Date: Thu, 29 Aug 2024 19:03:21 +0200
From: Stefano Brivio
To: Michal Privoznik
CC: passt-dev@passt.top, Rahil Bhimjiani
Subject: Re: [PATCH] Makefile: Enable _FORTIFY_SOURCE iff needed
Message-ID: <20240829190321.1743a5b4@elisabeth>
In-Reply-To: <6f3c749d01ab15eea130ddd6d879b3c7b60e191f.1724940903.git.mprivozn@redhat.com>
Organization: Red Hat
List-Id: Development discussion and patches for passt

On Thu, 29 Aug 2024 16:16:03 +0200
Michal Privoznik wrote:

> On some systems source fortification is enabled whenever code
> optimization is enabled (e.g. with -O2). Since code fortification
> is explicitly enabled too (with possibly different value than the
> system wants, there are three levels [1]), distros are required
> to patch our Makefile, e.g. [2].

Hah, thanks for the patch, I would have never guessed. I just tried
this on Alpine and, also there, gcc enables -D_FORTIFY_SOURCE=2 by
default, while it's not the case on Debian and Fedora.

> Detect whether fortification is not already enabled and enable it
> explicitly only if really needed.
>
> 1: https://www.gnu.org/software/libc/manual/html_node/Source-Fortification.html
> 2: https://github.com/gentoo/gentoo/commit/edfeb8763ac56112c59248c62c9cda13e5d01c97

Rahil, I'm going to apply this in a bit, once it's released you can
drop Makefile-2024.03.20.patch (I didn't understand why you needed that
patch and I forgot to ask, but Michal just explained).

> Signed-off-by: Michal Privoznik
> ---
>
> It may be worth exploring whether level 3 would be beneficial:
> https://developers.redhat.com/articles/2022/09/17/gccs-new-fortification-level#

I tried it a while ago, but at least in my quick test back then it
seemed to have a significant effect on TCP throughput. On the other
hand it might be worth understanding where that comes from and if it's
fixable somehow.

> Makefile | 9 ++++++++- > 1 file changed, 8 insertions(+), 1 deletion(-) > > diff --git a/Makefile b/Makefile > index 01fada4..74a9513 100644 > --- a/Makefile > +++ b/Makefile > @@ -33,9 +33,16 @@ AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/MIPS64EL/MIPSEL64/') > AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/HPPA/PARISC/') > AUDIT_ARCH := $(shell echo $(AUDIT_ARCH) | sed 's/SH4/SH/') > > +# On some systems enabling optimization also enables source fortification, > +# automagically. Do not override it. > +FORTIFY_FLAG := > +ifeq ($(shell $(CC) -O2 -dM -E - < /dev/null 2>&1 | grep ' _FORTIFY_SOURCE ' > /dev/null; echo $$?),1) > +FORTIFY_FLAG := -D_FORTIFY_SOURCE=2 > +endif > + > FLAGS := -Wall -Wextra -Wno-format-zero-length > FLAGS += -pedantic -std=c11 -D_XOPEN_SOURCE=700 -D_GNU_SOURCE > -FLAGS += -D_FORTIFY_SOURCE=2 -O2 -pie -fPIE > +FLAGS += $(FORTIFY_FLAG) -O2 -pie -fPIE > FLAGS += -DPAGE_SIZE=$(shell getconf PAGE_SIZE) > FLAGS += -DNETNS_RUN_DIR=\"/run/netns\" > FLAGS += -DPASST_AUDIT_ARCH=AUDIT_ARCH_$(AUDIT_ARCH)

-- 
Stefano
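
Review bot: The ifeq probe in the added block tests only whether _FORTIFY_SOURCE is predefined (grep ' _FORTIFY_SOURCE '), not which level it is defined to, so a toolchain that predefines it as 0 or 1 would leave FORTIFY_FLAG empty and the build would end up below the unconditional -D_FORTIFY_SOURCE=2 that this patch removes from FLAGS. Suggest extracting the value from the -dM -E output and adding the flag when the macro is absent or below 2, or stating in the comment that the toolchain's level always wins. The comparison is also against exit status 1 only, so any other outcome of the pipeline (grep returning 2, for instance) silently leaves fortification off; checking for status 0 and adding the flag in every other case would fail safe.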