Gentoo Forums
safe hardening flags for GCC
Shadow_Fury
Tux's lil' helper
Joined: 20 Apr 2021
Posts: 138
Location: 11.435765792823453, 143.05926743686274

PostPosted: Mon May 23, 2022 5:06 pm    Post subject: safe hardening flags for GCC

I've been thinking about adding hardening flags to my make.conf and I found the following things:

https://security.stackexchange.com/questions/24444/what-is-the-most-hardened-set-of-options-for-gcc-compiling-c-c
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc

I was wondering which, if any, of the flags contained within would be safe to apply globally, and which would be likely to brick the system, as well as whether any are applied by default/the "hardened" Gentoo profile.

For example: would the system break if I added the LD flag that marks the entire stack as non-executable, etc.?

Any help is appreciated.

as for why, I just like experimenting with hardening my system, nothing else.

-S
sam_
Developer
Joined: 14 Aug 2020
Posts: 1678

PostPosted: Thu May 26, 2022 12:51 am    Post subject:

Good question!

Most interesting things are set by default on the hardened profile. I've recently added and improved a table on the wiki to explain what is set already.

What you can do yourself:

  • Try -D_GLIBCXX_ASSERTIONS in CXXFLAGS (we're likely to add this to hardened profile soon)
  • Possibly try -D_FORTIFY_SOURCE=3 with GCC 12 (this is very early days and experimental, see bug 847148; this one is further out but will be added eventually to the hardened profile)
  • If you have a CET-capable CPU, enable USE=cet and USE=hardened on gcc, glibc, and binutils.
  • Check build logs for implicit function declarations and file bugs (upstream too!). Fixes are usually easy.
As for some of the things on the pages you linked:

  • -fvtable-verify=* (rejected for Gentoo, see bug 544980). I'm not aware of any distros turning this on. You could just try it.
  • -ftrapv (described as broken by GCC)
  • -mmitigate-rop -mindirect-branch=thunk -mfunction-return=thunk. Feel free to set these.
I don't think any of the other stuff mentioned is useful, it's already set by default. Some stuff like -fexceptions might be worth trying.
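A way to check, before and after changing the flags discussed in this thread, whether a binary actually ended up with a non-executable stack and a RELRO segment: a small ELF64 inspector that reads the program headers directly. This is an added example, not code from either poster or from Gentoo; `build_fake_elf` constructs test images and is an assumption for demonstration, and treating a missing PT_GNU_STACK as executable is the conservative reading of the kernel default.

```python
import struct
import sys

# ELF constants as defined in elf.h
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1


def elf_hardening(data: bytes) -> dict:
    """Report PT_GNU_STACK / PT_GNU_RELRO state of a 64-bit little-endian ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only ELFCLASS64 + ELFDATA2LSB is handled here")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)          # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    result = {"gnu_stack_present": False, "exec_stack": False, "relro": False}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags = struct.unpack_from("<II", data, off)  # first two phdr fields
        if p_type == PT_GNU_STACK:
            result["gnu_stack_present"] = True
            result["exec_stack"] = bool(p_flags & PF_X)       # -z execstack sets PF_X
        elif p_type == PT_GNU_RELRO:
            result["relro"] = True                            # -z relro emits this segment
    if not result["gnu_stack_present"]:
        # Conservative assumption: with no PT_GNU_STACK header the kernel's
        # legacy default on x86 is an executable stack, so flag it.
        result["exec_stack"] = True
    return result


def build_fake_elf(phdrs):
    """Constructed test image: minimal ELF64 header + (p_type, p_flags) program headers."""
    phentsize, phoff = 56, 64
    hdr = bytearray(64)
    hdr[:4] = b"\x7fELF"
    hdr[4], hdr[5] = 2, 1                                   # ELFCLASS64, ELFDATA2LSB
    struct.pack_into("<Q", hdr, 0x20, phoff)
    struct.pack_into("<HH", hdr, 0x36, phentsize, len(phdrs))
    body = b"".join(struct.pack("<II", t, f).ljust(phentsize, b"\0") for t, f in phdrs)
    return bytes(hdr) + body


if __name__ == "__main__":
    for path in sys.argv[1:]:          # e.g. python elfcheck.py /usr/bin/*
        with open(path, "rb") as fh:
            print(path, elf_hardening(fh.read()))
```

Run it over a directory of binaries before and after a rebuild to see which packages still carry an executable stack or lack RELRO.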