guix-devel

Re: Hardening


From: Alex Vong
Subject: Re: Hardening
Date: Sun, 21 Aug 2016 00:45:05 +0800
User-agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)

ng0 <address@hidden> writes:

> Alex Vong <address@hidden> writes:
>
>> Hi,
>>
>> Wow, this was a long time ago. I've forgotten this completely.
>>
>> Ricardo Wurmus <address@hidden> writes:
>>
>>> Leo Famulari <address@hidden> writes:
>>>
>>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>>> Alex Vong <address@hidden> skribis:
>>>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>>>> > matches are found. It appears no packages are setting this flag
>>>>> > currently. I think this flag (perhaps also a couple others) should be
>>>>> > set by default since they help protect against buffer overflow
>>>>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>>>> 
>>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>> 
>>>>> The question is more how.  Do we change the default #:configure-flags
>>>>> for ‘gnu-build-system’ to something like:
>>>>> 
>>>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>> 
>>>>> ?
>>>>> 
>>>>> That sounds like a good starting point, but I expect that (1) one third
>>>>> of the packages will fail to build, and (2) another third of the
>>>>> packages will not get these flags, for instance because they pass their
>>>>> own #:configure-flags.
>>>>> 
>>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>>> and to fix any issues.
>>>>> 
>>>>> Would you like to start working on it?  Then we could create a branch,
>>>>> have Hydra build it, and incrementally fix things.
>>>>
>>>> We should pick this project back up. I was surprised to find we haven't
>>>> done anything like this after reading this recent blog post about Nix's
>>>> hardening effort:
>>>>
>>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>>
>>> Are the above flags the only flags we’d like to play with?  There’s no
>>> harm in letting hydra rebuild the world with these flags on a separate
>>> branch — provided that all build nodes are usable.
>>>
>> There are indeed additional flags (for Debian's hardening).
>>
>>
>> Here is the complete output (from the testing distribution):
>>
>> address@hidden:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
>> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
>> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong
>> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
>> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE
>> -fstack-protector-strong -Wformat -Werror=format-security
>>
>>
>> The `-fdebug-prefix-map' flag seems to be using the current working
>> directory.
>>
>>> ~~ Ricardo
>>
>> Cheers,
>> Alex
>>
>
> I think there's even more, I can add to this thread when I have access
> to my hardened vm systems again.
>
Yes, I think people running Guix on top of another distro can tell how
their distro does the hardening, so we can see what the existing
practices are.

> Good to see that this is being picked up again.
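As an added example (not code from this thread, Guix or Debian), a small Python checker that reads the markers the Debian LDFLAGS quoted above leave in a built binary: ET_DYN for -pie, a PT_GNU_RELRO segment for -z relro, and DT_BIND_NOW / DF_BIND_NOW / DF_1_NOW for -z now. It assumes a little-endian ELF64 file and builds its own header-only sample images; it does not look for the __stack_chk_fail or *_chk symbols that -fstack-protector-strong and _FORTIFY_SOURCE leave in the symbol table.

```python
# Added example, not Guix or Debian code: read the markers that the Debian
# "LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now" leave in a little-endian ELF64 file.
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000
ET_EXEC, ET_DYN = 2, 3

def check_elf64(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW for one ELF64 image held in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    relro, bind_now, flags, flags1 = False, False, 0, 0
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:      # -z relro: GOT made read-only after relocation
            relro = True
        elif p_type == PT_DYNAMIC:      # -z now leaves a tag or a flag in the dynamic section
            for off in range(p_off, p_off + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW:
                    bind_now = True
                elif tag == DT_FLAGS:
                    flags = val
                elif tag == DT_FLAGS_1:
                    flags1 = val
    bind_now = bind_now or bool(flags & DF_BIND_NOW) or bool(flags1 & DF_1_NOW)
    # ET_DYN marks PIE executables (and shared objects); newer linkers also set DF_1_PIE.
    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}   # RELRO without -z now is only partial

def build_sample(pie: bool, relro: bool, now: bool) -> bytes:
    """Constructed sample: a header-only ELF64 image carrying the requested markers, no code."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0)) if now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    nph = 2 if relro else 1             # program headers: PT_DYNAMIC and optionally PT_GNU_RELRO
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 64 + nph * 56, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9) + struct.pack(
        "<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0, 64, 56, nph, 64, 0, 0)
    return ehdr + phdrs + dyn
print(check_elf64(build_sample(True, True, True)))   # hardened sample: every key True
```

Run over the outputs of a rebuilt package set, a check like this is one way to find the packages Ludovic expected would not pick up the flags because they pass their own #:configure-flags.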


