guix-devel

Re: Hardening (was: Re: tor: update to 0.2.9.9)


From: ng0
Subject: Re: Hardening (was: Re: tor: update to 0.2.9.9)
Date: Tue, 24 Jan 2017 21:18:55 +0000

ng0 <address@hidden> writes:

> Leo Famulari <address@hidden> writes:
>
>> On Tue, Jan 24, 2017 at 08:56:48PM +0000, ng0 wrote:
>>> Leo Famulari <address@hidden> writes:
>>> > Should we build Tor with "--enable-expensive-hardening"?
>>> 
>>> I will take a look later what can be applied other than the
>>> default configure flags.
>>> 
>>> I'm all for hardening, but it seems that the first basic ideas
>>> for Guix are stuck in the idea state.
>>
>> As far as I can tell, --enable-expensive-hardening is specific to Tor,
>> so it's not relevant to the project of hardening all Guix packages.
>
> Yes.
>
> I'm building this change right now:
>
> +    (arguments
> +     `(#:configure-flags (list "--enable-expensive-hardening"
> +                               "--enable-gcc-hardening"
> +                               "--enable-linker-hardening")))
>
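
Review bot: The three flags added to #:configure-flags carry no comment saying why they were chosen or what they cost, and the name "--enable-expensive-hardening" itself signals a cost of some kind. A short comment above the list stating what each flag is expected to enable, and that the expensive one has a cost to weigh, would help whoever touches this package next. The message says the build is still running, so the result of the build and the test suite with all three flags should be reported before this goes in. As a style point, the list contains only string literals, so a quoted list would do in place of (list ...).
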
> Taken from Gentoo, I trust their hardening project to debug and
> discover good usage.
>
>>> It would be great to see some movement on this during this
>>> year. I volunteer to help with it, though I don't have as much
>>> experience with SELinux (and only basic experience with
>>> GrSecurity without a modular kernel like GuixSD uses).
>>
>> Yes, this effort needs a champion.

No, I would say this needs an effort of more than one person. At
best a team of people who either are willing to learn about
system hardening or already know enough, maybe even a combination
of both to share knowledge :)

-- 
♥Ⓐ  ng0 -- https://www.inventati.org/patternsinthechaos/


