mirror of
https://github.com/topjohnwu/selinux.git
synced 2024-12-11 13:26:01 +00:00
ca07a2ad46
Two makefiles of ours pass `-D_FORTIFY_SOURCE=2` directly to the
preprocessor. While this does not pose any problems when the value has
not been previously set, it can break the build if it is part of the
standard build flags.
The issue can easily be fixed by instead defining `_FORTIFY_SOURCE`
without specifying a concrete value. In this case, gcc will not error
out and simply keep using the previously defined value. On the other
hand, if no value has been defined, we will now compile with
`_FORTIFY_SOURCE=1`. From feature_test_macros(7):
If _FORTIFY_SOURCE is set to 1, with compiler optimization level 1
(gcc -O1) and above, checks that shouldn't change the behavior of
conforming programs are performed. With _FORTIFY_SOURCE set to 2,
some more checking is added, but some conforming programs might
fail.
While this leaves us with less checks for buffer overflows, it will only
enable checks that should not change behaviour of conforming programs.
With _FORTIFY_SOURCE=2, the compiler may even unintentionally change
behaviour of conforming programs. So in fact, one could even argue that
we should only be setting the value to 1 anyway to avoid surprising side
effects.
So this patch changes our CFLAGS to only pass `-D_FORTIFY_SOURCE`
without any concrete value, fixing the build issue.
Signed-off-by: Patrick Steinhardt <ps@pks.im>
|
||
|---|---|---|
| .. | ||
| include | ||
| man | ||
| src | ||
| utils | ||
| LICENSE | ||
| Makefile | ||
| VERSION | ||