Merge pull request #340 from infosiftr/cflagz

tianon · web-flow · commit 1feb745d091d · 2016-12-05T15:48:16.000-08:00
Add cflags and ldflags for security and portability
diff --git a/5.6/Dockerfile b/5.6/Dockerfile
@@ -32,6 +32,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/alpine/Dockerfile b/5.6/alpine/Dockerfile
@@ -37,6 +37,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/apache/Dockerfile b/5.6/apache/Dockerfile
@@ -88,6 +88,16 @@ ENV PHP_EXTRA_BUILD_DEPS apache2-dev
 ENV PHP_EXTRA_CONFIGURE_ARGS --with-apxs2
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/fpm/Dockerfile b/5.6/fpm/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/fpm/alpine/Dockerfile b/5.6/fpm/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/zts/Dockerfile b/5.6/zts/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/5.6/zts/alpine/Dockerfile b/5.6/zts/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 0BD78B5F97500D450838F95DFE857D9A90D90EC1 6E4F6AB321FDC07F2C332E3AC2BF0BC433CFC8B3
 
 ENV PHP_VERSION 5.6.28
diff --git a/7.0/Dockerfile b/7.0/Dockerfile
@@ -32,6 +32,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/alpine/Dockerfile b/7.0/alpine/Dockerfile
@@ -37,6 +37,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/apache/Dockerfile b/7.0/apache/Dockerfile
@@ -88,6 +88,16 @@ ENV PHP_EXTRA_BUILD_DEPS apache2-dev
 ENV PHP_EXTRA_CONFIGURE_ARGS --with-apxs2
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/fpm/Dockerfile b/7.0/fpm/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/fpm/alpine/Dockerfile b/7.0/fpm/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/zts/Dockerfile b/7.0/zts/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.0/zts/alpine/Dockerfile b/7.0/zts/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS 1A4E8B7277C42E53DBA9C7B9BCAA30EA9C0D5763
 
 ENV PHP_VERSION 7.0.13
diff --git a/7.1/Dockerfile b/7.1/Dockerfile
@@ -32,6 +32,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/alpine/Dockerfile b/7.1/alpine/Dockerfile
@@ -37,6 +37,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/apache/Dockerfile b/7.1/apache/Dockerfile
@@ -88,6 +88,16 @@ ENV PHP_EXTRA_BUILD_DEPS apache2-dev
 ENV PHP_EXTRA_CONFIGURE_ARGS --with-apxs2
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/fpm/Dockerfile b/7.1/fpm/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/fpm/alpine/Dockerfile b/7.1/fpm/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-fpm --with-fpm-user=www-data --with-fpm-group=www-data
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/zts/Dockerfile b/7.1/zts/Dockerfile
@@ -33,6 +33,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/7.1/zts/alpine/Dockerfile b/7.1/zts/alpine/Dockerfile
@@ -38,6 +38,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ENV PHP_EXTRA_CONFIGURE_ARGS --enable-maintainer-zts
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS A917B1ECDA84AEC2B568FED6F50ABC807BD5DCD0
 
 ENV PHP_VERSION 7.1.0
diff --git a/Dockerfile-alpine.template b/Dockerfile-alpine.template
@@ -31,6 +31,16 @@ RUN mkdir -p $PHP_INI_DIR/conf.d
 ##<autogenerated>##
 ##</autogenerated>##
 
+# Apply stack smash protection to functions using local buffers and alloca()
+# Make PHP's main executable position-independent (improves ASLR security mechanism, and has no performance impact on x86_64)
+# Enable optimization (-O2)
+# Enable linker optimization (this sorts the hash buckets to improve cache locality, and is non-default)
+# Adds GNU HASH segments to generated executables (this is used if present, and is much faster than sysv hash; in this configuration, sysv hash is also generated)
+# https://github.com/docker-library/php/issues/272
+ENV CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
+ENV CPPFLAGS="$CFLAGS"
+ENV LDFLAGS="-Wl,-O1 -Wl,--hash-style=both"
+
 ENV GPG_KEYS %%GPG_KEYS%%
 
 ENV PHP_VERSION %%PHP_VERSION%%
diff --git a/Dockerfile-debian.template b/Dockerfile-debian.template
