1 |
Hello, so I've been running Gentoo Hardened for a few years on my |
2 |
laptop, my desktop, and a server made from an older desktop. |
3 |
|
4 |
Because of Grsecurity closing access to its source to non-subscribers, |
5 |
I decided that I would just try to stick with Gentoo-sources and |
6 |
harden the default profile and follow the KSSP guidelines to get as |
7 |
close as possible without losing the testing kernel. Because of this, |
8 |
I no longer used the PaX features and decided switch to the default |
9 |
profile and enabling my own flags. |
10 |
|
11 |
I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all |
12 |
and LDFLAGS with full RELRO support (and --sort-common). I saw that |
13 |
GCC still uses the FORTIFY patch so I didn't need to add that. So far |
14 |
I've had absolutely no issues with this setup but I was trying to see |
15 |
if there's anything else I could do to bridge it closer to where it |
16 |
was and noticed that there are several warnings against this as it |
17 |
could break packages (including glibc). I've had no breakages myself |
18 |
that are visable at least and no build failures. |
19 |
|
20 |
So I was just wondering if ~arch is ready for more secure defaults on |
21 |
the 17.0 profiles in the linker flags. There are several |
22 |
distributions which ship RELRO by default and I am not aware of any |
23 |
performance issues regarding this. At least to me it shouldn't be |
24 |
warned against unless there are lots of build failures these days. Of |
25 |
course though, I'm not a dev and would like to see your perspective on |
26 |
this. |
27 |
|
28 |
Thank you, |
29 |
Michael Brinkman |