From a013956e4fb7d9e18a105cf64e4d9ea924a3459b Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Tue, 23 Jan 2018 16:25:52 +0100 Subject: [PATCH] Build flags: Mention -fplugin-arg-annobin-disable --- buildflags.md | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) diff --git a/buildflags.md b/buildflags.md index 22b64f3..e9f700e 100644 --- a/buildflags.md +++ b/buildflags.md @@ -59,12 +59,20 @@ position-dependent (no full ASLR) and use lazy binding. By default, the build flags cause a special output section to be included in ELF files which describes certain aspects of the build. -To change this, include this in the RPM spec file: +To change this for all compiler invocations, include this in the RPM +spec file: %undefine _annotated_build -This turns off watermarking, making it impossible to do full hardening -coverage analysis for any binaries produced. +Be warned that this turns off watermarking, making it impossible to do +full hardening coverage analysis for any binaries produced. + +It is possible to disable annotations for individual compiler +invocations, using the `-fplugin-arg-annobin-disable` flag. However, +the annobin plugin must still be loaded for this flag to be +recognized, so it has to come after the hardening flags on the command +line (it has to be added at the end of `CFLAGS`, or specified after +the `CFLAGS` variable contents). ### Strict symbol checks in the link editor (ld)
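Review bot: the new paragraph on `-fplugin-arg-annobin-disable` gives the ordering constraint in prose only, while the `%undefine _annotated_build` case just above it gets a literal spec line. A short spec-file example showing the flag appended after the `CFLAGS` contents would make the "has to come after the hardening flags" requirement harder to get wrong. The "Be warned" sentence about losing full hardening coverage analysis is attached only to the global switch, so the per-invocation paragraph should say whether objects compiled with the flag are likewise excluded from that analysis; otherwise a packager may read the per-invocation flag as having no cost. The paragraph also names only `CFLAGS`; if the same ordering rule applies to other flag variables, state that explicitly.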