Looking into hardening of Ruby, this [1] PR was recently merged. If I understand correctly, it includes this [2] header (leaving aside the OpenBSD condition), which needs to have the `__CET__` macro defined. If I read the documentation [3] correctly, it is defined when the compiler is provided with the `-fcf-protection` option. Ruby does not set the option on its own (as likely with other flags we set by default), and I wonder, shouldn't this rather be configured system-wide via ASFLAGS? I am afraid that including the header is likely not enough for proper hardening, but not trying to include it is also wrong, isn't it?

[1]: https://github.com/ruby/ruby/pull/10987
[2]: https://github.com/gcc-mirror/gcc/blob/8088374a868aacab4dff208ec3e3fde790a1d9a3/gcc/config/i386/cet.h
[3]: https://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html

Reproducible: Always
@fweimer actually, in the context of [1], isn't this a gap from the beginning? IOW, if an app/lib includes some assembler code, it is not hardened, while at first look it appears otherwise.

[1]: https://fedoraproject.org/wiki/Changes/HardeningFlags28
GNU make has a default rule that passes $(ASFLAGS) to $(AS), which is the as program, not the gcc compiler driver: https://www.gnu.org/software/make/manual/html_node/Catalogue-of-Rules.html#index-assembly_002c-rule-to-compile

So ASFLAGS is really not the place to pass -fcf-protection. It's not an option that the as program can understand, and direct invocations of as won't use the preprocessor anyway. This is something that needs to be solved on a per-package basis, unfortunately.
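The following is an added check, not code from the bug report, from Ruby or from GCC. It shows the mechanism the two comments above turn on: `__CET__` (which cet.h tests) only exists when the assembler source is preprocessed through the gcc driver with `-fcf-protection`, so the flag has to reach the driver's invocation for `.S` files, not `as`. It assumes `gcc` is on PATH; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the bug report or from the Ruby/GCC projects).
# Queries what the gcc driver defines __CET__ to when preprocessing an
# assembler-with-cpp input under a given set of flags. Assumes gcc on PATH.

# Print the value gcc defines for __CET__ when preprocessing an empty
# assembler-with-cpp input with the given extra flags. Prints nothing when the
# macro is not defined, when gcc is missing, or when gcc rejects the flag for
# this target (e.g. a non-x86 toolchain without CET support).
cet_macro_value() {
    gcc -E -dM -x assembler-with-cpp "$@" /dev/null 2>/dev/null \
        | awk '$2 == "__CET__" { print $3 }'
}

# Return 0 when cet.h would see __CET__ under the given flags, 1 otherwise.
cet_enabled_with() {
    [ -n "$(cet_macro_value "$@")" ]
}

# Some distribution gcc builds turn -fcf-protection on by default, so use an
# explicit -fcf-protection=none as the baseline rather than "no flag at all".
if cet_enabled_with -fcf-protection=none; then
    echo "baseline (-fcf-protection=none): __CET__ unexpectedly defined"
else
    echo "baseline (-fcf-protection=none): __CET__ undefined, cet.h emits nothing"
fi

if cet_enabled_with -fcf-protection; then
    echo "with -fcf-protection: __CET__=$(cet_macro_value -fcf-protection)"
else
    echo "with -fcf-protection: __CET__ still undefined (no gcc, or target without CET)"
fi

# The flag is a gcc driver option. GNU make's default n.s -> n.o rule runs
# "$(AS) $(ASFLAGS)", i.e. the bare assembler with no preprocessor, so putting
# -fcf-protection into ASFLAGS cannot make __CET__ appear there; the .S files
# must be compiled via the driver with the flag in the flags it receives.
```

On an x86-64 toolchain that supports CET the second line reports a non-empty `__CET__` value; the first line stays undefined regardless of distribution defaults, which is the state a `.S` file is in when it is assembled without the flag reaching the driver.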
Thanks for the hint. Looking into Ruby history, there is certainly something fishy. I am closing this for a while and will pursue an upstream change.