SYNOPSIS

export DEB_BUILD_HARDENING=1

gcc ...

DESCRIPTION

The hardened-cc wrapper is used by calling gcc as usual with DEB_BUILD_HARDENING set to 1; the wrapper then adds the toolchain hardening flags to the gcc command line before running the real compiler. All features are enabled by default. If a given feature breaks a particular build and has to be disabled, set the corresponding environment variable from the list below to 0.

ENVIRONMENT

DEB_BUILD_HARDENING=1

Enable the hardening features. When this is unset or 0, the wrapper runs gcc unchanged.

DEB_BUILD_HARDENING_DEBUG=1

Print the full resulting gcc command line to STDERR before calling gcc.

DEB_BUILD_HARDENING_OUTPUT=/some/path/debug.log

Instead of using STDERR for debugging, write the command lines to the given path. Some builds (configure checks that treat any compiler output on STDERR as a failure, for example) are very sensitive to unexpected STDERR output.

DEB_BUILD_HARDENING_STACKPROTECTOR=0

Disable the stack protector (GCC's -fstack-protector), which places a canary before the saved return address and aborts the program when a stack buffer overflow overwrites it. See README.Debian for details.

DEB_BUILD_HARDENING_RELRO=0

Disable RELRO (the linker's -z relro), which makes relocation sections such as the GOT read-only once the dynamic linker has processed them. See README.Debian for details.

DEB_BUILD_HARDENING_FORTIFY=0

Disable FORTIFY_SOURCE (-D_FORTIFY_SOURCE=2), which substitutes bounds-checked variants for several standard string and memory functions (memcpy, sprintf and the like) when the destination size is known at compile time; it only takes effect at -O1 or higher. See README.Debian for details.

DEB_BUILD_HARDENING_PIE=0

Don't build position-independent executables (-fPIE when compiling, -pie when linking), which let the kernel load the executable at a randomized address under ASLR. See README.Debian for details.

DEB_BUILD_HARDENING_FORMAT=0

Don't make unsafe format-string usage a compile error (GCC's -Wformat -Wformat-security -Werror=format-security): calls such as printf(buf), where the format string is not a literal and no arguments follow it, are then only warned about. See README.Debian for details.

NOTES

System-wide settings can be added to /etc/hardening-wrapper.conf, one per line.
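The ENVIRONMENT variables above and the one-setting-per-line format of /etc/hardening-wrapper.conf, modelled in shell as an added example. This is not the hardening-wrapper source: the flag set attached to each feature, the rule that environment variables override the config file, and the check that a config line names only a plain DEB_BUILD_HARDENING* variable are this example's own choices, and the config file it reads is a constructed temporary one.

```shell
# Model of how a hardened-cc style wrapper turns DEB_BUILD_HARDENING_* settings
# into gcc flags.  Added example, not the hardening-wrapper source.  Assumed: the
# flag set per feature, that the environment overrides the config file, and that
# the real compiler is reached as gcc.real (see NOTES).

# Read KEY=VALUE lines from a config file and export each one not already set
# in the environment.  Blank lines and '#' comments are skipped, and only plain
# DEB_BUILD_HARDENING* names are accepted, so a malformed line cannot smuggle
# shell syntax into the eval below.
load_hardening_conf() {
    conf=${1:-/etc/hardening-wrapper.conf}
    [ -r "$conf" ] || return 0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ''|'#'*) continue ;;
            DEB_BUILD_HARDENING*=*) ;;
            *) continue ;;
        esac
        key=${line%%=*}
        val=${line#*=}
        case $key in *[!A-Z_]*) continue ;; esac
        if eval "[ -z \"\${$key+x}\" ]"; then    # not set in the environment
            export "$key=$val"
        fi
    done < "$conf"
}

# link=1 unless -c/-S/-E stops gcc before linking; shared=1 for a -shared link
# (a shared library must not be linked with -pie).
classify_args() {
    link=1 shared=0
    for a in "$@"; do
        case $a in
            -c|-S|-E) link=0 ;;
            -shared)  shared=1 ;;
        esac
    done
}

# Print the flags for every enabled feature, one per line, using the link and
# shared variables set by classify_args.  Linker-only flags are withheld from
# compile-only steps.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = 1 ] || return 0
    if [ "${DEB_BUILD_HARDENING_STACKPROTECTOR:-1}" != 0 ]; then
        printf '%s\n' -fstack-protector --param ssp-buffer-size=4
    fi
    if [ "${DEB_BUILD_HARDENING_FORTIFY:-1}" != 0 ]; then
        printf '%s\n' -D_FORTIFY_SOURCE=2
    fi
    if [ "${DEB_BUILD_HARDENING_FORMAT:-1}" != 0 ]; then
        printf '%s\n' -Wformat -Wformat-security -Werror=format-security
    fi
    if [ "${DEB_BUILD_HARDENING_PIE:-1}" != 0 ] && [ "$shared" = 0 ]; then
        printf '%s\n' -fPIE
        if [ "$link" = 1 ]; then printf '%s\n' -pie; fi
    fi
    if [ "${DEB_BUILD_HARDENING_RELRO:-1}" != 0 ] && [ "$link" = 1 ]; then
        printf '%s\n' -Wl,-z,relro
    fi
}

# The full command line with the hardening flags prepended, so that flags given
# by the caller (e.g. -fno-stack-protector) still take precedence.
hardened_cc_cmdline() {
    classify_args "$@"
    cmd=gcc.real
    for f in $(hardening_flags) "$@"; do
        cmd="$cmd $f"
    done
    printf '%s\n' "$cmd"
}

# DEB_BUILD_HARDENING_DEBUG=1 logs the command line; DEB_BUILD_HARDENING_OUTPUT
# sends that log to a file instead of STDERR.
log_cmdline() {
    [ "${DEB_BUILD_HARDENING_DEBUG:-0}" = 1 ] || return 0
    if [ -n "${DEB_BUILD_HARDENING_OUTPUT:-}" ]; then
        printf '%s\n' "$1" >> "$DEB_BUILD_HARDENING_OUTPUT"
    else
        printf '%s\n' "$1" >&2
    fi
}

# Wrapper entry point: log, then replace ourselves with the real compiler.
hardened_cc() {
    log_cmdline "$(hardened_cc_cmdline "$@")"
    classify_args "$@"
    exec gcc.real $(hardening_flags) "$@"
}

# Demonstration with a constructed file standing in for /etc/hardening-wrapper.conf.
demo_conf=$(mktemp)
printf '%s\n' 'DEB_BUILD_HARDENING=1' '# site policy: PIE off' \
    'DEB_BUILD_HARDENING_PIE=0' > "$demo_conf"
(
    load_hardening_conf "$demo_conf"
    hardened_cc_cmdline -O2 -c hello.c -o hello.o    # compile step: no -pie, no relro
    hardened_cc_cmdline -O2 hello.o -o hello          # link step: relro added
    DEB_BUILD_HARDENING_STACKPROTECTOR=0
    hardened_cc_cmdline -O2 hello.o -o hello          # canary flags dropped
)
rm -f "$demo_conf"
```

Prepending the flags rather than appending them is what lets a package's own -fno-stack-protector or -D_FORTIFY_SOURCE=0 override the wrapper: for gcc the last occurrence of a conflicting option wins. The name check on config keys matters because the value is passed through eval to test whether the variable is already set; without it a line like DEB_BUILD_HARDENING_X;rm -rf /=1 would be executed rather than ignored.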

The real gcc symlinks are renamed to gcc.real and a diversion is registered with dpkg-divert(1), so hardened-cc's idea of the default gcc is whatever package installed /usr/bin/gcc.
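To confirm which of the features listed under ENVIRONMENT ended up in a built binary, here is an added check that is not part of hardening-wrapper. It parses the output of readelf (from binutils) with heuristics chosen for this example: PIE is an ET_DYN object that also has a PT_INTERP entry, RELRO is a GNU_RELRO segment (full RELRO when the dynamic section also carries BIND_NOW), the stack protector shows up as a reference to __stack_chk_fail, and FORTIFY_SOURCE as references to the *_chk libc variants. The readelf excerpts embedded below are constructed samples, not captured from a real build.

```shell
# Report which hardening features an ELF binary actually carries, from
# `readelf -h -l -d -s` output.  Added check, not part of hardening-wrapper;
# the detection heuristics are this example's own.
hardening_from_readelf() {
    elftype=none interp=no relro=no bindnow=no ssp=no fortify=no
    while IFS= read -r line; do
        case $line in
            *Type:*EXEC*)        elftype=exec ;;   # ET_EXEC: fixed load address
            *Type:*DYN*)         elftype=dyn ;;    # ET_DYN: PIE or shared library
            *INTERP*)            interp=yes ;;     # PT_INTERP: it is an executable
            *GNU_RELRO*)         relro=yes ;;      # PT_GNU_RELRO segment present
            *"(BIND_NOW)"*|*"(FLAGS"*NOW*) bindnow=yes ;;  # DT_BIND_NOW / DF_BIND_NOW
            *__stack_chk_fail*)  ssp=yes ;;        # canary mismatch handler referenced
            *_chk@*|*_chk)       fortify=yes ;;    # e.g. __printf_chk@GLIBC_2.3.4
        esac
    done
    if [ "$elftype" = dyn ] && [ "$interp" = yes ]; then pie=yes; else pie=no; fi
    if [ "$relro" = yes ] && [ "$bindnow" = yes ]; then relro=full; fi
    printf 'PIE=%s RELRO=%s STACKPROTECTOR=%s FORTIFY=%s\n' "$pie" "$relro" "$ssp" "$fortify"
}

# Run the check on a real file (needs binutils' readelf on PATH).
hardening_report() {
    readelf -h -l -d -s "$1" | hardening_from_readelf
}

# Constructed readelf excerpt for a PIE, full-RELRO, fortified binary.
SAMPLE_HARDENED='ELF Header:
  Type:                              DYN (Shared object file)
Program Headers:
  INTERP         0x0000000000000318 0x0000000000000318 0x0000000000000318
  GNU_RELRO      0x0000000000002dd0 0x0000000000003dd0 0x0000000000003dd0
Dynamic section at offset 0x2dd8 contains 27 entries:
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
Symbol table .dynsym contains 8 entries:
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)'

# Constructed readelf excerpt for a binary built with everything disabled.
SAMPLE_PLAIN='ELF Header:
  Type:                              EXEC (Executable file)
Program Headers:
  INTERP         0x0000000000000238 0x0000000000400238 0x0000000000400238
Symbol table .dynsym contains 4 entries:
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (2)'

printf '%s\n' "$SAMPLE_HARDENED" | hardening_from_readelf  # PIE=yes RELRO=full STACKPROTECTOR=yes FORTIFY=yes
printf '%s\n' "$SAMPLE_PLAIN" | hardening_from_readelf     # PIE=no RELRO=no STACKPROTECTOR=no FORTIFY=no
if command -v readelf >/dev/null 2>&1 && [ -r /bin/sh ]; then
    hardening_report /bin/sh
fi
```

Two caveats when reading the result: a DYN object without PT_INTERP is a shared library, not a PIE, which is why both conditions are required; and the absence of __stack_chk_fail or of any *_chk symbol only means something if the code had stack buffers to protect or fortifiable calls with a compile-time-known destination size. A tiny test program can legitimately show STACKPROTECTOR=no even though the flag was passed.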
