| 1 |
On 6/15/17 11:20 AM, Matthias Maier wrote: |
| 2 |
> Hi Michael, |
| 3 |
> |
| 4 |
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@×××××.com> wrote: |
| 5 |
> |
| 6 |
>> So I was just wondering if ~arch is ready for more secure defaults on |
| 7 |
>> the 17.0 profiles in the linker flags. There are several |
| 8 |
>> distributions which ship RELRO by default and I am not aware of any |
| 9 |
>> performance issues regarding this. |
| 10 |
> |
| 11 |
> We (i.e. toolchain) are in the process of enabling quite a number of |
| 12 |
> security hardening features on default profiles. In particular |
| 13 |
> |
| 14 |
> - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles |
| 15 |
> |
| 16 |
|
| 17 |
there should be a way of turning these off systematically. the |
| 18 |
advantage of the current hardened gcc specs is that one can switch |
| 19 |
between them using gcc-config. if these are forced on for the default |
| 20 |
profile then there will be no easy way to systematically turn them off. |
| 21 |
|
| 22 |
for those who don't used hardened, gcc-config -l on hardened profile gives: |
| 23 |
|
| 24 |
[1] x86_64-pc-linux-gnu-5.4.0 * |
| 25 |
[2] x86_64-pc-linux-gnu-5.4.0-hardenednopie |
| 26 |
[3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp |
| 27 |
[4] x86_64-pc-linux-gnu-5.4.0-hardenednossp |
| 28 |
[5] x86_64-pc-linux-gnu-5.4.0-vanilla |
| 29 |
|
| 30 |
while on the default profiles it gives: |
| 31 |
|
| 32 |
[1] x86_64-pc-linux-gnu-5.4.0 * |
| 33 |
|
| 34 |
[5] on the hardened profile is equivalent to [1] on the vanilla. |
| 35 |
|
| 36 |
maybe we should consider merging the hardened and default profiles? |
| 37 |
|
| 38 |
-- |
| 39 |
Anthony G. Basile, Ph.D. |
| 40 |
Gentoo Linux Developer [Hardened] |
| 41 |
E-Mail : blueness@g.o |
| 42 |
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 43 |
GnuPG ID : F52D4BBA |
Archives