From: Alex Vong
Subject: Re: Hardening
Date: Wed, 17 Aug 2016 21:48:51 +0800
Message-ID: <8760qzy08s.fsf@gmail.com>
References: <20151031215617.4df7ce04@debian> <878u6caz6z.fsf@gnu.org> <87k2o2a68b.fsf@gmail.com> <87y4cbsyyh.fsf_-_@gnu.org> <20160816235711.GA24579@jasmine> <871t1n99fj.fsf@elephly.net>
In-Reply-To: <871t1n99fj.fsf@elephly.net> (Ricardo Wurmus's message of "Wed, 17 Aug 2016 08:49:36 +0200")
To: Ricardo Wurmus
Cc: guix-devel@gnu.org

Hi,

Wow, this was a long time ago. I had completely forgotten about this.

Ricardo Wurmus writes:

> Leo Famulari writes:
>
>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>> Alex Vong writes:
>>>
>>> > Yes, I grepped for `fstack-protector-strong' in the guix code base and no
>>> > matches are found. It appears no packages are setting this flag
>>> > currently. I think this flag (perhaps also a couple of others) should be
>>> > set by default since they help protect against buffer overflow.
>>>
>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>
>>> The question is more how. Do we change the default #:configure-flags
>>> for ‘gnu-build-system’ to something like:
>>>
>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>
>>> ?
>>>
>>> That sounds like a good starting point, but I expect that (1) one third
>>> of the packages will fail to build, and (2) another third of the
>>> packages will not get these flags, for instance because they pass their
>>> own #:configure-flags.
>>>
>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>> and to fix any issues.
>>>
>>> Would you like to start working on it? Then we could create a branch,
>>> have Hydra build it, and incrementally fix things.
>>
>> We should pick this project back up. I was surprised to find we haven't
>> done anything like this after reading this recent blog post about Nix's
>> hardening effort:
>>
>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>
> Are the above flags the only flags we’d like to play with? There’s no
> harm in letting hydra rebuild the world with these flags on a separate
> branch — provided that all build nodes are usable.
>

There are indeed additional flags (for Debian's hardening). Here is the
complete output (from the testing distribution):

alexvong1995@debian:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security

The `-fdebug-prefix-map' flag seems to be using the current working
directory.

> ~~ Ricardo

Cheers,
Alex
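Ludovic's point (2) above, that a share of packages will not get the flags because they pass their own #:configure-flags, is the failure mode a rebuild does not surface on its own: a package that builds fine without the flags looks exactly like one that builds fine with them. The script below is an added example, not code from this thread, from Guix, or from Debian's dpkg-dev. It inspects a linked ELF binary with binutils' readelf and reports whether the hardening the flags quoted above are meant to add is actually present: -fstack-protector-strong (an undefined reference to __stack_chk_fail), -D_FORTIFY_SOURCE=2 (glibc-style __*_chk replacements), -fPIE -pie (ELF type DYN together with a PT_INTERP segment) and -Wl,-z,relro -Wl,-z,now (a GNU_RELRO segment plus BIND_NOW). It assumes a glibc or musl toolchain, since the symbol names are theirs, and a readelf in PATH; the function names are my own.

```sh
#!/bin/sh
# hardening-check.sh: report which compiler/linker hardening features an ELF
# binary actually carries. Added example, not part of the guix-devel thread.
# Assumes binutils' readelf and a glibc- or musl-style libc (symbol names).

set -eu

# -fstack-protector-strong: every function that gets a canary calls
# __stack_chk_fail on mismatch, so the symbol shows up as an undefined
# (or, in a static binary, defined) symbol. A binary with no protected
# functions at all legitimately has no reference.
has_stack_protector() {
    readelf -W -s "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# -D_FORTIFY_SOURCE=2 (with -O1 or higher): glibc headers rewrite str*/mem*/
# printf-family calls whose destination size is known at compile time into
# __*_chk variants. The pattern requires the name to end in _chk so that
# __stack_chk_fail / __stack_chk_guard are not counted as fortify.
has_fortify() {
    readelf -W -s "$1" 2>/dev/null | grep -Eq '__[a-z0-9_]+_chk(@|[[:space:]]|$)'
}

# -fPIE -pie: ELF type DYN plus a PT_INTERP segment. A shared library is
# also DYN but has no interpreter; EXEC is a fixed-address executable.
pie_status() {
    elf_type=$(readelf -W -h "$1" 2>/dev/null | sed -n 's/^ *Type: *\([A-Z]*\).*/\1/p')
    case "$elf_type" in
        DYN)
            if readelf -W -l "$1" 2>/dev/null | grep -q 'INTERP'; then
                echo yes
            else
                echo shared-object
            fi ;;
        EXEC) echo no ;;
        *)    echo unknown ;;
    esac
}

# -Wl,-z,relro alone gives a GNU_RELRO segment (partial RELRO: GOT still
# writable for lazy binding). Adding -Wl,-z,now sets BIND_NOW, so the whole
# GOT is resolved before it is made read-only (full RELRO).
relro_status() {
    if ! readelf -W -l "$1" 2>/dev/null | grep -q 'GNU_RELRO'; then
        echo none
    elif readelf -W -d "$1" 2>/dev/null | grep -Eq 'BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo full
    else
        echo partial
    fi
}

# One line per binary, in key=value form so it can be grepped or diffed
# across a rebuild.
hardening_report() {
    f=$1
    if has_stack_protector "$f"; then sp=yes; else sp=no; fi
    if has_fortify "$f"; then fo=yes; else fo=no; fi
    printf '%s: stack_protector=%s fortify=%s pie=%s relro=%s\n' \
        "$f" "$sp" "$fo" "$(pie_status "$f")" "$(relro_status "$f")"
}

# Usage: sh hardening-check.sh /path/to/bin/* /path/to/lib/*.so
for f in "$@"; do
    hardening_report "$f"
done
```

Run it over the outputs of a build (the bin/ and lib/ directories of the store item, in Guix terms) rather than trusting the flags that were passed in: a package whose configure script or Makefile overwrites CFLAGS comes out as stack_protector=no pie=no relro=none even though the build succeeded. Two caveats when reading the report: a program with no function that has a local array or address-taken local will have no canary under -fstack-protector-strong and so shows stack_protector=no, and fortify only produces __*_chk calls where the destination size is known at compile time, so a tiny program can show fortify=no even though -D_FORTIFY_SOURCE=2 was in effect.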