On 6/15/17 11:20 AM, Matthias Maier wrote:
> Hi Michael,
>
> On Sun, Jun 11, 2017, at 16:39 CDT, Michael Brinkman <thygreatswaggedone@×××××.com> wrote:
>
>> So I was just wondering if ~arch is ready for more secure defaults on
>> the 17.0 profiles in the linker flags. There are several
>> distributions which ship RELRO by default and I am not aware of any
>> performance issues regarding this.
>
> We (i.e. toolchain) are in the process of enabling quite a number of
> security hardening features on default profiles. In particular
>
> - (force) +pie +ssp for gcc-6 onwards in 17.0 profiles
>

there should be a way of turning these off systematically. the
advantage of the current hardened gcc specs is that one can switch
between them using gcc-config. if these are forced on for the default
profile then there will be no easy way to systematically turn them off.

for those who don't use hardened, gcc-config -l on hardened profile gives:

[1] x86_64-pc-linux-gnu-5.4.0 *
[2] x86_64-pc-linux-gnu-5.4.0-hardenednopie
[3] x86_64-pc-linux-gnu-5.4.0-hardenednopiessp
[4] x86_64-pc-linux-gnu-5.4.0-hardenednossp
[5] x86_64-pc-linux-gnu-5.4.0-vanilla

while on the default profiles it gives:

[1] x86_64-pc-linux-gnu-5.4.0 *

[5] on the hardened profile is equivalent to [1] on the vanilla.

maybe we should consider merging the hardened and default profiles?

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
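The thread above is about which spec file (hardened, hardenednopie, hardenednossp, vanilla) the compiler is using, but the thing a maintainer ultimately wants to know is what the resulting binary actually has. The following is an added example, not part of this list thread and not Gentoo's or the toolchain team's code: a Python script that inspects an ELF64 image directly and reports PIE, the RELRO level (none / partial / full), a non-executable stack, and stack-protector use. PIE is recognised as an ET_DYN object that carries an interpreter or DF_1_PIE, RELRO from the PT_GNU_RELRO segment plus DF_BIND_NOW / DF_1_NOW, NX from PT_GNU_STACK, and SSP from an imported __stack_chk_fail in the dynamic string table. All constants are the standard ELF values. The build_sample_elf helper is an assumption of this example: it constructs minimal synthetic ELF images (no real code in them) so the checks can be exercised offline; on a real system you would pass it the bytes of an installed binary instead.

```python
import struct
import sys

# Standard ELF64 constants (ELF and SysV ABI specifications).
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_INTERP = 1, 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000

PHDR_FMT = "<IIQQQQQQ"  # p_type p_flags p_offset p_vaddr p_paddr p_filesz p_memsz p_align


def parse_elf64(data):
    """Return (e_type, list of program-header dicts) for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type, = struct.unpack_from("<H", data, 16)
    e_phoff, = struct.unpack_from("<Q", data, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        f = struct.unpack_from(PHDR_FMT, data, e_phoff + i * e_phentsize)
        phdrs.append({"type": f[0], "flags": f[1], "offset": f[2],
                      "vaddr": f[3], "filesz": f[5]})
    return e_type, phdrs


def vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:
        if p["type"] == PT_LOAD and p["vaddr"] <= vaddr < p["vaddr"] + p["filesz"]:
            return p["offset"] + (vaddr - p["vaddr"])
    raise ValueError("address 0x%x not backed by a PT_LOAD segment" % vaddr)


def dynamic_entries(data, phdrs):
    """Read the PT_DYNAMIC segment into a {d_tag: d_val} dict (last value wins)."""
    tags = {}
    for p in phdrs:
        if p["type"] != PT_DYNAMIC:
            continue
        for off in range(p["offset"], p["offset"] + p["filesz"], 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, off)
            if d_tag == DT_NULL:
                break
            tags[d_tag] = d_val
    return tags


def hardening_report(data):
    """Report PIE, RELRO level, NX stack and stack-protector use for an ELF64 image."""
    e_type, phdrs = parse_elf64(data)
    dyn = dynamic_entries(data, phdrs)
    flags, flags1 = dyn.get(DT_FLAGS, 0), dyn.get(DT_FLAGS_1, 0)
    has_interp = any(p["type"] == PT_INTERP for p in phdrs)
    # A PIE is an ET_DYN object that is an executable (interpreter or DF_1_PIE);
    # a plain shared library is ET_DYN too but is not a PIE.
    pie = e_type == ET_DYN and (has_interp or bool(flags1 & DF_1_PIE))
    if any(p["type"] == PT_GNU_RELRO for p in phdrs):
        # -z relro gives partial RELRO; adding -z now makes the GOT fully read-only.
        relro = "full" if (flags & DF_BIND_NOW or flags1 & DF_1_NOW) else "partial"
    else:
        relro = "none"
    stack = [p for p in phdrs if p["type"] == PT_GNU_STACK]
    # Without a PT_GNU_STACK header the kernel falls back to an executable stack.
    nx = bool(stack) and not (stack[0]["flags"] & PF_X)
    ssp = False
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        off = vaddr_to_offset(phdrs, dyn[DT_STRTAB])
        # -fstack-protector emits calls to __stack_chk_fail, visible as an import.
        ssp = b"\0__stack_chk_fail\0" in data[off:off + dyn[DT_STRSZ]]
    return {"pie": pie, "relro": relro, "nx": nx, "ssp": ssp}


def build_sample_elf(pie, relro, bind_now, nx_stack, ssp):
    """Construct a minimal synthetic ELF64 image (constructed test input, no real code)."""
    phdr_count = 5 if relro else 4
    dyn_off = 64 + 56 * phdr_count          # program headers follow the 64-byte header
    str_off = dyn_off + 16 * 5              # five 16-byte dynamic entries
    strtab = b"\0__stack_chk_fail\0" if ssp else b"\0puts\0"
    total = str_off + len(strtab)
    dynamic = struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW if bind_now else 0)
    dynamic += struct.pack("<qQ", DT_FLAGS_1, (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie else 0))
    dynamic += struct.pack("<qQ", DT_STRTAB, str_off)   # vaddr == file offset in this image
    dynamic += struct.pack("<qQ", DT_STRSZ, len(strtab))
    dynamic += struct.pack("<qQ", DT_NULL, 0)
    phdrs = [
        struct.pack(PHDR_FMT, PT_LOAD, PF_R | PF_W, 0, 0, 0, total, total, 0x1000),
        struct.pack(PHDR_FMT, PT_INTERP, PF_R, str_off, str_off, str_off, 1, 1, 1),
        struct.pack(PHDR_FMT, PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, 80, 80, 8),
        struct.pack(PHDR_FMT, PT_GNU_STACK, PF_R | PF_W | (0 if nx_stack else PF_X), 0, 0, 0, 0, 0, 16),
    ]
    if relro:
        phdrs.append(struct.pack(PHDR_FMT, PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, 80, 80, 1))
    header = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, little-endian, version 1
    header += struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                          64, 56, phdr_count, 64, 0, 0)
    return header + b"".join(phdrs) + dynamic + strtab


if __name__ == "__main__":
    # Usage on a real binary: python3 elfcheck.py /path/to/binary
    if len(sys.argv) == 2:
        with open(sys.argv[1], "rb") as fh:
            print(hardening_report(fh.read()))
    else:
        print(hardening_report(build_sample_elf(True, True, True, True, True)))
```

Running it over a binary built with the hardened spec versus one built with the vanilla spec makes the difference between the gcc-config entries concrete, and the same checks can be run over /usr/bin after a world rebuild to confirm that a profile change (or a switch back via gcc-config) took effect everywhere. Section headers are deliberately ignored, so the report still works on stripped binaries.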