Jack Howarth <howa...@bromo.med.uc.edu> writes:

> On Fri, Jun 17, 2011 at 07:30:43AM -0700, Ian Lance Taylor wrote:
>>
>> For PCH what matters is not whether gcc defaults to generating PIE, but
>> whether gcc itself is compiled as a PIE. In general I believe that a
>> PIE gcc will not support PCH--it will work most of the time, but will
>> occasionally fail. However, I have not actually tested this. If I'm
>> right about this limitation, it would be quite difficult to fix given
>> the current PCH implementation. Fortunately, as far as I can see, the
>> kind of attacks which PIE protects against are unimportant when
>> attacking gcc, as gcc simply runs under your own user ID on your own
>> system. Anything the user can somehow suborn gcc into doing, the user
>> can do anyhow. So I see no reason to build gcc as a PIE. Of course
>> those considerations would change if somebody is running a compilation
>> server on the net which invokes gcc; such a setup might get some small
>> benefit from building gcc as a PIE, but such a setup would be unlikely
>> to support PCH in any case.
>
> I found some interesting information on what Gentoo Hardened Linux
> is doing with their toolchain here...
>
> http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml
>
> It appears that they consider JIT to be a major security risk and disable it
> by default...
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#jitflag
>
> as well as passing...
>
> CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now
> -Wl,-z,relro"
>
> automatically on builds.
Those web pages are about whether gcc defaults to generating PIE. As I
said, for PCH what matters is whether gcc itself is compiled as a PIE.

> Also, apparently -O3 is considered problematic when SSP is in use.
>
> http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#Othreessp

It would be interesting to find out what the problem is here.

Ian
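An added example, not code from this thread or from gcc: a small ELF header check for the distinction Ian draws, namely whether the gcc binary itself (not the code it emits) is a PIE. A PIE executable carries e_type ET_DYN, a fixed-address one ET_EXEC. The default path /usr/bin/gcc and the remark about cc1 are my assumptions, and the sample headers are constructed.

```c
#include <stdio.h>
#include <string.h>

/* e_type: ET_EXEC is a fixed-address (non-PIE) executable; ET_DYN is how a
 * PIE executable (and also a shared library) is marked. */
enum { ELF_NOT_ELF = -1, ELF_ET_EXEC = 0, ELF_ET_DYN = 1, ELF_OTHER = 2 };
/* Classify an ELF image from its first 18 header bytes (magic, EI_CLASS,
 * EI_DATA, e_type); e_type is read in the byte order EI_DATA declares. */
int elf_pie_check(const unsigned char *buf, size_t len)
{
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return ELF_NOT_ELF;
    if (buf[4] != 1 && buf[4] != 2)   /* EI_CLASS: ELFCLASS32 or ELFCLASS64 */
        return ELF_NOT_ELF;
    if (buf[5] != 1 && buf[5] != 2)   /* EI_DATA: ELFDATA2LSB or ELFDATA2MSB */
        return ELF_NOT_ELF;
    unsigned e_type = (buf[5] == 1) ? (buf[16] | (buf[17] << 8))
                                    : ((buf[16] << 8) | buf[17]);
    if (e_type == 2) return ELF_ET_EXEC;
    if (e_type == 3) return ELF_ET_DYN;
    return ELF_OTHER;
}

/* Same check on a file, e.g. the gcc driver or cc1 (the compiler proper,
 * which is the process that actually maps a PCH file; my assumption). */
int elf_file_pie_check(const char *path)
{
    unsigned char hdr[18];
    size_t n;
    FILE *f = fopen(path, "rb");
    if (!f) return ELF_NOT_ELF;
    n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_pie_check(hdr, n);
}

/* Constructed sample headers, not real binaries: 64-bit LE ET_EXEC,
 * 64-bit LE ET_DYN and 32-bit BE ET_DYN. */
const unsigned char SAMPLE_EXEC_LE[18] = {0x7f,'E','L','F',2,1,1,0,0,0,0,0,0,0,0,0,2,0};
const unsigned char SAMPLE_DYN_LE[18]  = {0x7f,'E','L','F',2,1,1,0,0,0,0,0,0,0,0,0,3,0};
const unsigned char SAMPLE_DYN_BE[18]  = {0x7f,'E','L','F',1,2,1,0,0,0,0,0,0,0,0,0,0,3};
int main(int argc, char **argv)
{
    static const char *names[] = { "ET_EXEC (not PIE)", "ET_DYN (PIE or shared object)", "other" };
    const char *path = argc > 1 ? argv[1] : "/usr/bin/gcc";   /* default path is an assumption */
    int r = elf_file_pie_check(path);
    printf("%s: %s\n", path, r < 0 ? "not a readable ELF file" : names[r]);
    return r < 0;
}
```

Run it against the driver and against cc1 (found via `gcc -print-prog-name=cc1`) to see which of the two is actually PIE on a given installation.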