From: Martin Vaeth <vaeth@mathematik.uni-wuerzburg.de>
To: gentoo-dev@lists.gentoo.org
Subject: [gentoo-dev] Re: Improve the security of the default profile
Date: Sat, 7 Sep 2013 18:10:42 +0000 (UTC)
Message-ID: <slrnl2mr1a.1lk.vaeth@lounge.imp.fu-berlin.de>
In-Reply-To: 20130907112513.3b7c585c@caribou.gateway.2wire.net
Ryan Hill <dirtyepic@gentoo.org> wrote:
>
> * -fstack-protector{-all}
> No thank you. -fstack-protector has very limited coverage
I'd say it covers most cases where bugs can be made,
practically without a severe impact on execution time or code size.
In contrast, -fstack-protector-all should be left to hardened, since
its impact is unacceptable to e.g. multimedia systems - the
protection is probably over-the-top for normal users.
I'd vote for enabling -fstack-protector by default:
I have been using it for many years (though I do not use the hardened profile,
since -fstack-protector-all had too much of a performance impact for me).
> -fstack-protector-strong
One can later still change to this when >=gcc-4.9 is available in stable.
> * -Wl,-z,relro
> Enabled by default since binutils 2.18
This gives its real impact on security only when combined with
* -Wl,-z,now
The latter is not enabled by default AFAIK.
The latter can slightly decrease load times, but repeated starting is
usually even faster with it. Thus, performance impact is somewhat
balanced, but it increases security slightly (though it would need
a good expert to exploit the problems when it is not used).
I strongly suggest using -Wl,-z,now (and filtering it on some
packages which won't work with it like xorg drivers).
I have also been using this flag for many years (filtering certain packages;
if desired, I can post a list).
I would also like to suggest another flag:
* -Wl,-z,noexecstack
This should be the default, but e.g. some broken gcc versions
forgot this default when using -flto.
I have been using this flag since I realized this -flto bug and never
had any problems with it.
> * -Wl,--hash-style={both,gnu}
I don't know what this has to do with security.
However, isn't it time to use "gnu" now for all users? Except for
very strange binary-only code it should not cause any problems.
The majority of users would not notice a difference but would profit
from smaller binaries.
> * -Wl,--as-needed
The impact on security is at most rather implicit, if at all.
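As an added illustration that is not part of the thread: the linker flags discussed above leave visible markers in the ELF headers (a PT_GNU_RELRO segment for -z relro, a BIND_NOW dynamic flag for -z now, and a PT_GNU_STACK segment without PF_X for -z noexecstack), so a filtered package or the -flto stack-marker bug can be caught by inspecting the built binary. The checker below parses those headers directly (ELF64 little-endian only, an assumption of this example) and is exercised on a constructed minimal image rather than a real binary.

```python
import struct

# ELF constants the checker inspects (values from the ELF gABI and GNU extensions)
PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 2, 0x6474E551, 0x6474E552
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def check_hardening(elf: bytes) -> dict:
    """Report RELRO, BIND_NOW and executable-stack state of an ELF64 little-endian image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian images are supported")
    phoff = struct.unpack_from("<Q", elf, 32)[0]
    phentsize, phnum = struct.unpack_from("<HH", elf, 54)
    # No PT_GNU_STACK marker at all means an executable stack: the -flto symptom from the mail
    result = {"relro": False, "bind_now": False, "execstack": True}
    dyn_off = dyn_size = 0
    for i in range(phnum):
        p_type, p_flags, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", elf, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:          # produced by -Wl,-z,relro
            result["relro"] = True
        elif p_type == PT_GNU_STACK:        # -Wl,-z,noexecstack clears PF_X here
            result["execstack"] = bool(p_flags & PF_X)
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from("<qQ", elf, off)
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            result["bind_now"] = True       # produced by -Wl,-z,now
    return result

def build_elf(relro: bool, bind_now: bool, execstack: bool, gnu_stack: bool = True) -> bytes:
    """Constructed sample: a minimal ELF64 image carrying only the headers the checker reads."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, 0x6)]
    if gnu_stack:
        phdrs.append((PT_GNU_STACK, 0x6 | (PF_X if execstack else 0)))
    if relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    dyn_off = 64 + 56 * len(phdrs)   # dynamic section follows the program headers
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, dyn_off if t == PT_DYNAMIC else 0, 0, 0,
                                len(dyn) if t == PT_DYNAMIC else 0,
                                len(dyn) if t == PT_DYNAMIC else 0, 8) for t, f in phdrs)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return ehdr + body + dyn
```

Feeding `check_hardening` the bytes of a real installed binary reports the same three fields, which is enough to spot a package where -z now was filtered or where the stack marker went missing.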