From: Alex Vong
Subject: Re: Hardening
Date: Sun, 21 Aug 2016 00:45:05 +0800
Message-ID: <8737lz1jam.fsf@gmail.com>
In-Reply-To: <87mvkbw35w.fsf@we.make.ritual.n0.is> (ng0@we.make.ritual.n0.is's message of "Wed, 17 Aug 2016 20:28:43 +0000")
To: ng0
Cc: guix-devel@gnu.org

ng0 writes:

> Alex Vong writes:
>
>> Hi,
>>
>> Wow, this was a long time ago. I've forgotten this completely.
>>
>> Ricardo Wurmus writes:
>>
>>> Leo Famulari writes:
>>>
>>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>>> Alex Vong skribis:
>>>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>>>> > matches are found. It appears no packages are setting this flag
>>>>> > currently. I think this flag (perhaps also a couple others) should be
>>>>> > set by default since they help protect against buffer overflow.
>>>>>
>>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>>
>>>>> The question is more how. Do we change the default #:configure-flags
>>>>> for ‘gnu-build-system’ to something like:
>>>>>
>>>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>>
>>>>> ?
>>>>>
>>>>> That sounds like a good starting point, but I expect that (1) one third
>>>>> of the packages will fail to build, and (2) another third of the
>>>>> packages will not get these flags, for instance because they pass their
>>>>> own #:configure-flags.
>>>>>
>>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>>> and to fix any issues.
>>>>>
>>>>> Would you like to start working on it? Then we could create a branch,
>>>>> have Hydra build it, and incrementally fix things.
>>>>
>>>> We should pick this project back up. I was surprised to find we haven't
>>>> done anything like this after reading this recent blog post about Nix's
>>>> hardening effort:
>>>>
>>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>>
>>> Are the above flags the only flags we’d like to play with? There’s no
>>> harm in letting hydra rebuild the world with these flags on a separate
>>> branch — provided that all build nodes are usable.
>>>
>> There are indeed additional flags (for debian's hardening).
>>
>> Here is the complete output (from the testing distribution):
>>
>> alexvong1995@debian:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
>> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>>
>> The `-fdebug-prefix-map' flag seems to be using the current working
>> directory.
>>
>>> ~~ Ricardo
>>
>> Cheers,
>> Alex
>>
>
> I think there's even more, I can add to this thread when I have access
> to my hardened vm systems again.
>
Yes, I think people running guix on top of another distro can tell how
their distro does the hardening, so we can see what the existing
practices are.

> Good to see that this is being picked up again.
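The thread raises two practical questions: which hardening features a given flag set actually turns on, and how a package that passes its own flags can silently lose them. The script below is an added example written for this page; it is not Guix, Debian or dpkg-buildflags code. It parses dpkg-buildflags-style `VAR=value` lines (the quoted output above is embedded as constructed sample input), expands `-Wl,` arguments to what the linker sees, and applies the GCC/ld rule that the last of two conflicting flags wins, so `-fno-stack-protector`, `-U_FORTIFY_SOURCE` or `-z lazy` appended by a package's own flags register as a missing feature. It assumes the build system passes CPPFLAGS before CFLAGS; the second sample (`SAMPLE_PACKAGE_OWN_FLAGS`) is constructed to show the override case.

```python
"""Audit a dpkg-buildflags-style flag set for the hardening features named in
this thread.  Added example, not Guix or Debian code.  Assumptions: CPPFLAGS
are passed before CFLAGS (so a later -U_FORTIFY_SOURCE in CFLAGS wins), and
the usual GCC/ld rule that the last of two conflicting flags takes effect."""
import re
import shlex

# Constructed sample: the dpkg-buildflags output quoted in the thread (C-family
# variables only; the Fortran/Java/ObjC lines follow the same pattern).
SAMPLE_BUILDFLAGS = """\
CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
"""

# Constructed sample: a package that supplies its own flags and thereby undoes
# most of the defaults, the second failure mode Ludovic predicts above.
SAMPLE_PACKAGE_OWN_FLAGS = """\
CFLAGS=-O2 -g -fno-stack-protector
CPPFLAGS=-D_FORTIFY_SOURCE=2 -U_FORTIFY_SOURCE
LDFLAGS=-Wl,-z,relro,-z,now -Wl,-z,lazy
"""


def parse_buildflags(text):
    """Parse 'VAR=value' lines into {VAR: [flag, ...]} with shell word splitting."""
    flags = {}
    for line in text.splitlines():
        var, sep, value = line.strip().partition("=")
        if sep and var.isidentifier():
            flags[var] = shlex.split(value)
    return flags


def linker_args(ldflags):
    """Expand '-Wl,a,b' into the argument list the linker actually sees."""
    args = []
    for flag in ldflags:
        args.extend(flag[4:].split(",") if flag.startswith("-Wl,") else [flag])
    return args


def _last_wins(flags, enable, disable):
    """GCC semantics: the last of a conflicting pair of flags takes effect."""
    state = False
    for flag in flags:
        if flag in enable:
            state = True
        elif flag in disable:
            state = False
    return state


def _z_option(ld, on, off):
    """Same rule for linker '-z keyword' pairs (relro/norelro, now/lazy)."""
    state = False
    for a, b in zip(ld, ld[1:]):
        if a == "-z" and b in (on, off):
            state = b == on
    return state


def _fortify_level(flags):
    """_FORTIFY_SOURCE is a macro, so -U or =0 after -D...=2 turns it back off."""
    level = 0
    for flag in flags:
        m = re.fullmatch(r"-D_FORTIFY_SOURCE=(\d)", flag)
        if m:
            level = int(m.group(1))
        elif flag == "-U_FORTIFY_SOURCE":
            level = 0
    return level


def audit(flags):
    """Map each hardening feature from the thread to whether the set enables it."""
    cflags = flags.get("CFLAGS", [])
    cppflags = flags.get("CPPFLAGS", [])
    ld = linker_args(flags.get("LDFLAGS", []))
    return {
        "stack-protector": _last_wins(
            cflags, {"-fstack-protector", "-fstack-protector-strong",
                     "-fstack-protector-all"}, {"-fno-stack-protector"}),
        # Assumption: the build system passes CPPFLAGS before CFLAGS.
        "fortify-source": _fortify_level(cppflags + cflags) >= 2,
        "pie": (_last_wins(cflags, {"-fPIE", "-fpie"}, {"-fno-pie", "-fno-PIE"})
                and _last_wins(ld, {"-pie"}, {"-no-pie"})),
        "relro": _z_option(ld, "relro", "norelro"),
        "bind-now": _z_option(ld, "now", "lazy"),
        "format-security": _last_wins(
            cflags, {"-Werror=format-security"},
            {"-Wno-format-security", "-Wno-error=format-security"}),
    }


def missing_hardening(text):
    """Names of the features a flag text fails to enable, in audit() order."""
    return [name for name, ok in audit(parse_buildflags(text)).items() if not ok]


if __name__ == "__main__":
    for label, text in (("dpkg-buildflags", SAMPLE_BUILDFLAGS),
                        ("package's own flags", SAMPLE_PACKAGE_OWN_FLAGS)):
        print(f"{label}: missing {missing_hardening(text) or 'nothing'}")
```

Run against the quoted dpkg-buildflags output the audit reports nothing missing; run against the constructed package flags it reports everything except RELRO missing, which is the kind of per-package gap a full rebuild on a branch would otherwise only surface through inspecting each build log. The flag-level check is deliberately separate from inspecting the produced binary (e.g. with readelf), since the two disagree exactly when a package's build system drops or reorders the flags it was given.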