NAME
       hardened-c++ - g++ wrapper to enforce hardening toolchain improvements

SYNOPSIS
       export DEB_BUILD_HARDENING=1
       g++ ...
DESCRIPTION
       The hardened-c++ wrapper is normally used by calling g++ as usual
       while DEB_BUILD_HARDENING is set to 1. It then enables the necessary
       toolchain hardening features on the g++ command line. By default, all
       features are enabled. If a given feature does not work correctly and
       needs to be disabled, the corresponding environment variable listed
       below can be set to 0.
ENVIRONMENT
       DEB_BUILD_HARDENING=1
              Enable hardening features.

       DEB_BUILD_HARDENING_DEBUG=1
              Print the full resulting g++ command line to STDERR before
              calling g++.

       DEB_BUILD_HARDENING_STACKPROTECTOR=0
              Disable stack overflow protection. See README.Debian for
              details.

       DEB_BUILD_HARDENING_RELRO=0
              Disable read-only linker sections. See README.Debian for
              details.

       DEB_BUILD_HARDENING_FORTIFY=0
              Don't fortify several standard functions. See README.Debian
              for details.

       DEB_BUILD_HARDENING_PIE=0
              Don't build position independent executables. See
              README.Debian for details.

       DEB_BUILD_HARDENING_FORMAT=0
              Disable unsafe format string usage errors. See README.Debian
              for details.
NOTES
       System-wide settings can be added to /etc/hardening-wrapper.conf, one
       per line.

       The real g++ symlinks are renamed g++.real, and a diversion is
       registered with dpkg-divert(1). Thus hardened-c++'s idea of the
       default g++ is dictated by whatever package installed /usr/bin/g++.
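       The following is an added example and not code from the
       hardening-wrapper package. It is a POSIX sh model of the rules
       documented under ENVIRONMENT (active only when DEB_BUILD_HARDENING=1,
       every feature on by default, a feature switched off by setting its
       variable to 0, the debug echo to STDERR) together with a reader for
       the one-setting-per-line /etc/hardening-wrapper.conf described under
       NOTES. The mapping from each feature to g++/ld options is an
       assumption drawn from well-known hardening options, and so is the rule
       that a variable already set in the environment wins over the config
       file; the real wrapper may differ on both points. The g++.real name
       comes from the page.

```shell
#!/bin/sh
# Added example, not code from the hardening-wrapper package. It models the
# behaviour documented in hardened-c++(1): the wrapper is active only when
# DEB_BUILD_HARDENING=1, every feature is on by default, and one feature is
# switched off by setting DEB_BUILD_HARDENING_<FEATURE>=0. The feature-to-
# option table is an assumption built from well-known GCC/ld hardening
# options; the real wrapper's exact options may differ.

# True (exit 0) when feature $1 is enabled: anything but an explicit "0"
# leaves it on, which is the documented "enabled by default" rule.
feature_enabled() {
    eval "_val=\${DEB_BUILD_HARDENING_$1:-1}"
    [ "$_val" != "0" ]
}

# Print, one line per feature, the options the wrapper would add to g++.real.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = "1" ] || return 0   # wrapper inactive: add nothing
    feature_enabled STACKPROTECTOR && printf '%s\n' "-fstack-protector"
    feature_enabled FORTIFY        && printf '%s\n' "-D_FORTIFY_SOURCE=2"
    feature_enabled FORMAT         && printf '%s\n' "-Wformat -Wformat-security -Werror=format-security"
    feature_enabled PIE            && printf '%s\n' "-fPIE -pie"
    feature_enabled RELRO          && printf '%s\n' "-Wl,-z,relro"
    return 0
}

# Load KEY=VALUE lines from the system-wide config file hardened-c++ reads
# (/etc/hardening-wrapper.conf). Blank lines and '#' comments are skipped;
# only DEB_BUILD_HARDENING* keys made of [A-Z0-9_] are accepted, so a stray
# line cannot inject shell syntax through the eval below. Assumption for this
# example: a variable already present in the environment wins over the file.
load_config() {
    _conf="${1:-/etc/hardening-wrapper.conf}"
    [ -r "$_conf" ] || return 0
    while IFS= read -r _line || [ -n "$_line" ]; do
        case "$_line" in
            ''|'#'*) continue ;;
        esac
        _key="${_line%%=*}"
        _val="${_line#*=}"
        case "$_key" in
            *[!A-Z0-9_]*|'')      _ok=0 ;;
            DEB_BUILD_HARDENING*) _ok=1 ;;
            *)                    _ok=0 ;;
        esac
        if [ "$_ok" = 1 ] && [ "$_line" != "$_key" ]; then
            eval "[ -n \"\${$_key+set}\" ]" || export "$_key=$_val"
        else
            printf 'ignored config line: %s\n' "$_line" >&2
        fi
    done < "$_conf"
}

# Build the g++.real command line the wrapper would run, echoing it to STDERR
# first when DEB_BUILD_HARDENING_DEBUG=1 (the documented debug mode).
wrapped_command() {
    _cmd="g++.real"
    for _opt in $(hardening_flags) "$@"; do _cmd="$_cmd $_opt"; done
    [ "${DEB_BUILD_HARDENING_DEBUG:-0}" = "1" ] && printf '%s\n' "$_cmd" >&2
    printf '%s\n' "$_cmd"
}

# Usage after sourcing this file, e.g.:
#   DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_DEBUG=1 wrapped_command -c foo.cc
```

       Running wrapped_command with DEB_BUILD_HARDENING_DEBUG=1 shows, before
       any real build, which options a given set of variables produces, the
       same check the wrapper's own debug mode offers. On an installed system,
       dpkg-divert --list /usr/bin/g++ shows whether the diversion described
       under NOTES is in place, and readlink -f /usr/bin/g++ shows which g++
       the wrapper currently stands in front of.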