Hi, after reading
https://security.googleblog.com/2024/11/retrofitting-spatial-safety-to-hundreds.html
https://libcxx.llvm.org/Hardening.html
https://best.openssf.org/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.html
I played around a bit with some of the flags there (in CFLAGS).

What doesn't work:
- -fstrict-flex-arrays=3 (variable array issue in IIRC a tool for ath)
- -fstrict-flex-arrays=2 (issue in another area, haven't checked further)

What works and results in a world+kernel which is able to boot:
- -D_GLIBCXX_ASSERTIONS
- -fstrict-flex-arrays=1
- -fstack-clash-protection
- -D_LIBCPP_HARDENING_MODE=_LIBCPP_HARDENING_MODE_EXTENSIVE

Does someone have any reason / argument why some of those shouldn't be used when building FreeBSD? Should something like this be optional, and if yes, enabled by default, or disabled by default?

Bye,
Alexander.

--
http://www.Leidinger.net alexan...@leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netch...@freebsd.org : PGP 0x8F31830F9F2772BF