From: Sergey Popov
Date: Thu, 05 Sep 2013 14:54:45 +0400
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Improve the security of the default profile
Message-ID: <522862F5.8000106@gentoo.org>
In-Reply-To: <20130905124701.2ce1b44d@TOMWIJ-GENTOO>

05.09.2013 14:47, Tom Wijsman wrote:
> On Thu, 05 Sep 2013 12:13:28 +0200
> Agostino Sarubbo wrote:
>
>> Hello,
>>
>> during an irc debate, me and other people just noticed that the
>> default profile could use more flags to enhance the security.
>>
>> A hint is here:
>> https://wiki.ubuntu.com/ToolChain/CompilerFlags
>>
>> Please argue about what we _don't_ use.
>>
>> Note: please CC me in your response.
>
> What I wonder about here is at which cost this does come, when looking
> at the fstack-protector then I see that it "emits extra code"; so, now
> the question is what kind of overhead this causes.
>
> I am pretty sure security might not be that important on a real time
> system that perhaps isn't connected to the internet; so, besides making
> it the default, we might want to introduce the necessary means to turn
> it off again, by the very least perhaps documentation would suffice.
>
> Do you intend to discuss that flag or more generally any security flag?
>

Regarding -fstack-protector - it can be used at least in hardened
profiles (but I have some sort of bad experience with it and uclibc[1]).
Also, the kernel has an appropriate option to enable it during build.
However, I am not skilled with GCC internals, so I can say nothing about
the performance impact this flag may have.
Maybe toolchain guys can bring light on this ;-)

[1] - https://bugs.gentoo.org/show_bug.cgi?id=470608

-- 
Best regards, Sergey Popov
Gentoo developer
Gentoo Desktop Effects project lead
Gentoo Qt project lead
Gentoo Proxy maintainers project lead