Re: [gentoo-dev] Moving more hardening features to default?

[Magnus Granberg <zorry@gentoo.org>]

torsdag 20 oktober 2011 13.17.33 skrev  Mike Frysinger:
> On Thursday 20 October 2011 12:47:27 Rich Freeman wrote:
> > I was trying to draw a contrast between passive things like
> > stack-protection and things that really get in your face like MAC.
> 
> the trouble was in the context quoting then ... it sounded like you were
> proposing PaX by default
> 
> i am a fan of things that "just work" though which is why i was happy to
> merge the fortify source code.  most of that checking is done at compile
> time, so the runtime overhead is generally small.  and in terms of packages
> that did break, it was (more often than not) because they were broken
> already but we never noticed.
> -mike

Hi

Debian has start to add some hardened features but take a look at ubuntu
https://wiki.ubuntu.com/Security/Features

Adding ssp support to main would not be a problem for most package works with 
it. We use same patch as ubuntu's toolchain to enable ssp, but we enable 
-fstack-protector-all instead of -fstack-protector.  You will, however, have 
some performance penalty enabling it.

Adding PIE to main is much harder than ssp.  On x86 it will have a high 
performance penalty and a lot of trouble with asm code.  The only arch I would 
add PIE on is amd64 where it will have only a minor performance penalty and we 
already have shared libs compile with PIC.  The biggest problem we have with 
PIE on amd64 is asm code in the apps where upstream is not that interested in 
making the asm PIC aware.  It hards to keep the patches up to date when they 
are not maintained upstream.

There are about 30 packages which have problems with PIE.  We either add patch 
to these or else use filter-flags on them.

my 2c
/Magnus (Zorry)