[PATCH] New option --enable-pie-programs

Fāng-ruì Sòng maskray@google.com
Wed Nov 24 01:04:35 GMT 2021


On Mon, Nov 22, 2021 at 3:40 PM Fangrui Song <maskray@google.com> wrote:
>
> On 2021-11-18, H.J. Lu via Libc-alpha wrote:
> >On Thu, Nov 18, 2021 at 10:09 AM Siddhesh Poyarekar <siddhesh@gotplt.org> wrote:
> >>
> >> On 11/18/21 23:28, H.J. Lu wrote:
> >> >> How do you see --disable-default-pie behaving with a compiler that
> >> >> produces PIE by default?  That is, in case where
> >> >> libc_cv_cc_default_pie=yes?  Should it add -fno-pie or leave it as is?
> >> >>
> >> >
> >> > It should add -fno-pie by default when building programs.
> >> >
> >>
> >> In that case I'm inclined towards --enable-default-pie=yes being the new
> >> default since AFAIK at least Ubuntu will have to start adding
> >> --enable-default-pie to its flags to maintain its current state with its
> >> default-pie toolchain.  With Fedora too I think we'd prefer to build PIE
> >> by default and I suspect other distros would be OK with that too.
> >>
> >> Those that don't could add --disable-default-pie to continue maintaining
> >> status quo.  This is a step forward security-wise IMO.
> >>
> >
> >Sounds reasonable to me.
>
> As a bonus, --enable-default-pie matches the GCC configure option name :)
>
> As for the auto mode which adds neither -fno-pic nor -fpie, I think it is
> unnecessary. --enable-default-pie + --disable-default-pie are sufficient.
>
> ---
>
> I think --enable-default-pie is the majority in the Linux world, so
> perhaps someone may want to make it the default in the upstream GCC.

I filed https://gcc.gnu.org/bugzilla/show_bug.cgi?id=103398
("configure: Enable --enable-default-pie by default for Linux"), but
it has been closed.
Anyone might want to chime in?

> After one or two llvm-project releases, I'll adjust my Clang patch
> https://reviews.llvm.org/D113372 to default to PIE.

