[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Hardening
|
From: |
ng0 |
|
Subject: |
Re: Hardening |
|
Date: |
Sat, 03 Sep 2016 11:34:17 +0000 |
Ludovic Courtès <address@hidden> writes:
> Leo Famulari <address@hidden> skribis:
>
>> On Wed, Dec 30, 2015 at 05:06:30PM +0100, Ludovic Courtès wrote:
>>> Alex Vong <address@hidden> skribis:
>>> > Yes, I grep for `fstack-protector-strong' in the guix code base and no
>>> > matches are found. It appears no packages are setting this flag
>>> > currently. I think this flag (perhaps also a couple others) should be
>>> > set by default since they help protect against buffer overflow
>>> > <https://en.wikipedia.org/wiki/Buffer_overflow_protection>.
>>>
>>> I definitely agree, that’s something I’ve been wanting to try out.
>>>
>>> The question is more how. Do we change the default #:configure-flags
>>> for ‘gnu-build-system’ to something like:
>>>
>>> '("CPPFLAGS=-D_FORTIFY_SOURCE=2"
>>> "CFLAGS=-O2 -g -fstack-protector-strong")
>>>
>>> ?
>>>
>>> That sounds like a good starting point, but I expect that (1) one third
>>> of the packages will fail to build, and (2) another third of the
>>> packages will not get these flags, for instance because they pass their
>>> own #:configure-flags.
>>>
>>> IOW, it will take a whole rebuild to find out exactly what’s going on
>>> and to fix any issues.
>>>
>>> Would you like to start working on it? Then we could create a branch,
>>> have Hydra build it, and incrementally fix things.
>>
>> We should pick this project back up. I was suprised to find we haven't
>> done anything like this after reading this recent blog post about Nix's
>> hardening effort:
>>
>> https://blog.mayflower.de/5800-Hardening-Compiler-Flags-for-NixOS.html?utm_source=twitterfeed&utm_medium=twitter
>
> Definitely! As discussed on IRC, an option would be to add a keyword
> parameter to ‘gnu-build-system’:
>
> #:hardening-flags '(fortify stack-protector)
>
> Then ‘configure’ in (guix build gnu-build-system) would translate that
> into CPPFLAGS and CFLAGS options for ‘configure’, as shown above.
>
> The main difficulty with this is that many packages will break. Thus,
> if we make it opt-out, we’ll have to fix packages one by one. It seems
> unavoidable though.
That's how everyone does it, enable per package or globally, test, apply
system-specific patches. Unavoidable but it works. I think we could
create a branch, let's call it 'hardening', globally harden everything
and see how much fails and how, look at how debian, gentoo, *bsd solve
the hardening fails and fix it for every individual packages.
> Thoughts?
>
> Ludo’.
>
--
ng0
For non-prism friendly talk find me on http://www.psyced.org