/archives/2014/01/27/fstack-protector-strong/

For those who want to protect all the functions then -fstack-protector-all is recommended.

https://wiki.debian.org/Hardening#DEB_BUILD_HARDENING_STACKPROTECTOR_.28gcc.2Fg.2B-.2B-_-fstack-protector-strong.29

Also I wonder if -D_FORTIFY_SOURCE=2 and the relro flags make sense.

-D_FORTIFY_SOURCE=2 -O1 is a

Compile-time protection against static sized buffer overflows. No known regressions or performance loss. This should be enabled system-wide.

https://wiki.debian.org/Hardening#gcc_-D_FORTIFY_SOURCE.3D2_-O1

Some info about using -Os: https://stackoverflow.com/questions/19470873/why-does-gcc-generate-15-20-faster-code-if-i-optimize-for-size-instead-of-speed?rq=1

About integer overflow checking, -ftrapv in particular:
Research: https://people.csail.mit.edu/nickolai/papers/wang-stack-tocs.pdf
-ftrapv is not the best option: https://stackoverflow.com/questions/20851061/how-to-make-gcc-ftrapv-work#20851708
Practical usage: https://danluu.com/integer-overflow/

comment:11 Changed 2 years ago by cypherpunks

#8491 seems to be a dupe.

comment:12 Changed 2 years ago by gk

A comment from #8491 noted:

UBSan for the libraries that need it would also be valuable, especially image and TLS libraries.

Closing #8491 as duplicate as this one has a more detailed discussion.

comment:13 Changed 20 months ago by arthuredelstein

After a lot of experimentation, I opened #23024 and #23025 to add some extra hardening flags for Windows and Mac respectively. In the meantime I also found several promising flags didn't work after all:

Windows (mingw cross-compile):

  • -z,relro,-z,now fails (is there an equivalent flag for Windows binaries?)
  • Werror=format throws errors (around uses of %lld)
  • -fstack-protector-strong didn't build; in #23024 I propose trying -fstack-protector-all instead.

macOS (clang-based cross compile):

  • -z,relro,-z,now fails (is there an equivalent flag for Mac binaries?)

comment:14 in reply to:  13 Changed 20 months ago by cypherpunks

Replying to arthuredelstein:
During your investigations Mozilla suddenly started to harden Firefox :0. So this looks like the third part of Tor Patch Uplifting project (next to FPI and fingerprinting). (Mark their tickets accordingly ;)

  • -z,relro,-z,now fails (is there an equivalent flag for Windows binaries?)

This is how it works on Windows by default, no equivalents required.
-Wl,-z,relro,-z,now when "Options passed to the compiler when linking executables or shared objects" or -z relro -z now "if the linker is called directly".
relro - "Create an ELF PT_GNU_RELRO segment header in the object." (i.e. Linux only)
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359912 (and dependencies!)
now - Don't use Linux-only lazy binding
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1359918

  • Werror=format throws errors (around uses of %lld)

Mozilla uses -Wno-format, because "# We use mix of both POSIX and Win32 printf format across the tree, so format warnings are useless on mingw."
But, suddenly, https://bugzilla.mozilla.org/show_bug.cgi?id=1359915

This is https://bugzilla.mozilla.org/show_bug.cgi?id=620058, but have you noticed https://bugzilla.mozilla.org/show_bug.cgi?id=1359905?
-fstack-protector-all is better for security.

Also see https://gitweb.torproject.org/builders/tor-browser-bundle.git/tree/gitian/descriptors/windows/gitian-utils.yml#n129 and below... (What's up with https://bugzilla.mozilla.org/show_bug.cgi?id=1359914?)

Any thoughts about comment:10?

Last edited 19 months ago by cypherpunks

comment:15 Changed 20 months ago by cypherpunks

Tor Team is doing something similar in #22660.
This is https://bugzilla.mozilla.org/show_bug.cgi?id=1374345
But -z noexecstack needs checking whether stupid linker emits execstack by default? But -Wa,--noexecstack for assembler parts makes sense.
This is https://bugzilla.mozilla.org/show_bug.cgi?id=671426

comment:16 Changed 19 months ago by cypherpunks

Try to use -fno-plt on all platforms and check the difference.
