.TH HARDENED-CC 1 "2008-01-08" "Debian Project" "Debian GNU/Linux"
.SH NAME
hardened-cc \- gcc wrapper to enforce hardening toolchain improvements
.SH SYNOPSIS
.BI "export DEB_BUILD_HARDENING=1"
.br
.B gcc
.I ...
.SH "DESCRIPTION"
The
.B hardened-cc
wrapper is normally used by calling
.B gcc
as usual when
.B DEB_BUILD_HARDENING
is set to 1. It will configure the necessary toolchain hardening features.
By default, all features are enabled. If a given feature does not work
correctly and needs to be disabled, the corresponding environment variables
mentioned below can be set to 0.
.SH ENVIRONMENT
.IP DEB_BUILD_HARDENING=1
Enable hardening features.
.IP DEB_BUILD_HARDENING_DEBUG=1
Print the full resulting gcc command line to STDERR before calling gcc.
.IP DEB_BUILD_HARDENING_OUTPUT=/some/path/debug.log
Instead of using STDERR for debugging, redirect to the given path. Some
builds are very sensitive to unexpected STDERR output.
.IP DEB_BUILD_HARDENING_STACKPROTECTOR=0
Disable stack overflow protection. See README.Debian for details.
.IP DEB_BUILD_HARDENING_RELRO=0
Disable read-only linker sections. See README.Debian for details.
.IP DEB_BUILD_HARDENING_FORTIFY=0
Don't fortify several standard functions. See README.Debian for details.
.IP DEB_BUILD_HARDENING_PIE=0
Don't build position independent executables. See README.Debian for details.
.IP DEB_BUILD_HARDENING_FORMAT=0
Disable unsafe format string usage errors. See README.Debian for details.
.SH NOTES
System-wide settings can be added to
.IR /etc/hardening-wrapper.conf ,
one per line. The real
.B gcc
symlinks are renamed
.BR gcc.real ,
and a diversion is registered with
.BR dpkg-divert (1).
Thus
.BR hardened-cc 's
idea of the default
.B gcc
is dictated by whatever package installed
.IR /usr/bin/gcc .
.SH "SEE ALSO"
.BR hardened-ld (1)
.BR gcc (1)