To: gentoo-dev@lists.gentoo.org
From: Martin Vaeth
Subject: [gentoo-dev] Re: Improve the security of the default profile
Date: Sat, 7 Sep 2013 18:10:42 +0000 (UTC)
References: <2258190.ks74ypJstN@devil> <20130907112513.3b7c585c@caribou.gateway.2wire.net>
User-Agent: slrn/pre1.0.0-26 (Linux)

Ryan Hill wrote:
> > * -fstack-protector{-all}
> No thank you. -fstack-protector has very limited coverage

I'd say it covers most cases where bugs can be made, practically
without a severe impact on execution time or code size.
In contrast, -fstack-protector-all should be left to hardened, since
its impact is unacceptable to e.g. multimedia systems - the protection
is probably over-the-top for normal users.
I'd vote for enabling -fstack-protector by default: I have been using
it for many years (though I do not use the hardened profile, since
-fstack-protector-all had too much of a performance impact for me).

> -fstack-protector-strong

One can later still change to this when >=gcc-4.9 is available in
stable.

> * -Wl,-z,relro
> Enabled by default since binutils 2.18

This has its real impact on security only when combined with

* -Wl,-z,now

The latter is not enabled by default AFAIK.
The latter can slightly decrease load times, but repeated starting is
usually even faster with it. Thus, the performance impact is somewhat
balanced, but it increases security slightly (though it would need a
good expert to exploit the problems when it is not used).
I strongly suggest using -Wl,-z,now (and filtering it on some packages
which won't work with it, like xorg drivers).
I have also been using this flag for many years (filtering certain
packages; if desired, I can post a list).

I would like to suggest another flag as well:

* -Wl,-z,noexecstack

This should be the default, but e.g. some broken gcc versions forgot
this default when using -flto. I have been using this flag since I
realized this -flto bug and never had any problems with it.

> * -Wl,--hash-style={both,gnu}

I don't know what this has to do with security. However, isn't it time
to use "gnu" now for all users? Except for very strange binary-only
code it should not cause any problems. The majority of users would not
notice a difference but would profit from smaller binaries.

> * -Wl,--as-needed

The impact on security is at most rather implicit, if at all.
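Added example, not part of Martin's mail or of the Gentoo profiles: a small Python checker that reads the ELF program headers and dynamic section of a binary and reports whether the linker flags discussed above actually took effect, i.e. whether the stack is non-executable (-Wl,-z,noexecstack gives a PT_GNU_STACK segment without PF_X), whether a PT_GNU_RELRO segment exists (-Wl,-z,relro), whether the dynamic section requests immediate binding (-Wl,-z,now sets DT_FLAGS/DF_BIND_NOW and DT_FLAGS_1/DF_1_NOW), and which symbol hash table the object carries (--hash-style). The constants are the standard ELF values; `build_sample_elf` is a constructed fixture that emits a minimal header-only ELF64 image so the check can be exercised offline, it is not a compiled program. Stack-protector use is not visible in these headers (it would need a symbol lookup for `__stack_chk_fail`), so it is out of scope here.

```python
"""Check an ELF64 binary for the linker hardening flags discussed on the list."""
import struct
import sys

# Standard ELF constants (ELF specification / GNU toolchain headers).
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_HASH, DT_BIND_NOW, DT_FLAGS = 0, 4, 24, 30
DT_GNU_HASH, DT_FLAGS_1 = 0x6FFFFEF5, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def check_hardening(data: bytes) -> dict:
    """Report which protections the program headers and dynamic section request."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("this example only handles little-endian ELF64")
    hdr = EHDR.unpack_from(data, 0)
    phoff, phentsize, phnum = hdr[5], hdr[9], hdr[10]
    stack_flags, relro, dyn_tags = None, False, {}
    for i in range(phnum):
        p_type, p_flags, p_offset, _va, _pa, p_filesz, *_ = PHDR.unpack_from(
            data, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic entries up to DT_NULL.
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val
    # A missing PT_GNU_STACK makes the loader fall back to an executable stack,
    # which is exactly the -flto regression the mail describes.
    nx_stack = stack_flags is not None and not (stack_flags & PF_X)
    bind_now = (DT_BIND_NOW in dyn_tags
                or bool(dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW)
                or bool(dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    has_sysv, has_gnu = DT_HASH in dyn_tags, DT_GNU_HASH in dyn_tags
    hash_style = {(True, True): "both", (False, True): "gnu",
                  (True, False): "sysv"}.get((has_sysv, has_gnu), "none")
    return {
        "nx_stack": nx_stack,             # -Wl,-z,noexecstack
        "relro": relro,                   # -Wl,-z,relro (partial RELRO)
        "bind_now": bind_now,             # -Wl,-z,now
        "full_relro": relro and bind_now, # both together: GOT is read-only after load
        "hash_style": hash_style,         # -Wl,--hash-style=...
    }


def build_sample_elf(execstack: bool, relro: bool, bind_now: bool,
                     hash_style: str = "gnu") -> bytes:
    """Constructed fixture: a header-only ELF64 image with the requested properties."""
    dyn = []
    if hash_style in ("sysv", "both"):
        dyn.append((DT_HASH, 0))
    if hash_style in ("gnu", "both"):
        dyn.append((DT_GNU_HASH, 0))
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in dyn)
    phnum = 2 + (1 if relro else 0)
    dyn_off = EHDR.size + phnum * PHDR.size
    phdrs = [
        PHDR.pack(PT_DYNAMIC, PF_R | PF_W, dyn_off, 0, 0,
                  len(dyn_bytes), len(dyn_bytes), 8),
        PHDR.pack(PT_GNU_STACK, PF_R | PF_W | (PF_X if execstack else 0),
                  0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, PF_R, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr = EHDR.pack(ident, 3, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    return ehdr + b"".join(phdrs) + dyn_bytes


if __name__ == "__main__":
    # Usage: python elfcheck.py /path/to/binary  (checks the sample fixture if no path given)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_elf(execstack=False, relro=True, bind_now=True)
    for key, value in check_hardening(blob).items():
        print(f"{key:12} {value}")
```

On a real system the same facts can be confirmed with `readelf -lW` (look for the GNU_STACK and GNU_RELRO entries) and `readelf -dW` (look for BIND_NOW, FLAGS/FLAGS_1 and HASH/GNU_HASH); the checker above reproduces that reading in code so it can be run across a whole tree of installed binaries.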