NAME
hardened-cc - gcc wrapper to enforce hardening toolchain improvements
SYNOPSIS
export DEB_BUILD_HARDENING=1
gcc ...
DESCRIPTION
The hardened-cc wrapper is normally used by calling gcc as usual when
DEB_BUILD_HARDENING is set to 1. It will configure the necessary
toolchain hardening features. By default, all features are enabled. If
a given feature does not work correctly and needs to be disabled, the
corresponding environment variables mentioned below can be set to 0.
ENVIRONMENT
DEB_BUILD_HARDENING=1
Enable hardening features.
DEB_BUILD_HARDENING_DEBUG=1
Print the full resulting gcc command line to STDERR before
calling gcc.
DEB_BUILD_HARDENING_STACKPROTECTOR=0
Disable stack overflow protection. See README.Debian for
details.
DEB_BUILD_HARDENING_RELRO=0
Disable read-only linker sections. See README.Debian for
details.
DEB_BUILD_HARDENING_FORTIFY=0
Don’t fortify several standard functions. See README.Debian for
details.
DEB_BUILD_HARDENING_PIE=0
Don’t build position independent executables. See README.Debian
for details.
DEB_BUILD_HARDENING_FORMAT=0
Disable unsafe format string usage errors. See README.Debian for
details.
NOTES
System-wide settings can be added to /etc/hardening-wrapper.conf, one
per line.
The real gcc symlinks are renamed gcc.real, and a diversion is
registered with dpkg-divert(1). Thus hardened-cc’s idea of the default
gcc is dictated by whatever package installed /usr/bin/gcc.
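As an added illustration (not the wrapper's own code) of the override model described above, this POSIX sh mimics how hardened-cc picks its options from DEB_BUILD_HARDENING, the per-feature variables and the system-wide conf file. It assumes the conf file is read first with per-build environment variables overriding it, and the gcc options attached to each feature are assumed typical values, since this page defers to README.Debian for the actual list.

```sh
#!/bin/sh
# Added illustration of hardened-cc's override model, not the wrapper's own code.
# Assumed: conf file is read first and the caller's environment overrides it; the
# gcc options per feature are typical values, not taken from this page.

# Constructed stand-in for the contents of /etc/hardening-wrapper.conf
# (one VAR=value per line): site policy turns PIE off for every build.
CONF_TEXT='# site policy
DEB_BUILD_HARDENING_PIE=0'

# Apply a conf line only when the caller has not already set that variable,
# so an explicit export for one build still wins over the system-wide file.
load_conf() {
    while IFS= read -r line; do
        case $line in
            DEB_BUILD_HARDENING*=*) ;;
            *) continue ;;            # skip comments, blanks, unrelated lines
        esac
        name=${line%%=*}
        eval "cur=\${$name:-}"
        [ -n "$cur" ] || export "$line"
    done <<EOF
$CONF_TEXT
EOF
}
# A feature is on unless its variable is exactly 0 (the default-on rule).
on() { eval "v=\${$1:-1}"; [ "$v" != 0 ]; }

# Options the wrapper would prepend; empty unless DEB_BUILD_HARDENING=1.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = 1 ] || return 0
    load_conf
    flags=''
    on DEB_BUILD_HARDENING_STACKPROTECTOR && flags="$flags -fstack-protector"
    on DEB_BUILD_HARDENING_FORTIFY && flags="$flags -D_FORTIFY_SOURCE=2"
    on DEB_BUILD_HARDENING_FORMAT && flags="$flags -Wformat -Werror=format-security"
    on DEB_BUILD_HARDENING_PIE && flags="$flags -fPIE -pie"
    on DEB_BUILD_HARDENING_RELRO && flags="$flags -Wl,-z,relro"
    printf '%s' "${flags# }"
}

# Print the command line the wrapper would hand to gcc.real (see NOTES); with
# DEB_BUILD_HARDENING_DEBUG=1 it is echoed to STDERR first, as the page says.
hardened_cc() {
    flags=$(hardening_flags)
    cmd="gcc.real${flags:+ $flags} $*"
    [ "${DEB_BUILD_HARDENING_DEBUG:-0}" = 1 ] && echo "$cmd" >&2
    echo "$cmd"
}
```

Run it as `DEB_BUILD_HARDENING=1 sh -c '. ./hardened-cc-demo.sh; hardened_cc -c foo.c'` to see which options the constructed policy plus your environment would produce.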
SEE ALSO
hardened-ld(1) gcc(1)