Re: [gentoo-dev] Hardening a default profile

["Anthony G. Basile" <blueness@gentoo.org>]

On 6/15/17 11:20 AM, Matthias Maier wrote:
> Hi Michael,
> 
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@gmail.com> wrote:
> 
>> So I was just wondering if ~arch is ready for more secure defaults on
>> the 17.0 profiles in the linker flags.  There are several
>> distributions which ship RELRO by default and I am not aware of any
>> performance issues regarding this.
> 
> We (i.e. toolchain) are in the process of enabling quite a number of
> security hardening features on default profiles. In particular
> 
>  - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
> 

there should be a way of turning these off systematically.  the
advantage of the current hardened gcc specs is that one can switch
between them using gcc-config.  if these are forced on for the default
profile then there will be no easy way to systematically turn them off.

for those who don't used hardened, gcc-config -l on hardened profile gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *
 [2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
 [3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
 [4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
 [5] x86_64-pc-linux-gnu-5.4.0-vanilla

while on the default profiles it gives:

 [1] x86_64-pc-linux-gnu-5.4.0 *

[5] on the hardened profile is equivalent to [1] on the vanilla.

maybe we should consider merging the hardened and default profiles?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@gentoo.org
GnuPG FP  : 1FED FAD9 D82C 52A5 3BAB  DC79 9384 FA6E F52D 4BBA
GnuPG ID  : F52D4BBA