From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Hardening a default profile
Date: Thu, 15 Jun 2017 20:05:11 -0400
Message-ID: <60680dd3-b243-cfe7-43ce-50361cd4c65e@gentoo.org>
In-Reply-To: <878tktnupm.fsf@kestrel.kyomu.43-1.org>
On 6/15/17 11:20 AM, Matthias Maier wrote:
> Hi Michael,
>
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@gmail.com> wrote:
>
>> So I was just wondering if ~arch is ready for more secure defaults on
>> the 17.0 profiles in the linker flags. There are several
>> distributions which ship RELRO by default and I am not aware of any
>> performance issues regarding this.
>
> We (i.e. toolchain) are in the process of enabling quite a number of
> security hardening features on default profiles. In particular
>
> - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
>
There should be a way of turning these off systematically. The
advantage of the current hardened gcc specs is that one can switch
between them using gcc-config. If these are forced on for the default
profile then there will be no easy way to systematically turn them off.
For those who don't use hardened, gcc-config -l on the hardened profile gives:
[1] x86_64-pc-linux-gnu-5.4.0 *
[2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
[3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
[4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
[5] x86_64-pc-linux-gnu-5.4.0-vanilla
While on the default profiles it gives:
[1] x86_64-pc-linux-gnu-5.4.0 *
[5] on the hardened profile is equivalent to [1] on the vanilla.
maybe we should consider merging the hardened and default profiles?
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
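The thread is about whether PIE, SSP and RELRO become the default for the 17.0 profiles and how one would tell which spec a given binary was actually built with. The following is an added example, not code from the thread, from Gentoo or from gcc-config: it inspects an ELF64 little-endian image directly (no readelf/binutils needed) and reports PIE (ET_DYN), RELRO (PT_GNU_RELRO segment, "full" only when BIND_NOW is also set via DT_BIND_NOW, DT_FLAGS or DT_FLAGS_1) and SSP (presence of `__stack_chk_fail` in the dynamic string table, a heuristic that misses static binaries). `build_elf()` constructs minimal, non-runnable test images so the checker can be exercised offline; `check_file()` and the `__main__` block are for pointing it at real binaries.

```python
"""Report PIE / RELRO / BIND_NOW / SSP markers of an ELF64 (LE) image.

Added example for the hardening discussion above; not part of the thread,
of Gentoo or of gcc-config.  Assumes ELF64 little-endian input; SSP is
detected heuristically via the __stack_chk_fail entry in .dynstr.
"""
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ = 0, 5, 10
DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def _vaddr_to_off(loads, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_offset, p_vaddr, p_filesz in loads:
        if p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("address %#x not backed by a PT_LOAD segment" % vaddr)


def elf_hardening(blob: bytes) -> dict:
    """Return {'pie','relro','bind_now','ssp'} for an ELF64 LE image."""
    if blob[:4] != b"\x7fELF" or blob[4] != 2 or blob[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type,) = struct.unpack_from("<H", blob, 16)
    (e_phoff,) = struct.unpack_from("<Q", blob, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", blob, 54)

    loads, dynamic, relro = [], None, False
    for i in range(e_phnum):
        p_type, _fl, p_offset, p_vaddr, _pa, p_filesz, _ms, _al = struct.unpack_from(
            "<IIQQQQQQ", blob, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_offset, p_vaddr, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            relro = True           # the loader will mprotect this range read-only

    tags = {}                      # first occurrence of each dynamic tag
    if dynamic:
        off, end = dynamic[0], dynamic[0] + dynamic[1]
        while off + 16 <= end:
            d_tag, d_val = struct.unpack_from("<qQ", blob, off)
            if d_tag == DT_NULL:
                break
            tags.setdefault(d_tag, d_val)
            off += 16

    # -z now can be expressed three ways by different linker generations.
    bind_now = (DT_BIND_NOW in tags
                or bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW))

    ssp = False                    # heuristic: canary failure hook imported from libc
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = _vaddr_to_off(loads, tags[DT_STRTAB])
        ssp = b"\0__stack_chk_fail\0" in blob[start:start + tags[DT_STRSZ]]

    return {
        "pie": e_type == ET_DYN,   # caveat: shared objects are ET_DYN as well
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        "bind_now": bind_now,
        "ssp": ssp,
    }


def check_file(path: str) -> dict:
    with open(path, "rb") as f:
        return elf_hardening(f.read())


def build_elf(pie=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed minimal ELF64 image (not runnable) carrying the given markers."""
    strtab = b"\0" + (b"__stack_chk_fail\0" if ssp else b"")
    strtab_off, dyn_off, size = 0x200, 0x300, 0x400
    dyn = struct.pack("<qQ", DT_STRTAB, strtab_off) + struct.pack("<qQ", DT_STRSZ, len(strtab))
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_LOAD, 5, 0, 0, 0, size, size, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
            + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                          64, 0, 0, 64, 56, len(phdrs), 64, 0, 0))
    img = bytearray(size)
    img[:64] = ehdr
    img[64:64 + 56 * len(phdrs)] = b"".join(struct.pack("<IIQQQQQQ", *p) for p in phdrs)
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:dyn_off + len(dyn)] = dyn
    return bytes(img)


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        print(path, check_file(path))
```

Run it against a binary built under each gcc-config spec listed above to see which markers that spec actually produces; "relro: partial" with "bind_now: False" is what plain `-z relro` without `-z now` gives.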
Thread overview: 7+ messages
2017-06-11 21:39 [gentoo-dev] Hardening a default profile Michael Brinkman
2017-06-15 14:39 ` Tiziano Müller
2017-06-15 15:20 ` Matthias Maier
2017-06-16 0:05 ` Anthony G. Basile [this message]
2017-06-16 0:52 ` Matthias Maier
2017-06-17 11:43 ` Andrew Savchenko
2017-06-17 12:23 ` Alexis Ballier