[MCOL-579] Enabled harderning compile flags Created: 2017-02-18  Updated: 2017-12-01  Resolved: 2017-09-06

Status: Closed
Project: MariaDB ColumnStore
Component/s: None
Affects Version/s: None
Fix Version/s: 1.1.0

Type: Task Priority: Major
Reporter: Andrew Hutchings (Inactive) Assignee: Daniel Lee (Inactive)
Resolution: Fixed Votes: 0
Labels: None

Sprint: 2017-15, 2017-16, 2017-17, 2017-18

 Description   

For security we should add the harderning flags used in MariaDB. The section in their CMake is:

# enable security hardening features, like most distributions do
 
# in our benchmarks that costs about ~1% of performance, depending on the load
 
IF(CMAKE_C_COMPILER_VERSION VERSION_LESS "4.6")
 
  SET(security_default OFF)
 
ELSE()
 
  SET(security_default ON)
 
ENDIF()
 
OPTION(SECURITY_HARDENED "Use security-enhancing compiler features (stack protector, relro, etc)" ${security_default})
 
IF(SECURITY_HARDENED)
 
  # security-enhancing flags
 
  MY_CHECK_AND_SET_COMPILER_FLAG("-pie -fPIC")
 
  MY_CHECK_AND_SET_COMPILER_FLAG("-Wl,-z,relro,-z,now")
 
  MY_CHECK_AND_SET_COMPILER_FLAG("-fstack-protector --param=ssp-buffer-size=4")
 
  MY_CHECK_AND_SET_COMPILER_FLAG("-D_FORTIFY_SOURCE=2" RELEASE RELWITHDEBINFO)
 
ENDIF()



 Comments   
Comment by Andrew Hutchings (Inactive) [ 2017-09-05 ]

For QA: regression suite should still work after this change. We are improving memory/stack protection.

Comment by Daniel Lee (Inactive) [ 2017-09-06 ]

Build verified: 1.1.0 Github source

[root@localhost ~]# cat mariadb-columnstore-1.1.0-1-centos7.x86_64.bin.tar.txt
/root/columnstore/mariadb-columnstore-server
commit 9e855a6415e0edd6771c449a6591c21c3915bfec
Merge: 6ed33d1 c206e51
Author: David.Hall <david.hall@mariadb.com>
Date: Tue Sep 5 09:43:29 2017 -0500

Merge pull request #68 from mariadb-corporation/MCOL-887

MCOL-887 Merge MariaDB 10.2.8

/root/columnstore/mariadb-columnstore-server/mariadb-columnstore-engine
commit 4441206050b07986f31402652c3299d36007d78d
Merge: 90353b9 230d013
Author: Andrew Hutchings <andrew@linuxjedi.co.uk>
Date: Tue Sep 5 20:36:02 2017 +0100

Merge pull request #247 from mariadb-corporation/MCOL-579

Add compiler flag checks and hardening flags

Regression tests passed.

Generated at Thu Feb 08 02:22:09 UTC 2024 using Jira 8.20.16#820016-sha1:9d11dbea5f4be3d4cc21f03a88dd11d8c8687422.