public inbox for gentoo-dev@lists.gentoo.org
From: Matthias Maier <tamiko@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Hardening a default profile
Date: Thu, 15 Jun 2017 10:20:37 -0500
Message-ID: <878tktnupm.fsf@kestrel.kyomu.43-1.org>
In-Reply-To: <CAJ-1GrkKQch803nN9gjaFhUkZAiOtykCAYxeWGXUbeYij6LfMg@mail.gmail.com> (Michael Brinkman's message of "Sun, 11 Jun 2017 16:39:24 -0500")

Hi Michael,

On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@gmail.com> wrote:

> So I was just wondering if ~arch is ready for more secure defaults on
> the 17.0 profiles in the linker flags.  There are several
> distributions which ship RELRO by default and I am not aware of any
> performance issues regarding this.

We (i.e. toolchain) are in the process of enabling quite a number of
security hardening features on default profiles. In particular

 - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles

 - enable additional hardening features for glibc-2.25 and newer
   (will be merged soon).

But, yes. Updated linker flags are a very good point. I have put updated
linker flags on the toolchain meeting agenda for next week.


The hardened profiles (even used without a hardened kernel) will serve
an important difference in the future. While we try to enable as many
security features on default profiles as possible, we have to compromise
between security features and not introducing regressions. The hardened
profiles will thus have more aggressive security features enabled for
the foreseeable future (at the cost of more potential breakage).

Best,
Matthias
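The thread above talks about PIE, SSP and RELRO as profile defaults; what an administrator usually wants next is a way to confirm that a built binary actually carries those properties. The following is an added example, not code from the list thread or from Gentoo's toolchain project: a small pure-Python ELF64 inspector that reports PIE (ET_DYN object type), partial versus full RELRO (PT_GNU_RELRO segment, plus DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic section, which is what `-Wl,-z,relro,-z,now` produces), a non-executable stack (PT_GNU_STACK without PF_X), and a stack-protector heuristic (presence of the `__stack_chk_fail` symbol name). Because it needs an input to run offline, it also includes `build_sample_elf`, a hypothetical helper that emits a tiny constructed ELF image with the chosen properties; that image is test data only and is not executable.

```python
"""Check an ELF64 (little-endian) binary for the hardening properties the
thread discusses: PIE, RELRO (partial/full), non-executable stack, SSP."""
import struct
import sys

ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                 # Elf64_Dyn, 16 bytes


def check_hardening(data: bytes) -> dict:
    """Return a dict describing which hardening features the image has."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 images are supported")
    (_, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum,
     *_rest) = EHDR.unpack_from(data, 0)
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize)
             for i in range(e_phnum)]

    # RELRO: a PT_GNU_RELRO segment makes it partial; BIND_NOW makes it full.
    has_relro = any(p[0] == PT_GNU_RELRO for p in phdrs)
    bind_now = False
    for p_type, _flags, p_offset, _va, _pa, p_filesz, *_ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if (tag == DT_BIND_NOW
                    or (tag == DT_FLAGS and val & DF_BIND_NOW)
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW)):
                bind_now = True

    # NX: PT_GNU_STACK present and not marked executable.
    stack = [p for p in phdrs if p[0] == PT_GNU_STACK]
    return {
        # Caveat: shared libraries are ET_DYN too; for them "pie" is moot.
        "pie": e_type == ET_DYN,
        "relro": "full" if (has_relro and bind_now)
                 else "partial" if has_relro else "none",
        # Heuristic: SSP-instrumented code references __stack_chk_fail.
        "stack_protector": b"__stack_chk_fail" in data,
        "nx_stack": bool(stack) and not (stack[0][1] & PF_X),
    }


def build_sample_elf(pie: bool, relro: bool, bind_now: bool,
                     ssp: bool, nx: bool) -> bytes:
    """Constructed test input: a minimal, non-runnable ELF64 image whose
    headers carry exactly the requested hardening markers (hypothetical)."""
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW) if bind_now else b""
    dyn += DYN.pack(DT_NULL, 0)
    tail = b"__stack_chk_fail\x00" if ssp else b"__other_symbol\x00"
    n = 3 if relro else 2  # PT_DYNAMIC + PT_GNU_STACK (+ PT_GNU_RELRO)
    dyn_off = EHDR.size + n * PHDR.size
    phdrs = [
        PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8),
        PHDR.pack(PT_GNU_STACK, 6 if nx else 7, 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off,
                               len(dyn), len(dyn), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, n, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn + tail


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary
    with open(sys.argv[1], "rb") as fh:
        for key, value in check_hardening(fh.read()).items():
            print(f"{key:16} {value}")
```

Run it against a real binary to see what a given profile's defaults produced; on the constructed images, the fully hardened sample reports `pie=True`, `relro=full`, `stack_protector=True`, `nx_stack=True`. The `__stack_chk_fail` check is the same heuristic most "checksec"-style scripts use and can miss statically linked or stripped edge cases, so treat it as a quick triage signal rather than proof.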



Thread overview: 7+ messages
2017-06-11 21:39 [gentoo-dev] Hardening a default profile Michael Brinkman
2017-06-15 14:39 ` Tiziano Müller
2017-06-15 15:20 ` Matthias Maier [this message]
2017-06-16  0:05   ` Anthony G. Basile
2017-06-16  0:52     ` Matthias Maier
2017-06-17 11:43       ` Andrew Savchenko
2017-06-17 12:23         ` Alexis Ballier
