NAME
       hardened-c++ - G++ wrapper to enforce hardening toolchain improvements
SYNOPSIS
       export DEB_BUILD_HARDENING=1
       g++ ...
DESCRIPTION
       The hardened-c++ wrapper is normally used by calling g++ as usual when DEB_BUILD_HARDENING is set to 1. It will configure the necessary toolchain hardening features. By default, all features are enabled. If a given feature does not work correctly and needs to be disabled, the corresponding environment variable listed below can be set to 0.
ENVIRONMENT
       DEB_BUILD_HARDENING
              Enable hardening features.

       DEB_BUILD_HARDENING_DEBUG
              Print the full resulting g++ command line to STDERR before calling g++.

       DEB_BUILD_HARDENING_DEBUG_PATH
              Instead of using STDERR for debugging, redirect to the given path. Some builds are very sensitive to unexpected STDERR output.

       DEB_BUILD_HARDENING_STACKPROTECTOR
              Disable stack overflow protection. See README.Debian for details.

       DEB_BUILD_HARDENING_RELRO
              Disable read-only linker sections. See README.Debian for details.

       DEB_BUILD_HARDENING_FORTIFY
              Don't fortify several standard functions. See README.Debian for details.

       DEB_BUILD_HARDENING_PIE
              Don't build position independent executables. See README.Debian for details.

       DEB_BUILD_HARDENING_FORMAT
              Disable unsafe format string usage errors. See README.Debian for details.
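As an added illustration that is not part of the hardening-wrapper package's own code, the POSIX shell model below reproduces the variable handling described above: nothing is added unless DEB_BUILD_HARDENING is 1, every feature is on unless its variable is set to 0, and the debug line goes to STDERR or to the path in DEB_BUILD_HARDENING_DEBUG_PATH. The mapping from each feature to particular g++ flags is an assumption made here, not something this page states.

```shell
#!/bin/sh
# Constructed model of the wrapper's environment handling (not the package's
# own code). The feature-to-flag mapping below is an assumption.

# is_enabled VAR: a feature stays on unless its variable is set to exactly "0".
is_enabled() {
    eval "val=\${$1:-1}"
    [ "$val" != "0" ]
}

# hardening_flags: print the flags the wrapper would add ahead of the user's
# arguments; print nothing unless DEB_BUILD_HARDENING is 1.
hardening_flags() {
    [ "${DEB_BUILD_HARDENING:-0}" = "1" ] || return 0
    flags=""
    is_enabled DEB_BUILD_HARDENING_STACKPROTECTOR &&
        flags="$flags -fstack-protector --param=ssp-buffer-size=4"
    is_enabled DEB_BUILD_HARDENING_FORTIFY &&
        flags="$flags -D_FORTIFY_SOURCE=2"
    is_enabled DEB_BUILD_HARDENING_FORMAT &&
        flags="$flags -Wformat -Wformat-security -Werror=format-security"
    is_enabled DEB_BUILD_HARDENING_PIE &&
        flags="$flags -fPIE -pie"
    is_enabled DEB_BUILD_HARDENING_RELRO &&
        flags="$flags -Wl,-z,relro"
    printf '%s\n' "${flags# }"
}

# build_cmdline REAL_GXX ARGS...: the full command line the wrapper would run.
# With DEB_BUILD_HARDENING_DEBUG=1 it is also written to STDERR, or appended
# to DEB_BUILD_HARDENING_DEBUG_PATH when that is set.
build_cmdline() {
    real="$1"; shift
    flags=$(hardening_flags)
    cmd="$real${flags:+ $flags} $*"
    if [ "${DEB_BUILD_HARDENING_DEBUG:-0}" = "1" ]; then
        if [ -n "${DEB_BUILD_HARDENING_DEBUG_PATH:-}" ]; then
            printf '%s\n' "$cmd" >> "$DEB_BUILD_HARDENING_DEBUG_PATH"
        else
            printf '%s\n' "$cmd" >&2
        fi
    fi
    printf '%s\n' "$cmd"
}

# Demo: a hardened build with PIE switched off for a build that cannot take it.
(DEB_BUILD_HARDENING=1 DEB_BUILD_HARDENING_PIE=0; build_cmdline /usr/bin/g++.real -O2 -c foo.cpp)
```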
FILES
       /etc/hardening-wrapper.conf
              System-wide settings can be added to this file, one per line.
NOTES
       The real g++ symlinks are renamed g++.real, and a diversion is registered with dpkg-divert(1). Thus hardened-c++'s idea of the default g++ is dictated by whatever package installed /usr/bin/g++.
SEE ALSO
       hardened-ld(1), g++(1)