tech-pkg archive
Re: Default hardening options
On Sat, Aug 14, 2021 at 11:38:44AM -0400, Greg Troxel wrote:
> Could you:
>
> Post a draft patch to mk/defaults.mk, or whatever, so there's a crisp
> thing for people to test?
Of course, attached.
> Comment on where you think we are in terms of this possibly being
> pre-branch, vs heading for just after Q3 is branched?
I think USE_SSP=strong is perfectly safe pre-branch.
I think USE_RELRO might still not work with a very small number of
obscure packages, but we should be able to fix those, even in the
freeze.
They are mostly packages that ignore CFLAGS/LDFLAGS, which goes
against standard policy anyway.
>
> Explain if turning on MKREPRO without also MKPIE and ASLR has any
> negative security consequences? (I am guessing no, because addresses
> are already predictable and MKREPRO is about avoiding timestamps etc.)
All MKREPRO does is remove references to WRKDIR in debug output.
>
> I think you mean the following
>
> PKGSRC_USE_SSP?= strong
> PKGSRC_USE_RELRO?= partial
> PKGSRC_MKREPRO?= yes
>
> but wiz mentioned
>
> yes for RELRO, and I don't see that as a valid value.
It is the same as "full". I am convinced that full RELRO is more
useful, with minimal drawbacks:
https://www.redhat.com/en/blog/hardening-elf-binaries-using-relocation-read-only-relro
Index: defaults/mk.conf
===================================================================
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.318
diff -u -r1.318 mk.conf
--- defaults/mk.conf 30 May 2021 23:41:05 -0000 1.318
+++ defaults/mk.conf 14 Aug 2021 17:18:59 -0000
@@ -241,7 +241,7 @@
# Possible: yes, no
# Default: no
-PKGSRC_MKREPRO?= no
+PKGSRC_MKREPRO?= yes
# If no, do not alter the build process. Otherwise, try to build reproducibly.
# This allows packages built from the same tree and options to produce identical
# results bit by bit.
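Review bot: The `# Default: no` comment directly above `PKGSRC_MKREPRO?= yes` is left unchanged, so the documented default now contradicts the assignment. Change it to `# Default: yes` in the same commit.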
@@ -271,7 +271,7 @@
#
# Keywords: fortify FORTIFY_SOURCE
-PKGSRC_USE_RELRO?= no
+PKGSRC_USE_RELRO?= full
# Link with RELRO by default (on supported platforms). This makes the
# exploitation of some security vulnerabilities more difficult in some cases.
# Possible values:
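Review bot: The documentation under `PKGSRC_USE_RELRO?= full` should say explicitly which values are accepted: the hunk stops at `# Possible values:`, and the thread uses both `yes` and `full` for this variable. If `yes` is kept as a synonym for `full`, state that in the list so users do not have to guess.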
@@ -281,7 +281,7 @@
#
# Keywords: relro
-PKGSRC_USE_SSP?= yes
+PKGSRC_USE_SSP?= strong
# Configure this to enable stack smashing protection (on supported platforms).
# Possible values:
# no: Do not pass any stack protection flags
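Review bot: `PKGSRC_USE_SSP?= strong` raises the default, but the visible comment only says "on supported platforms" and gives no hint of what happens where the compiler lacks the stronger mode. If `strong` maps to -fstack-protector-strong (an assumption, since the value list is cut off after `no`), document whether the build falls back to the previous `yes` behaviour or fails on compilers that reject that flag.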