author Robert Scott <code@humanleg.org.uk> 2024-06-05 23:08:47 +0100
committer Robert Scott <code@humanleg.org.uk> 2024-06-05 23:10:19 +0100
commit 65cc6d3cf151552de1a5ed2868daea3c8e4aa5bc
tree fa3e0b7cea03a0f67bb90261c83c7e40a6364591 /doc
parent a8062e526cb6448373b95028c4f91800ba108662
doc/stdenv: hardening flags: add section on fortify3
Diffstat (limited to 'doc')
-rw-r--r-- doc/stdenv/stdenv.chapter.md | 10
1 files changed, 10 insertions, 0 deletions
diff --git a/doc/stdenv/stdenv.chapter.md b/doc/stdenv/stdenv.chapter.md
index 368e7be93825..a331ceb689ec 100644
--- a/doc/stdenv/stdenv.chapter.md
+++ b/doc/stdenv/stdenv.chapter.md
@@ -1609,6 +1609,16 @@ installwatch.c:3751:5: error: conflicting types for '__open_2'
fcntl2.h:50:4: error: call to '__open_missing_mode' declared with attribute error: open with O_CREAT or O_TMPFILE in second argument needs 3 arguments
```
+Disabling `fortify` implies disablement of `fortify3`
+
+#### `fortify3` {#fortify3}
+
+Adds the `-O2 -D_FORTIFY_SOURCE=3` compiler options. This expands the cases that can be protected by fortify-checks to include some situations with dynamic-length buffers whose length can be inferred at runtime using compiler hints.
+
+Enabling this flag implies enablement of `fortify`. Disabling this flag does not imply disablement of `fortify`.
+
+This flag can sometimes conflict with a build-system's own attempts at enabling fortify support and result in errors complaining about `redefinition of _FORTIFY_SOURCE`.
+
#### `pic` {#pic}
Adds the `-fPIC` compiler options. This options adds support for position independent code in shared libraries and thus making ASLR possible.
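Review bot: The first added line, "Disabling `fortify` implies disablement of `fortify3`", has no trailing period and mentions `fortify3` before the `#### fortify3` heading introduces it; end it with a period and link it to `#fortify3` so a reader of the `fortify` section can follow it. In the `fortify3` description, "compiler hints" is vague: say which hints are meant, or drop the phrase, so it is clear which dynamic-length buffers gain checks over plain `fortify`. The last added paragraph names the `redefinition of _FORTIFY_SOURCE` error but gives no remedy; add a sentence on what a packager should do when the build system sets `_FORTIFY_SOURCE` itself. Minor: "build-system's" reads better as "build system's".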