From: Ryan Hill
To: gentoo-dev@lists.gentoo.org
Cc: ago@gentoo.org
Subject: [gentoo-dev] Re: Improve the security of the default profile
Date: Sat, 7 Sep 2013 11:25:13 -0600
Organization: Gentoo
Message-ID: <20130907112513.3b7c585c@caribou.gateway.2wire.net>
In-Reply-To: <2258190.ks74ypJstN@devil>

On Thu, 05 Sep 2013 12:13:28 +0200
Agostino Sarubbo wrote:

> Hello,
>
> during an irc debate, me and other people just noticed that the default
> profile could use more flags to enhance the security.
>
> A hint is here:
> https://wiki.ubuntu.com/ToolChain/CompilerFlags
>
> Please argue about what we _don't_ use.
>
> Note: please CC me in your response.

* -fstack-protector{-all}

No thank you.  -fstack-protector has very limited coverage (which is why Ubuntu
felt they needed to mess with the min size) and -fstack-protector-all has
enough overhead that every distro that experimented with it dropped it in the
end.  If security is important enough to you that you are willing to take the
hit then you should be using hardened where it's the default.

There is a new option, -fstack-protector-strong, that's intended to be a
balance between the two extremes and something that distros can enable by
default.  It was just added to mainline so it should be in GCC 4.9.  So let's
revisit this a couple years down the line.

* -D_FORTIFY_SOURCE=2

Enabled by default since gcc-4.5.0 (patch)

* -Wformat -Wformat-security

Enabled by default since gcc 4.3.3 (patch)

* -Wl,-z,relro

Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL
releases). (patch)

* -Wl,--hash-style={both,gnu}

Enabled by default since binutils 2.18 except on mips where it is unsupported.
(patch sets it to "both", developer profiles set it to "gnu" for ignored LDFLAGs
detection)

* -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed

Enabled by default since binutils 2.22. (upstream default)

* -Wl,--as-needed

Enabled by default since July 2010 (in profiles).  I think this is the upstream
default now as well.

In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs.

-- 
Ryan Hill                        psn: dirtyepic_sk
   gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49  8E9E 7F92 ED38 BD49 957A 8463
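
Added example (not part of the message above and not Gentoo's own tooling): a shell function that maps the flags listed in the reply to the traces they leave in `readelf` output, so a build can be checked for what the toolchain defaults actually produced. The names `audit_hardening`, `_has` and `_yn`, the `feature=state` output format and the sample readelf excerpt are assumptions constructed for illustration.

```shell
#!/bin/sh
# Input on stdin: output of  readelf -W -l -d --dyn-syms <binary>
# Output: one "feature=state" line per hardening feature.

# Return 0 if the captured readelf text matches extended regex $1.
_has() { printf '%s\n' "$_elf" | grep -Eq -- "$1"; }
_yn()  { if _has "$1"; then echo yes; else echo no; fi; }

audit_hardening() {
    _elf=$(cat)
    # -Wl,-z,relro: the linker emits a PT_GNU_RELRO program header.
    echo "relro=$(_yn 'GNU_RELRO')"
    # -fstack-protector*: instrumented functions call __stack_chk_fail.
    # "no" can also mean that no function met the protector's criteria.
    echo "stack_protector=$(_yn '__stack_chk_fail')"
    # -D_FORTIFY_SOURCE=2: calls are redirected to checked variants
    # (__memcpy_chk, __sprintf_chk, ...); this only happens when optimising.
    echo "fortify=$(_yn '__[a-z0-9_]+_chk(@|[[:space:]]|$)')"
    # DT_TEXTREL: relocations against the text segment.
    echo "textrel=$(_yn 'TEXTREL')"
    # -Wl,--hash-style: which symbol hash tables the dynamic section lists.
    if _has '\(GNU_HASH\)' && _has '\(HASH\)'; then echo "hash_style=both"
    elif _has '\(GNU_HASH\)'; then echo "hash_style=gnu"
    elif _has '\(HASH\)'; then echo "hash_style=sysv"
    else echo "hash_style=none"; fi
}

# Constructed sample (abridged readelf output), not taken from a real build.
SAMPLE_HARDENED='Program Headers:
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
Dynamic section at offset 0x2dc8 contains 27 entries:
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffef5 (GNU_HASH)           0x3a0
Symbol table .dynsym contains 9 entries:
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (4)'

# Demo on the constructed sample. Real use:
#   readelf -W -l -d --dyn-syms /path/to/binary | audit_hardening
printf '%s\n' "$SAMPLE_HARDENED" | audit_hardening
```

A `stack_protector=no` or `fortify=no` result shows only that the binary references no such symbol; it does not prove the flag was absent from the build.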