From: ng0
Subject: Re: Hardening
Date: Wed, 17 Aug 2016 20:28:43 +0000
Message-ID: <87mvkbw35w.fsf@we.make.ritual.n0.is>
References: <20151031215617.4df7ce04@debian> <878u6caz6z.fsf@gnu.org> <87k2o2a68b.fsf@gmail.com> <87y4cbsyyh.fsf_-_@gnu.org> <20160816235711.GA24579@jasmine> <871t1n99fj.fsf@elephly.net> <8760qzy08s.fsf@gmail.com>
In-Reply-To: <8760qzy08s.fsf@gmail.com>
List-Id: "Development of GNU Guix and the GNU System distribution."
To: Alex Vong, Ricardo Wurmus
Cc: guix-devel@gnu.org

Alex Vong writes:

> Hi,
>
> Wow, this was a long time ago. I've forgotten this completely.
>
> Ricardo Wurmus writes:
>
>> Leo Famulari writes:
>>
>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>> Alex Vong writes:
>>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>>> > matches are found. It appears no packages are setting this flag
>>>> > currently. I think this flag (perhaps also a couple others) should be
>>>> > set by default since they help protect against buffer overflow.
>>>>
>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>
>>>> The question is more how. Do we change the default #:configure-flags
>>>> for ‘gnu-build-system’ to something like:
>>>>
>>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>
>>>> ?
>>>>
>>>> That sounds like a good starting point, but I expect that (1) one third
>>>> of the packages will fail to build, and (2) another third of the
>>>> packages will not get these flags, for instance because they pass their
>>>> own #:configure-flags.
>>>>
>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>> and to fix any issues.
>>>>
>>>> Would you like to start working on it? Then we could create a branch,
>>>> have Hydra build it, and incrementally fix things.
>>>
>>> We should pick this project back up. I was surprised to find we haven't
>>> done anything like this after reading this recent blog post about Nix's
>>> hardening effort:
>>>
>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>
>> Are the above flags the only flags we’d like to play with? There’s no
>> harm in letting hydra rebuild the world with these flags on a separate
>> branch — provided that all build nodes are usable.
>>
> There are indeed additional flags (for Debian's hardening).
>
> Here is the complete output (from the testing distribution):
>
> alexvong1995@debian:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>
> The `-fdebug-prefix-map' flag seems to be using the current working
> directory.
>
>> ~~ Ricardo
>
> Cheers,
> Alex

I think there's even more; I can add to this thread when I have access to
my hardened VM systems again.

Good to see that this is being picked up again.

-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
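Ludovic's worry above is that a share of packages will silently not receive the flags, so a rebuild needs a way to verify each output. As an added example that is neither part of this thread nor Guix's own code, here is a small Python checker that reads an ELF64 binary's program headers and dynamic section to report which of the quoted properties actually reached the link (PIE, RELRO, BIND_NOW, stack protector, FORTIFY), together with a constructed sample image so it runs offline; `check_hardening` and `sample_elf` are my own names, not anything from Guix or dpkg-buildflags.

```python
import struct

# ELF64 constants (ELF gABI / glibc); only the fields the checks below need.
PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO, ET_DYN = 1, 2, 3, 0x6474E552, 3
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

def check_hardening(data):
    """Report which hardening properties an ELF64 image (open(p, 'rb').read()) carries."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not a 64-bit ELF image")
    en = "<" if data[5] == 1 else ">"                        # EI_DATA: little or big endian
    e_type, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(en + "HHIQQQIHHH", data, 16)
    # Program headers as (type, flags, offset, vaddr, paddr, filesz) tuples.
    ph = [struct.unpack_from(en + "IIQQQQ", data, phoff + i * phentsize) for i in range(phnum)]
    types = {p[0] for p in ph}
    strtab_va, strsz, bind_now, pie_flag = 0, 0, False, False
    for p in [q for q in ph if q[0] == PT_DYNAMIC]:          # walk the dynamic section
        for pos in range(p[2], p[2] + p[5], 16):
            tag, val = struct.unpack_from(en + "qQ", data, pos)
            if tag == DT_NULL:
                break
            strtab_va = val if tag == DT_STRTAB else strtab_va
            strsz = val if tag == DT_STRSZ else strsz
            bind_now |= tag == DT_BIND_NOW or bool(tag == DT_FLAGS and val & DF_BIND_NOW) \
                or bool(tag == DT_FLAGS_1 and val & DF_1_NOW)                # -Wl,-z,now
            pie_flag |= bool(tag == DT_FLAGS_1 and val & DF_1_PIE)
    # Find the dynamic string table through the PT_LOAD that maps it and read the imported
    # names: -fstack-protector* pulls in __stack_chk_fail, -D_FORTIFY_SOURCE=2 turns libc
    # calls into __*_chk variants (only visible when the program uses such functions).
    names = []
    for p in [q for q in ph if q[0] == PT_LOAD and q[3] <= strtab_va < q[3] + q[5]]:
        start = p[2] + strtab_va - p[3]
        names = data[start:start + strsz].split(b"\0")
    return {"pie": e_type == ET_DYN and (PT_INTERP in types or pie_flag),   # -fPIE -pie
            "relro": PT_GNU_RELRO in types,                                  # -Wl,-z,relro
            "bind_now": bind_now,
            "stack_protector": b"__stack_chk_fail" in names,
            "fortify": any(n.endswith(b"_chk") and n != b"__stack_chk_fail" for n in names)}

def sample_elf(hardened):
    """Constructed input, not a real program: minimal ELF64 image as a hardened or plain link leaves it."""
    names = b"\0libc.so.6\0" + (b"__stack_chk_fail\0__printf_chk\0" if hardened else b"printf\0")
    phnum = 4 if hardened else 3
    st_off = 64 + 56 * phnum                                 # string table follows the headers
    dyn = [(DT_STRTAB, st_off), (DT_STRSZ, len(names))] \
        + ([(DT_FLAGS_1, DF_1_NOW | DF_1_PIE)] if hardened else []) + [(DT_NULL, 0)]
    dyn_off, dyn_sz = st_off + len(names), 16 * len(dyn)
    def ph(t, off, size):                                    # one program header, vaddr == file offset
        return struct.pack("<IIQQQQQQ", t, 0, off, off, off, size, size, 8)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(  # ET_DYN (PIE) or ET_EXEC, x86-64
        "<HHIQQQIHHHHHH", ET_DYN if hardened else 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = ph(PT_LOAD, 0, dyn_off + dyn_sz) + ph(PT_INTERP, 1, 9) + ph(PT_DYNAMIC, dyn_off, dyn_sz)
    phdrs += ph(PT_GNU_RELRO, dyn_off, dyn_sz) if hardened else b""
    return ehdr + phdrs + names + b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
```

Running `check_hardening(open(path, "rb").read())` over every executable in a build output is the per-package check a branch rebuild needs; note that a missing `__stack_chk_fail` or `__*_chk` import only proves absence of the flag when the program actually has functions the flag would instrument.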