On 4 May 2011 11:29:17, Allan McRae wrote:
There have been requests for some hardening of our default CFLAGS/LDFLAGS (e.g. FS#18864). I believe this was discussed on this list previously and there were no real objections. So actually doing this has been on the table for some time but has been delayed by a combination of lack of time on my behalf and inconvenient timing with toolchain updates. I think now would be a good time to look at doing this.
The plan is to add "-fstack-protector-all -D_FORTIFY_SOURCE=2 --param=ssp-buffer-size=4" to our C{XX}FLAGS and "-Wl,-z,relro" to our LDFLAGS. We could also add "-Wl,-O1" and maybe "-Wl,--sort-common" to our LDFLAGS at the same time for some optimisation.
I am taking the approach of adding C/CXX/LDFLAGS rather than the approach of patching the default compiler options that most other distros use, as it is more consistent with our patching policy and will reduce my maintenance burden. It also makes it easier to disable an option if necessary by just changing their values. The disadvantage being that we have to make sure software listens to our CFLAGS values...
What I do not intend to add:
-Wl,-z,now - has a performance hit (mainly for large programs?).
-fPIE -pie - large performance hit (5-10%) on i686, almost none on x86_64
These should be enabled for individual programs as the maintainer sees fit. PIE stuff is also more difficult and would probably require patching of the gcc specs file to start dealing with properly and would still lead to a bunch of issues. So that is something that I may look at in the distant future for x86_64 only.
So the plan is....
1) Finalise the CFLAGS/LDFLAGS
2) I get the toolchain built and working with these
3) I upload a pacman package with the changed makepkg.conf
4) Consider a [core] rebuild ???
Starting with #1. Are there any comments on the proposed CFLAGS/LDFLAGS, or any further additions that people think might be of use at the same time?
Allan
Debian has a nice "hardening-check" script [1] to verify that an ELF binary has hardening features enabled. Maybe we could include something similar in our devtools?

Stéphane

[1] http://packages.debian.org/sid/hardening-includes
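As an added illustration of what a devtools check along the lines of Debian's hardening-check would have to look at, the following is a small, dependency-free ELF64 checker written for this page; it is not Debian's script and not part of Arch's devtools. It reports the properties discussed in the thread (PIE, RELRO from -Wl,-z,relro, BIND_NOW from -Wl,-z,now, stack protector, FORTIFY_SOURCE) using the usual heuristics, which are assumptions rather than ground truth: an ET_DYN e_type is taken as PIE (shared libraries are ET_DYN too), an imported __stack_chk_fail as -fstack-protector, and any imported *_chk function as _FORTIFY_SOURCE. It handles only little-endian ELF64 (an i686 build would need the ELF32 layouts), scans .dynstr rather than walking .dynsym, and statically linked binaries only get the PIE and RELRO answers. build_sample_elf constructs a minimal, non-runnable ELF image carrying just those markers so the checker can be exercised without a real binary; to check a real one, call check_hardening on the file's bytes.

```python
"""Tiny hardening checker for little-endian ELF64 binaries (added example,
in the spirit of Debian's hardening-check; not that script)."""
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR_SIZE, PHDR_SIZE = 64, 56


def _vaddr_to_off(phdrs, vaddr):
    """Translate a virtual address to a file offset via the PT_LOAD segments."""
    for p_type, p_offset, p_vaddr, p_filesz in phdrs:
        if p_type == PT_LOAD and p_vaddr <= vaddr < p_vaddr + p_filesz:
            return vaddr - p_vaddr + p_offset
    raise ValueError("0x%x is not inside any PT_LOAD segment" % vaddr)


def check_hardening(data):
    """Return {'pie','relro','bind_now','stack_protector','fortify'} for an ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    phdrs = []
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz
        p_type, _, p_offset, p_vaddr, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        phdrs.append((p_type, p_offset, p_vaddr, p_filesz))
    result = {"pie": e_type == ET_DYN,                        # heuristic: shared libs are ET_DYN too
              "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),  # -Wl,-z,relro
              "bind_now": False,                               # -Wl,-z,now (full RELRO)
              "stack_protector": False, "fortify": False}
    dynamic = [p for p in phdrs if p[0] == PT_DYNAMIC]
    if not dynamic:
        return result  # static binary: no dynamic section to inspect
    _, dyn_off, _, dyn_size = dynamic[0]
    strtab = strsz = None
    for off in range(dyn_off, dyn_off + dyn_size, 16):
        tag, val = struct.unpack_from("<qQ", data, off)  # Elf64_Dyn: d_tag, d_val
        if tag == DT_NULL:
            break
        if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                or (tag == DT_FLAGS_1 and val & DF_1_NOW):
            result["bind_now"] = True
        elif tag == DT_STRTAB:
            strtab = val
        elif tag == DT_STRSZ:
            strsz = val
    if strtab is not None and strsz:
        # Simplification: look for the names in .dynstr instead of walking .dynsym
        start = _vaddr_to_off(phdrs, strtab)
        names = data[start:start + strsz].split(b"\0")
        result["stack_protector"] = b"__stack_chk_fail" in names
        result["fortify"] = any(n.endswith(b"_chk") for n in names)
    return result


def build_sample_elf(pie=True, relro=True, bind_now=True, ssp=True, fortify=True):
    """Constructed sample input: a minimal, non-runnable ELF64 image with only the
    headers and tables check_hardening reads. One PT_LOAD at vaddr 0 covers the
    whole file, so virtual addresses equal file offsets."""
    names = [b"", b"libc.so.6"]
    if ssp:
        names.append(b"__stack_chk_fail")
    if fortify:
        names.append(b"__memcpy_chk")
    names.append(b"memcpy")
    dynstr = b"\0".join(names) + b"\0"
    phnum = 3 if relro else 2
    n_dyn = 4 if bind_now else 3
    dyn_off = EHDR_SIZE + phnum * PHDR_SIZE
    str_off = dyn_off + 16 * n_dyn
    total = str_off + len(dynstr)
    entries = [(DT_STRTAB, str_off), (DT_STRSZ, len(dynstr))]
    if bind_now:
        entries.append((DT_FLAGS, DF_BIND_NOW))
    entries.append((DT_NULL, 0))
    dyn_bytes = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8  # ELFCLASS64, LSB, version 1, SysV
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                               EHDR_SIZE, 0, 0, EHDR_SIZE, PHDR_SIZE, phnum, 64, 0, 0)

    def phdr(p_type, off, size):  # p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align
        return struct.pack("<IIQQQQQQ", p_type, 4, off, off, off, size, size, 8)

    phdrs = phdr(PT_LOAD, 0, total) + phdr(PT_DYNAMIC, dyn_off, 16 * n_dyn)
    if relro:
        phdrs += phdr(PT_GNU_RELRO, dyn_off, 16 * n_dyn)
    return ehdr + phdrs + dyn_bytes + dynstr
```

On a real binary, `check_hardening(open(path, "rb").read())` gives the same dict; a binary built with the flags proposed in the thread should come back with relro, stack_protector and fortify set, with bind_now and pie reflecting whether the maintainer added -Wl,-z,now and -fPIE -pie for that package.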