10-20-2011, 08:47 AM
"Paweł Hajdan, Jr."

Moving more hardening features to default?

I've noticed
<http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
Debian is starting to make more and more hardening features default, at
least for most packages.

Should we start doing that too? What are possible problems with that? It
seems like it's mostly about USE=hardened, right?

I've noticed that several binary drivers like nvidia-drivers are masked
on hardened - is it a problem with hardened-sources, or with hardened
toolchain?
 
10-20-2011, 10:40 AM
"Anthony G. Basile"

Moving more hardening features to default?

On 10/20/2011 04:47 AM, "Paweł Hajdan, Jr." wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.
>
> Should we start doing that too? What are possible problems with that? It
> seems like it's mostly about USE=hardened, right?
>
> I've noticed that several binary drivers like nvidia-drivers are masked
> on hardened - is it a problem with hardened-sources, or with hardened
> toolchain?
>
The nvidia-driver problem is due to PaX in the kernel, so it's
hardened-sources.

USE=hardened refers to only toolchain hardening. The problems there are
mostly packages which break with PIE because they (ab)use assembly.
Things like virtualbox and some codecs. This can become a thorny mess.

It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
and ssp into mainstream though. Packages which break because of either
of those two features are broken and should be fixed anyhow.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
10-20-2011, 10:46 AM
Tomáš Chvátal

Moving more hardening features to default?

2011/10/20 Anthony G. Basile <blueness@gentoo.org>:

> USE=hardened refers to only toolchain hardening. The problems there are
> mostly packages which break with PIE because they (ab)use assembly.
> Things like virtualbox and some codecs. This can become a thorny mess.
>
> It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
> and ssp into mainstream though. Packages which break because of either
> of those two features are broken and should be fixed anyhow.
>

This sounds like a good idea.
I would say that most hardened features should be merged to the main
profile as soon as they won't cause major PITA for the regular users.

Cheers

Tom
 
10-20-2011, 11:46 AM
Diego Elio Pettenò

Moving more hardening features to default?

On Thu, 20/10/2011 at 06.40 -0400, Anthony G. Basile
wrote:
> It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
> and ssp into mainstream though. Packages which break because of
> either
> of those two features are broken and should be fixed anyhow.

-D_FORTIFY_SOURCES=2 has been enabled in mainline since GCC 4.3.3-r1 if
my memory serves me right.

--
Diego Elio Pettenò — Flameeyes
http://blog.flameeyes.eu/
 
10-20-2011, 12:41 PM
Rich Freeman

Moving more hardening features to default?

2011/10/20 Tomáš Chvátal <scarabeus@gentoo.org>:
> I would say that most hardened features should be merged to the main
> profile as soon as they won't cause major PITA for the regular users.

I agree - especially for stuff that doesn't require active setup
(stack protection, PaX, etc).

If there are features that we could turn on but for a few packages,
maybe the solution there is to discuss them on-list and target them
for future adoption and make an effort to fix the impacted ebuilds.
Fix could mean either making the package work with the hardened
feature, or disabling it just for that package (filter-flags, tag
binaries not to run with features, etc).

The hardened profile can still of course be the place where we push
the envelope at the cost of more packages being masked, and there will
always be things like MAC that represent a big change in how a system
is run that will take a long time to become mainstream.

Rich
 
10-20-2011, 12:49 PM
Mike Frysinger

Moving more hardening features to default?

On Thursday 20 October 2011 07:46:57 Diego Elio Pettenò wrote:
> On Thu, 20/10/2011 at 06.40 -0400, Anthony G. Basile wrote:
> > It would probably be nearly painless to bring in -D_FORTIFY_SOURCES=2
> > and ssp into mainstream though. Packages which break because of
> > either
> > of those two features are broken and should be fixed anyhow.
>
> -D_FORTIFY_SOURCES=2 has been enabled in mainline since GCC 4.3.3-r1 if
> my memory serves me right.

it isn't in mainline gcc. but it is in all Gentoo gcc versions since 4.3.3.
first added like 3 years ago.
-mike
 
10-20-2011, 12:55 PM
Mike Frysinger

Moving more hardening features to default?

On Thursday 20 October 2011 04:47:14 Paweł Hajdan, Jr. wrote:
> I've noticed
> <http://wiki.debian.org/ReleaseGoals/SecurityHardeningBuildFlags>, i.e.
> Debian is starting to make more and more hardening features default, at
> least for most packages.

seems a bit light on what actually is being used

random thoughts:
- we've long defaulted to linking with relro
- defaulting to bindnow is pretty much a no go for USE=-hardened
- building everything as PIC/PIE comes with performance penalty for some
architectures (e.g. x86), and is often the source of build issues with the
hardened port
- we've long defaulted to building with _FORTIFY_SOURCE
- i'd need to see actual overhead data with SSP to see about enabling it by
default
-mike
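The features Mike lists (relro, bindnow, PIC/PIE, _FORTIFY_SOURCE, SSP) all leave visible traces in a built ELF, so a defender can check what the toolchain defaults actually produced. The following inspector is an added example, not code from the thread or from Gentoo's tooling; it reads only standard ELF structures (program headers, the dynamic section and .dynstr), and the function names and the constructed non-ELF input are my own.

```python
import struct, sys

ET_DYN, PT_LOAD, PT_DYNAMIC, PT_INTERP, PT_GNU_RELRO = 3, 1, 2, 3, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW, DF_1_PIE = 0x8, 0x1, 0x08000000


def elf_hardening_bytes(data):
    """Classify an ELF image; returns None when `data` is not ELF (e.g. a script)."""
    if data[:4] != b"\x7fELF":
        return None
    is64, en = data[4] == 2, ("<" if data[5] == 1 else ">")
    e_type = struct.unpack_from(en + "H", data, 16)[0]
    # (e_phoff format, e_phoff offset, e_phentsize offset, Phdr format, Dyn format) per ELF class
    hdr = (en + "Q", 32, 54, en + "IIQQQQQQ", en + "qQ") if is64 else (en + "I", 28, 42, en + "IIIIIIII", en + "iI")
    phoff = struct.unpack_from(hdr[0], data, hdr[1])[0]
    phentsize, phnum = struct.unpack_from(en + "HH", data, hdr[2])
    phdrs = []  # (p_type, p_offset, p_vaddr, p_filesz); Elf64 puts p_flags second, Elf32 seventh
    for i in range(phnum):
        f = struct.unpack_from(hdr[3], data, phoff + i * phentsize)
        phdrs.append((f[0], f[2], f[3], f[5]) if is64 else (f[0], f[1], f[2], f[4]))
    types = {p[0] for p in phdrs}
    dyn = {}  # dynamic-section tags (stays empty for static binaries)
    for t, o, v, fsz in phdrs:
        if t == PT_DYNAMIC:
            for pos in range(o, o + fsz, struct.calcsize(hdr[4])):
                tag, val = struct.unpack_from(hdr[4], data, pos)
                if tag == DT_NULL:
                    break
                dyn[tag] = val
    names = b""  # .dynstr contents: imported symbol names reveal SSP and FORTIFY use
    for t, o, v, fsz in phdrs:
        if t == PT_LOAD and DT_STRTAB in dyn and v <= dyn[DT_STRTAB] < v + fsz:
            start = dyn[DT_STRTAB] - v + o  # map the DT_STRTAB virtual address to a file offset
            names = data[start:start + dyn.get(DT_STRSZ, 0)]
    flags1 = dyn.get(DT_FLAGS_1, 0)
    bind_now = DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW or flags1 & DF_1_NOW
    return {
        "pie": e_type == ET_DYN and (PT_INTERP in types or bool(flags1 & DF_1_PIE)),
        "relro": PT_GNU_RELRO in types,
        "full_relro": PT_GNU_RELRO in types and bool(bind_now),  # relro without bindnow is only partial
        "ssp": b"__stack_chk_fail\0" in names,
        "fortify": any(n.endswith(b"_chk") for n in names.split(b"\0")),  # __memcpy_chk, __printf_chk, ...
    }


def elf_hardening(path):
    return elf_hardening_bytes(open(path, "rb").read())


def hardening_of_interpreter():
    return elf_hardening(sys.executable)  # the running Python binary, handy as a smoke test
```

Shared libraries come back with pie=False because only executables (ET_DYN with PT_INTERP) are counted; static binaries report ssp/fortify as False because their symbol names are not in .dynstr.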
 
10-20-2011, 12:57 PM
Mike Frysinger

Moving more hardening features to default?

On Thursday 20 October 2011 08:41:55 Rich Freeman wrote:
> 2011/10/20 Tomáš Chvátal:
> > I would say that most hardened features should be merged to the main
> > profile as soon as they won't cause major PITA for the regular users.
>
> I agree - especially for stuff that doesn't require active setup
> (stack protection, PaX, etc).

except PaX requires kernel patches and is known to break things. not an
acceptable default.
-mike
 
10-20-2011, 02:36 PM
"Anthony G. Basile"

Moving more hardening features to default?

On 10/20/2011 08:57 AM, Mike Frysinger wrote:
> On Thursday 20 October 2011 08:41:55 Rich Freeman wrote:
>> 2011/10/20 Tomáš Chvátal:
>>> I would say that most hardened features should be merged to the main
>>> profile as soon as they won't cause major PITA for the regular users.
>> I agree - especially for stuff that doesn't require active setup
>> (stack protection, PaX, etc).
> except PaX requires kernel patches and is known to break things. not an
> acceptable default.
> -mike
I would not recommend PaX at this time. As Mike said, it breaks things,
sometimes important things. E.g. python ctypes was broken there for a
while on hardened. Also, unlike toolchain, it requires that you
configure your kernel correctly, i.e. have familiarity with what works and
what doesn't under certain PaX features. This may be trivial for us,
but might be more than we want to put newbies through.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
10-20-2011, 04:47 PM
Rich Freeman

Moving more hardening features to default?

On Thu, Oct 20, 2011 at 10:36 AM, Anthony G. Basile <blueness@gentoo.org> wrote:
> I would not recommend PaX at this time. As Mike said, it breaks things,
> sometimes important things. E.g. python ctypes was broken there for a
> while on hardened. Also, unlike toolchain, it requires that you
> configure your kernel correctly, i.e. have familiarity with what works and
> what doesn't under certain PaX features. This may be trivial for us,
> but might be more than we want to put newbies through.

I used it as an example because it is passive for the most part, and I
think most of the configuration could be handled by the ebuilds.

However, I didn't mean to suggest that it was ready to be made a
default. If the list of broken packages were small enough I think
that it would be fair to consider it as a future default to work
towards.

I was trying to draw a contrast between passive things like
stack-protection and things that really get in your face like MAC.

Rich
 