From: Matthias Maier
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Hardening a default profile
In-Reply-To: <60680dd3-b243-cfe7-43ce-50361cd4c65e@gentoo.org> (Anthony G. Basile's message of "Thu, 15 Jun 2017 20:05:11 -0400")
Date: Thu, 15 Jun 2017 19:52:07 -0500

> there should be a way of turning these off systematically. the
> advantage of the current hardened gcc specs is that one can switch
> between them using gcc-config. if these are forced on for the default
> profile then there will be no easy way to systematically turn them off.

No - there won't be an easy way for systematically turning off SSP and PIE in 17.0 profiles [1,2].

The hardened toolchain with its different gcc profiles came from a time where SSP and PIE were relatively new security features and a certain amount of fine-grained control was needed. Further, at that time we were talking about external patches against gcc. Nowadays everything is upstreamed and (almost) no patches to gcc for hardened profiles are applied any more.

Given the fact that all major Linux distributions are following the path of improved default hardening features (see for example [1]) and that we have been using ssp/pie in hardened profiles for years now, the purpose of fine-grained control over ssp/pie is also highly questionable.

The consensus at the moment is that PIE and SSP (as well as stricter linker flags) will soon be standard (or, actually *are* already standard) compilation options. A per-package override (if absolutely needed) is fine - and, in fact, already in place everywhere where needed.

Thus, we should go with the times and simply force these well tested hardening features on platforms that support them.

Best,
Matthias

[1] for amd64/x86 and well supported profiles
[2] there is always the possibility to override forced use flags

[1] https://wiki.debian.org/Hardening/PIEByDefaultTransition