| 1 |
Hello, so I've been running Gentoo Hardened for a few years on my |
| 2 |
laptop, my desktop, and a server made from an older desktop. |
| 3 |
|
| 4 |
Because of Grsecurity closing access to its source to non-subscribers, |
| 5 |
I decided that I would just try to stick with Gentoo-sources and |
| 6 |
harden the default profile and follow the KSSP guidelines to get as |
| 7 |
close as possible without losing the testing kernel. Because of this, |
| 8 |
I no longer used the PaX features and decided switch to the default |
| 9 |
profile and enabling my own flags. |
| 10 |
|
| 11 |
I enabled pie, ssp, and appended my CFLAGS with -fstack-protector-all |
| 12 |
and LDFLAGS with full RELRO support (and --sort-common). I saw that |
| 13 |
GCC still uses the FORTIFY patch so I didn't need to add that. So far |
| 14 |
I've had absolutely no issues with this setup but I was trying to see |
| 15 |
if there's anything else I could do to bridge it closer to where it |
| 16 |
was and noticed that there are several warnings against this as it |
| 17 |
could break packages (including glibc). I've had no breakages myself |
| 18 |
that are visable at least and no build failures. |
| 19 |
|
| 20 |
So I was just wondering if ~arch is ready for more secure defaults on |
| 21 |
the 17.0 profiles in the linker flags. There are several |
| 22 |
distributions which ship RELRO by default and I am not aware of any |
| 23 |
performance issues regarding this. At least to me it shouldn't be |
| 24 |
warned against unless there are lots of build failures these days. Of |
| 25 |
course though, I'm not a dev and would like to see your perspective on |
| 26 |
this. |
| 27 |
|
| 28 |
Thank you, |
| 29 |
Michael Brinkman |
Archives