From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-dev+bounces-81065-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id EBEAF139694
	for <garchives@archives.gentoo.org>; Thu, 15 Jun 2017 15:20:47 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id E706C21C09C;
	Thu, 15 Jun 2017 15:20:41 +0000 (UTC)
Received: from tsukuyomi.43-1.org (tsukuyomi.43-1.org [188.40.248.50])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id 97B0821C06C
	for <gentoo-dev@lists.gentoo.org>; Thu, 15 Jun 2017 15:20:41 +0000 (UTC)
From: Matthias Maier <tamiko@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Hardening a default profile
In-Reply-To: <CAJ-1GrkKQch803nN9gjaFhUkZAiOtykCAYxeWGXUbeYij6LfMg@mail.gmail.com>
	(Michael Brinkman's message of "Sun, 11 Jun 2017 16:39:24 -0500")
References: <CAJ-1GrkKQch803nN9gjaFhUkZAiOtykCAYxeWGXUbeYij6LfMg@mail.gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Date: Thu, 15 Jun 2017 10:20:37 -0500
Message-ID: <878tktnupm.fsf@kestrel.kyomu.43-1.org>
Precedence: bulk
List-Post: <mailto:gentoo-dev@lists.gentoo.org>
List-Help: <mailto:gentoo-dev+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-dev+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-dev+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-dev.gentoo.org>
X-BeenThere: gentoo-dev@lists.gentoo.org
Reply-to: gentoo-dev@lists.gentoo.org
MIME-Version: 1.0
Content-Type: text/plain
X-Archives-Salt: 0f029503-0812-44d5-9562-5015719d4a7e
X-Archives-Hash: 84c8f09f3a37310c86b3922cdaec7878

Hi Michael,

On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@gmail.com> wrote:

> So I was just wondering if ~arch is ready for more secure defaults on
> the 17.0 profiles in the linker flags.  There are several
> distributions which ship RELRO by default and I am not aware of any
> performance issues regarding this.

We (i.e. toolchain) are in the process of enabling quite a number of
security hardening features on default profiles. In particular

 - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles

 - enable additional hardening features for glibc-2.25 and newer
   (will be merged soon).

But, yes. Updated linker flags are a very good point. I have put updated
linker flags on the toolchain meeting agenda for next week.


The hardened profiles (even used without a hardened kernel) will serve
an important difference in the future. While we try to enable as many
security features on default profiles as possible, we have to compromise
between security features and not introducing regressions. The hardened
profiles will thus have more aggressive security features enabled for
the foreseeable future (at the cost of more potential breakage).

Best,
Matthias