From: Michael Brinkman
Date: Sun, 11 Jun 2017 16:39:24 -0500
Subject: [gentoo-dev] Hardening a default profile
To: gentoo-dev@lists.gentoo.org

Hello, so I've been running Gentoo Hardened for a few years on my laptop, my desktop, and a server made from an older desktop. Because of Grsecurity closing access to its source to non-subscribers, I decided that I would just try to stick with Gentoo-sources and harden the default profile and follow the KSPP guidelines to get as close as possible without losing the testing kernel. Because of this, I no longer used the PaX features and decided to switch to the default profile and enable my own flags. I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all and LDFLAGS with full RELRO support (and --sort-common). I saw that GCC still uses the FORTIFY patch, so I didn't need to add that.

So far I've had absolutely no issues with this setup, but I was trying to see if there's anything else I could do to bridge it closer to where it was and noticed that there are several warnings against this as it could break packages (including glibc). I've had no breakages myself that are visible at least, and no build failures. So I was just wondering if ~arch is ready for more secure defaults on the 17.0 profiles in the linker flags.

There are several distributions which ship RELRO by default and I am not aware of any performance issues regarding this. At least to me it shouldn't be warned against unless there are lots of build failures these days. Of course though, I'm not a dev and would like to see your perspective on this.

Thank you,
Michael Brinkman
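The message above asks whether PIE and full RELRO could become linker-flag defaults. The following is an added example, not part of the original email or of any Gentoo tooling: a small ELF64 inspector that reports whether a binary is PIE (e_type == ET_DYN) and whether it has partial RELRO (a PT_GNU_RELRO segment) or full RELRO (PT_GNU_RELRO plus DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW in the dynamic section). It is the same check `readelf -l` and `readelf -d` would let you do by hand, useful for auditing what a rebuilt @world actually ended up with. The sample ELF it parses is constructed inline from the header constants (no real binary is needed), and `build_sample_elf` is a helper that exists only for this example; `check_hardening` accepts the bytes of any real ELF64 file as well.

```python
import struct
import sys

# ELF constants from the System V ABI / glibc elf.h
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_hardening(data: bytes) -> dict:
    """Return {'pie': bool, 'relro': 'none'|'partial'|'full'} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2:  # EI_CLASS 2 = 64-bit
        raise ValueError("not a 64-bit ELF file")
    e = "<" if data[5] == 1 else ">"  # EI_DATA 1 = little-endian
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)

    has_relro = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = struct.unpack_from(
            e + "IIQQQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro = True  # loader will mprotect() this range read-only after relocation
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz

    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from(e + "qQ", data, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_BIND_NOW
                    or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW)
                    or (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW)):
                bind_now = True  # all PLT entries resolved at load, so the GOT can be read-only too

    relro = "full" if has_relro and bind_now else "partial" if has_relro else "none"
    return {"pie": e_type == ET_DYN, "relro": relro}


def build_sample_elf(pie=True, relro=True, bind_now=True) -> bytes:
    """Construct a minimal ELF64 image (header + program headers + dynamic section) for testing."""
    n_ph = 2 if relro else 1
    ph_off = 64
    dyn_off = ph_off + n_ph * 56
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)  # what `-Wl,-z,now` emits
    dyn += struct.pack("<qQ", DT_NULL, 0)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # 64-bit, little-endian, v1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               ET_DYN if pie else ET_EXEC, 0x3E, 1, 0, ph_off, 0, 0,
                               64, 56, n_ph, 64, 0, 0)
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    # Usage: python check_relro.py /path/to/binary ...   (no args: inspect the constructed sample)
    targets = sys.argv[1:]
    if not targets:
        print("sample:", check_hardening(build_sample_elf()))
    for path in targets:
        with open(path, "rb") as fh:
            print(path, check_hardening(fh.read()))
```

Stack-protector use cannot be read from the headers the same way; for that you would look for a `__stack_chk_fail` reference in the dynamic symbol table, which this example leaves out.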