From: ng0
Subject: Re: hardening
Date: Thu, 22 Mar 2018 13:16:31 +0000
Message-ID: <20180322131631.ahw5pfqeshoseq2u@abyayala>
In-Reply-To: <20180311143637.5cmjcqr6ugkznxsk@abyayala>
References: <87a7wwesx2.fsf@abyayala.i-did-not-set--mail-host-address--so-tickle-me> <871si6w76r.fsf@gmail.com> <20180311133732.ojqacszx2mckvdim@abyayala> <20180311134059.mwy6flojzvxxnnah@abyayala> <878tayu2ri.fsf@elephly.net> <20180311143637.5cmjcqr6ugkznxsk@abyayala>
To: guix-devel@gnu.org
List-Id: "Development of GNU Guix and the GNU System distribution."

Let's keep this thread as the thread to discuss possible solutions and work in that field.
Yesterday Marius wrote on IRC (https://gnunet.org/bot/log/guix/2018-03-21#T1657250):

  [ ] This is a pretty good article about build flags (mainly hardening related): https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-...
  [ ] It would be great to have a "#:hardening?" option with additional provisions for specific flags.

The link in full: https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/

Nix has a functionality to disable hardening: https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=harden&type=
For example, visible here: https://github.com/NixOS/nixpkgs/commit/f5b04628f00e98e4c757466ab6be2c125d89feeb

I have some more notes on Gentoo I'll add next month.

Food for thought: if we go all in, we might have to recompile the bootstrap binaries.

The keyword #:hardening-flags is a good entry for manually fixing packages up to the point where they work with hardened flags. The caveat is that not everything will work well, or even at all, with hardened flags and toolchain. So we are presented with 2 options:

1) Selectively harden what is possible through the keyword mentioned above, or
2) harden by default and switch off flags through something like #:hardening-exclude, which would default to the empty list and otherwise would remove the elements in its list from the list of flags.

Further thoughts: #:hardened? could be a simple check so that package graphs which are not hardened are possible. We would default to #t; off would be #f, obviously.

My work in progress so far is to work this into the gnu-build-system, which seemed like a good starting point. I'm in favor of option 2 coupled with the keyword to disable hardening altogether.

WDYT?

--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
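As an added sketch (not Guix code and not part of ng0's message) of what option 2 could look like inside a gnu-build-system phase: hardened by default, #:hardening-exclude subtracting named flags, #:hardened? switching everything off. The default flag list is an assumption drawn from the Red Hat article's recommendations, and the phase name set-hardening-flags is hypothetical.

```scheme
;; Added example (not Guix code): option 2 from the message modelled as a
;; build phase.  The default flag set is an assumption based on the Red Hat
;; article's recommendations; `set-hardening-flags' is a hypothetical name.
(use-modules (srfi srfi-1)
             (srfi srfi-26)
             (ice-9 match))

;; Defaults grouped by the variable they are exported through.
;; Caveat: -D_FORTIFY_SOURCE=2 only takes effect at -O1 or higher, and
;; -fPIE/-pie is the usual first candidate for #:hardening-exclude.
(define %default-hardening-flags
  '((cflags  "-D_FORTIFY_SOURCE=2" "-D_GLIBCXX_ASSERTIONS"
             "-fstack-protector-strong" "-fstack-clash-protection"
             "-fPIE" "-Werror=format-security")
    (ldflags "-Wl,-z,relro" "-Wl,-z,now" "-Wl,-z,defs" "-pie")))

(define* (hardening-flags #:key (hardened? #t) (hardening-exclude '()))
  "Return ((cflags . FLAGS) (ldflags . FLAGS)) with every flag named in
HARDENING-EXCLUDE removed, or empty flag lists when HARDENED? is #f."
  (if hardened?
      (map (match-lambda
             ((group . flags)
              (cons group (remove (cut member <> hardening-exclude) flags))))
           %default-hardening-flags)
      '((cflags) (ldflags))))

(define* (set-hardening-flags #:key (hardened? #t) (hardening-exclude '())
                              #:allow-other-keys)
  "Build phase: append the selected flags to CFLAGS, CXXFLAGS and LDFLAGS,
keeping whatever the build environment already holds in those variables."
  (define (append-env! var flags)
    (unless (null? flags)
      (setenv var (string-join (append (or (and=> (getenv var) list) '())
                                       flags)))))
  (match (hardening-flags #:hardened? hardened?
                          #:hardening-exclude hardening-exclude)
    ((('cflags . cflags) ('ldflags . ldflags))
     (append-env! "CFLAGS" cflags)
     (append-env! "CXXFLAGS" cflags)
     (append-env! "LDFLAGS" ldflags)))
  #t)

;; A package that cannot be built position-independent keeps every other
;; flag; a bootstrap-style package opts out of hardening entirely.
(set-hardening-flags #:hardening-exclude '("-fPIE" "-pie"))
(set-hardening-flags #:hardened? #f)
```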