Alex Vong <alexvong1...@gmail.com> writes:

> Hi,
>
> Wow, this was a long time ago. I've forgotten this completely.
>
> Ricardo Wurmus <rek...@elephly.net> writes:
>
>> Leo Famulari <l...@famulari.name> writes:
>>
>>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>>> Alex Vong <alexvong1...@gmail.com> wrote:
>>>> > Yes, I grepped for `fstack-protector-strong' in the Guix code base and no
>>>> > matches were found. It appears no packages are setting this flag
>>>> > currently. I think this flag (perhaps also a couple of others) should be
>>>> > set by default since they help protect against buffer overflows
>>>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>>>
>>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>>
>>>> The question is more how. Do we change the default #:configure-flags
>>>> for ‘gnu-build-system’ to something like:
>>>>
>>>>   '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>>>     "CFLAGS=-O2 -g -fstack-protector-strong")
>>>>
>>>> ?
>>>>
>>>> That sounds like a good starting point, but I expect that (1) one third
>>>> of the packages will fail to build, and (2) another third of the
>>>> packages will not get these flags, for instance because they pass their
>>>> own #:configure-flags.
>>>>
>>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>>> and to fix any issues.
>>>>
>>>> Would you like to start working on it? Then we could create a branch,
>>>> have Hydra build it, and incrementally fix things.
>>>
>>> We should pick this project back up. I was surprised to find we haven't
>>> done anything like this after reading this recent blog post about Nix's
>>> hardening effort:
>>>
>>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>>
>> Are the above flags the only flags we’d like to play with? There’s no
>> harm in letting hydra rebuild the world with these flags on a separate
>> branch, provided that all build nodes are usable.
>>
> There are indeed additional flags (for Debian's hardening).
>
> Here is the complete output (from the testing distribution):
>
> alexvong1995@debian:~$ DEB_BUILD_MAINT_OPTIONS=hardening=+all dpkg-buildflags
> CFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2
> CXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> FCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> FFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> GCJFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong
> LDFLAGS=-fPIE -pie -Wl,-z,relro -Wl,-z,now
> OBJCFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
> OBJCXXFLAGS=-g -O2 -fdebug-prefix-map=/home/alexvong1995=. -fPIE -fstack-protector-strong -Wformat -Werror=format-security
>
> The `-fdebug-prefix-map' flag seems to be using the current working
> directory.
>
>> ~~ Ricardo
>
> Cheers,
> Alex
>
I think there are even more; I can add to this thread when I have access to
my hardened VM systems again.

Good to see that this is being picked up again.

-- 
ng0
For non-prism friendly talk find me on http://www.psyced.org
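Ludovic's worry above, that a third of the packages would silently not get the flags, is best answered by looking at the built binaries rather than at the build recipes. The following is an added example, not code from this thread, from Guix or from Debian: a small Python checker that reads the program headers and dynamic section of an ELF64 image and reports what the Debian flag set leaves behind: PIE (ET_DYN), a PT_GNU_RELRO segment from -Wl,-z,relro, DF_BIND_NOW/DF_1_NOW from -Wl,-z,now, an imported __stack_chk_fail from -fstack-protector-strong, and __*_chk imports from -D_FORTIFY_SOURCE=2. The build_sample_elf helper is constructed test data (a synthetic, non-loadable ELF) so the checker can be exercised without a compiler; it only handles 64-bit ELF, and the stack-protector and FORTIFY results are heuristics that say nothing about statically linked binaries.

```python
"""Hardening check for ELF64 binaries: PIE, RELRO, BIND_NOW, stack protector,
FORTIFY.  Added example; not code from the Guix thread, Guix or Debian."""
import struct
import sys

# Constants from <elf.h>
ET_EXEC, ET_DYN = 2, 3
PT_NULL, PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 0, 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_elf(data: bytes) -> dict:
    """Report which hardening properties a 64-bit ELF image exhibits."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("only ELF64 images are handled here")
    e = "<" if data[5] == 1 else ">"          # byte order from e_ident[EI_DATA]
    (e_type,) = struct.unpack_from(e + "H", data, 16)
    (phoff,) = struct.unpack_from(e + "Q", data, 32)
    phentsize, phnum = struct.unpack_from(e + "HH", data, 54)

    loads, dynamic, relro = [], None, False
    for i in range(phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            e + "IIQQQQQQ", data, phoff + i * phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
        elif p_type == PT_GNU_RELRO:            # produced by -Wl,-z,relro
            relro = True

    # Walk the dynamic section for DT_FLAGS/DT_FLAGS_1 and the string table.
    tags = {}
    if dynamic is not None:
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from(e + "qQ", data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val

    # Translate the DT_STRTAB virtual address to a file offset via PT_LOAD.
    names = set()
    if DT_STRTAB in tags and DT_STRSZ in tags:
        for vaddr, off, filesz in loads:
            if vaddr <= tags[DT_STRTAB] < vaddr + filesz:
                start = off + tags[DT_STRTAB] - vaddr
                names = set(data[start:start + tags[DT_STRSZ]].split(b"\0"))
                break

    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW) or \
        bool(tags.get(DT_FLAGS_1, 0) & DF_1_NOW)   # produced by -Wl,-z,now
    return {
        # ET_DYN also covers shared libraries, so "pie" only means something
        # for executables; a statically linked binary has no dynstr at all.
        "pie": e_type == ET_DYN,
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,
        # -fstack-protector-strong makes the binary import __stack_chk_fail.
        "stack_protector": b"__stack_chk_fail" in names,
        # -D_FORTIFY_SOURCE=2 rewrites calls to __*_chk variants, but only
        # where glibc knows the buffer size, so absence is not conclusive.
        "fortify": any(n.startswith(b"__") and n.endswith(b"_chk")
                       and n != b"__stack_chk_fail" for n in names),
    }


def build_sample_elf(pie=True, relro=True, bind_now=True, dynstr_names=()):
    """Constructed test data: a minimal synthetic ELF64 with one PT_LOAD mapping
    the whole file at vaddr 0, a PT_DYNAMIC and (optionally) a PT_GNU_RELRO.
    It is not loadable; it exists only to exercise check_elf() offline."""
    e, phnum, phoff = "<", 3, 64
    strtab_off = phoff + phnum * 56
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in dynstr_names)
    dyn_off = strtab_off + len(strtab)
    dyn = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack(e + "qQ", t, v) for t, v in dyn)
    total = dyn_off + len(dyn_bytes)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, LSB
    ehdr = ident + struct.pack(e + "HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC,
                               62, 1, 0, phoff, 0, 0, 64, 56, phnum, 0, 0, 0)

    def phdr(p_type, off, size):   # p_offset == p_vaddr, so mapping is identity
        return struct.pack(e + "IIQQQQQQ", p_type, 6, off, off, off, size, size, 1)

    phdrs = (phdr(PT_LOAD, 0, total) + phdr(PT_DYNAMIC, dyn_off, len(dyn_bytes))
             + phdr(PT_GNU_RELRO if relro else PT_NULL, dyn_off, len(dyn_bytes)))
    return ehdr + phdrs + strtab + dyn_bytes


if __name__ == "__main__":
    # Usage: python check_hardening.py /path/to/binary ...
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, check_elf(f.read()))
```

Run against the outputs of a rebuilt branch, a binary that came out with `pie`, `full_relro`, `stack_protector` and `fortify` all true received the full Debian-style flag set; a false `relro` or `bind_now` is the clearest sign that a package supplied its own LDFLAGS and never saw the defaults, which is exactly the case Ludovic expected to find.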