From: Ludovic Courtès <ludo@gnu.org>
Subject: Re: Hardening
Date: Fri, 02 Sep 2016 15:08:24 +0200
Message-ID: <87oa46jvp3.fsf@gnu.org>
References: <20151031215617.4df7ce04@debian> <878u6caz6z.fsf@gnu.org> <87k2o2a68b.fsf@gmail.com> <87y4cbsyyh.fsf_-_@gnu.org> <20160816235711.GA24579@jasmine>
In-Reply-To: <20160816235711.GA24579@jasmine> (Leo Famulari's message of "Tue, 16 Aug 2016 19:57:11 -0400")
To: Leo Famulari
Cc: guix-devel@gnu.org

Leo Famulari skribis:

> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>> Alex Vong skribis:
>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>> > matches are found. It appears no packages are setting this flag
>> > currently. I think this flag (perhaps also a couple others) should be
>> > set by default since they help protect against buffer overflow.
>>
>> I definitely agree, that’s something I’ve been wanting to try out.
>>
>> The question is more how.  Do we change the default #:configure-flags
>> for ‘gnu-build-system’ to something like:
>>
>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>
>> ?
>>
>> That sounds like a good starting point, but I expect that (1) one third
>> of the packages will fail to build, and (2) another third of the
>> packages will not get these flags, for instance because they pass their
>> own #:configure-flags.
>>
>> IOW, it will take a whole rebuild to find out exactly what’s going on
>> and to fix any issues.
>>
>> Would you like to start working on it?  Then we could create a branch,
>> have Hydra build it, and incrementally fix things.
>
> We should pick this project back up. I was surprised to find we haven't
> done anything like this after reading this recent blog post about Nix's
> hardening effort:
>
> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter

Definitely!

As discussed on IRC, an option would be to add a keyword parameter to
‘gnu-build-system’:

  #:hardening-flags '(fortify stack-protector)

Then ‘configure’ in (guix build gnu-build-system) would translate that
into CPPFLAGS and CFLAGS options for ‘configure’, as shown above.

The main difficulty with this is that many packages will break.  Thus,
if we make it opt-out, we’ll have to fix packages one by one.  It seems
unavoidable though.

Thoughts?

Ludo’.
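The message above sketches two things: translating a `#:hardening-flags` list into CPPFLAGS/CFLAGS arguments for `configure`, and the problem that packages passing their own `#:configure-flags` would silently miss those flags. The Guile snippet below is an added example written for this thread; it is not Ludovic's code and not part of Guix. The procedure names `hardening-flags->variables` and `merge-hardening-flags`, the `%hardening-options` table and the exact option strings are assumptions for illustration. Rather than replacing an existing `CFLAGS=...` entry, it appends the hardening options to it, so a package with custom flags still gets hardened.

```scheme
;; Added example, not Guix code.  Maps a #:hardening-flags list such as
;; '(fortify stack-protector) onto configure arguments and merges them with
;; the #:configure-flags a package already passes.

(use-modules (srfi srfi-1)          ; fold, alist-delete
             (ice-9 match))

;; (feature . (VARIABLE . OPTION)); the two features named in the thread.
;; The table and its contents are an assumption for this example.
(define %hardening-options
  '((fortify         . ("CPPFLAGS" . "-D_FORTIFY_SOURCE=2"))
    (stack-protector . ("CFLAGS"   . "-fstack-protector-strong"))))

(define (hardening-flags->variables flags)
  "Return an alist mapping variable names (\"CFLAGS\", ...) to the list of
options FLAGS require.  Unknown flags are an error rather than silently
dropped, so a typo in a package definition cannot disable hardening."
  (fold (lambda (flag result)
          (match (assq-ref %hardening-options flag)
            ((variable . option)
             (let ((existing (or (assoc-ref result variable) '())))
               (cons (cons variable (append existing (list option)))
                     (alist-delete variable result))))
            (#f (error "unknown hardening flag" flag))))
        '()
        flags))

(define (merge-hardening-flags configure-flags hardening-flags)
  "Return CONFIGURE-FLAGS augmented with HARDENING-FLAGS.  An existing
\"VAR=value\" entry gets the hardening options appended (the package's own
value is preserved); a variable nobody set yet gets a fresh entry."
  (define variables (hardening-flags->variables hardening-flags))

  (define (split-assignment flag)
    ;; "CFLAGS=-O2 -g" -> ("CFLAGS" . "-O2 -g"); "--disable-foo" -> #f
    (let ((index (string-index flag #\=)))
      (and index
           (cons (substring flag 0 index)
                 (substring flag (+ 1 index))))))

  (let loop ((flags configure-flags)
             (pending variables)
             (result '()))
    (match flags
      (()
       ;; Anything still pending was never set by the package: add it.
       (append (reverse result)
               (map (match-lambda
                      ((variable . options)
                       (string-append variable "=" (string-join options))))
                    pending)))
      ((flag . rest)
       (match (split-assignment flag)
         ((variable . value)
          (match (assoc-ref pending variable)
            (#f (loop rest pending (cons flag result)))
            (options
             (loop rest
                   (alist-delete variable pending)
                   (cons (string-append variable "=" value " "
                                        (string-join options))
                         result)))))
         (#f (loop rest pending (cons flag result))))))))

;; Usage: a package that passes its own CFLAGS keeps them and gains
;; -fstack-protector-strong; CPPFLAGS is added because it was absent.
(write (merge-hardening-flags '("--disable-static" "CFLAGS=-O2 -g")
                              '(fortify stack-protector)))
(newline)
```

The check worth keeping from this is the `#f` branch in `hardening-flags->variables`: making an unknown feature name an error means a mistyped `#:hardening-flags` fails the build visibly instead of producing an unhardened binary that looks fine.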