[gentoo-dev] Hardening a default profile

[Michael Brinkman <thygreatswaggedone@gmail.com>]

 Hello, so I've been running Gentoo Hardened for a few years on my
laptop, my desktop, and a server made from an older desktop.

Because of Grsecurity closing access to its source to non-subscribers,
I decided that I would just try to stick with Gentoo-sources and
harden the default profile and follow the KSSP guidelines to get as
close as possible without losing the testing kernel.  Because of this,
I no longer used the PaX features and decided switch to the default
profile and enabling my own flags.

I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all
and LDFLAGS with full RELRO support (and --sort-common). I saw that
GCC still uses the FORTIFY patch so I didn't need to add that. So far
I've had absolutely no issues with this setup but I was trying to see
if there's anything else I could do to bridge it closer to where it
was and noticed that there are several warnings against this as it
could break packages (including glibc). I've had no breakages myself
that are visable at least and no build failures.

So I was just wondering if ~arch is ready for more secure defaults on
the 17.0 profiles in the linker flags.  There are several
distributions which ship RELRO by default and I am not aware of any
performance issues regarding this.  At least to me it shouldn't be
warned against unless there are lots of build failures these days.  Of
course though, I'm not a dev and would like to see your perspective on
this.

Thank you,
Michael Brinkman