Otto Kekäläinen:
> So apparently the 'D_FORTIFY_SOURCE=2' is in CPPFLAGS (not read by
> cmake) but not in CXXFLAGS (read by cmake)[1].
>
> So maybe I should define?
> CXXFLAGS=$(CXXFLAGS) $(CPPFLAGS)
>

You have to with cmake, yes. I believe debhelper carries a similar
workaround (for CXXFLAGS + CFLAGS with cmake).

> This is the current state of mysqld, should I be happy with this or is
> it relevant that all functions are protected?
>
> hardening-check --verbose --color mysqld
> [...]
>
>
> [1] https://cmake.org/Bug/view.php?id=12928
>

This is where blhc log check (where possible) is better as it will tell
you if all compiler invocations had the hardening flags. If they do,
then you are good.

It is "perfectly" normal for a correctly hardened binary to have
unhardened functions as the compiler *can* in some cases prove the
hardening is unnecessary.

On a related note, lintian has a list of symbols that it ignores for the
purpose of assuming/checking if a binary is hardened or not and it has
no hardened functions. Mind you, that list is an accuracy trade-off (to
prefer false-negatives over false-positives due to the number of
false-positive complaints).

Thanks,
~Niels
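The build-log approach discussed in this message, as an added example that is not part of the original e-mail and is not blhc itself: a simplified scan that reports compile steps without an effective `-D_FORTIFY_SOURCE=2`, which is the symptom of cmake ignoring CPPFLAGS. The log lines are constructed, and `check_log` and `fortify_problem` are hypothetical names; blhc checks more flags and handles more build systems.

```python
import re
import shlex

# Constructed build-log lines for illustration; not taken from a real build.
SAMPLE_LOG = """\
[ 10%] Building CXX object sql/CMakeFiles/sql.dir/item.cc.o
/usr/bin/c++ -g -O2 -fstack-protector-strong -Wformat -o item.cc.o -c item.cc
/usr/bin/c++ -g -O2 -D_FORTIFY_SOURCE=2 -o field.cc.o -c field.cc
/usr/bin/cc -g -O0 -D_FORTIFY_SOURCE=2 -o dbug.c.o -c dbug.c
/usr/bin/c++ -g -O2 -D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE -o net.cc.o -c net.cc
/usr/bin/c++ -Wl,-z,relro -o mysqld item.cc.o field.cc.o dbug.c.o net.cc.o
"""

COMPILER = re.compile(r"(?:^|/)(?:g?cc|[gc]\+\+|clang(?:\+\+)?)(?:-[\d.]+)?$")

def fortify_problem(argv):
    """Return why a compile command lacks effective fortification, or None."""
    level, optimized = 0, False
    for arg in argv:  # later flags override earlier ones, as in the compiler
        if arg.startswith("-D_FORTIFY_SOURCE="):
            value = arg.split("=", 1)[1]
            level = int(value) if value.isdigit() else 0
        elif arg == "-U_FORTIFY_SOURCE":
            level = 0
        elif re.fullmatch(r"-O\w*", arg):
            optimized = arg != "-O0"
    if level < 2:
        return "missing -D_FORTIFY_SOURCE=2"
    if not optimized:
        return "-D_FORTIFY_SOURCE has no effect without optimization"
    return None

def check_log(text):
    """Return (line_no, reason, command) for compile steps (-c) that fail."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        try:
            argv = shlex.split(line)
        except ValueError:  # unbalanced quotes: not a parsable command line
            continue
        if not argv or not COMPILER.search(argv[0]) or "-c" not in argv:
            continue  # progress output and link steps take no CPPFLAGS
        reason = fortify_problem(argv)
        if reason:
            findings.append((line_no, reason, line))
    return findings

if __name__ == "__main__":
    for line_no, reason, command in check_log(SAMPLE_LOG):
        print(f"line {line_no}: {reason}\n    {command}")
```

An empty result means every compile step seen in the log carried the flag, which is the condition the message calls "good"; it says nothing about individual functions the compiler chose to leave unfortified.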