From c15587edc21edaf32d8e2b7add5ff20716232f85 Mon Sep 17 00:00:00 2001 From: Simon Clark Date: Apr 26 2018 16:19:13 +0000 Subject: Add #92 'Hardening Flags Updates for Fedora 28' --- diff --git a/en-US/developers/Development_Tools.adoc b/en-US/developers/Development_Tools.adoc index 10484f0..a10572c 100644 --- a/en-US/developers/Development_Tools.adoc +++ b/en-US/developers/Development_Tools.adoc @@ -13,3 +13,15 @@ Fedora 28 comes with *GCC 8.1* as the primary compiler. See link:http://gcc.gnu. == Binutils rebased to 2.29.1 The *binutils* collection of tools has been rebased from version 2.29 to 2.29.1. This minor release does not introduce any new features, but it includes a number of important bug fixes. In addition, the default build flags have been changed to include `-z defs`, so that undefined symbols result in errors. The benefit is that this prevents shipping dynamic shared objects (DSO) that are not correctly linked because they refer to versioned symbols as plain undefined symbols without specifying a symbol version. + +[[sect-development-tools-]] +== Hardening Flags Updates + +Fedora 28 has been built with updated hardening flags, as provided by the GNU toolchain. +Compared to previous releases, the following changes have been made to the way programs are built: + +* Stack clash protection is enabled. +* Lightweight assertions have been switched on in the C++ standard run-time library. +* On x86-64, binaries have been built in such a way that they will support Control Flow Enforcement Technology (CET) in the future. +* On systems which support memory protection keys, lazy binding now uses a read-only GOT. +* By default the toolchain generates PIE executables to further harden Fedora executables from attacks.
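
Review bot: the section anchor added just above the new `== Hardening Flags Updates` heading, `[[sect-development-tools-]]`, ends in a dangling hyphen with no section-specific suffix, so it looks truncated and gives cross-references nothing meaningful to target. Give it a complete ID, for example `[[sect-development-tools-hardening-flags]]`. The five bullets also describe each change without naming the build flag or option behind it, whereas the binutils paragraph in the context above names `-z defs`. Adding the flag to each bullet would let readers check their own builds against the new defaults.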