Default hardening options

To: tech-pkg%NetBSD.org@localhost
Subject: Default hardening options
From: nia <nia%NetBSD.org@localhost>
Date: Wed, 4 Aug 2021 15:13:19 +0000

How do we feel about turning up the default hardening options?

I generally build with PKGSRC_USE_SSP=strong on all my boxes.
This is harder than NetBSD base, but I've never observed any
problems or performance impact. Importantly, it protects any
function that has stack-based arrays from stack-based buffer
overflows.

I've noticed no problems caused by PKGSRC_USE_RELRO or
PKGSRC_MKRERPO in my bulk builds. PKGSRC_USE_RELRO=partial
would match NetBSD base.

I believe MKPIE is still a way off, it doesn't work with e.g.
Haskell, but that should be turned on eventually if we want
to match NetBSD's hardening options.

Follow-Ups:
- Re: Default hardening options
  - From: Greg Troxel
- Re: Default hardening options
  - From: Greg Troxel
- Re: Default hardening options
  - From: Thomas Klausner
- Re: Default hardening options
  - From: Jonathan Perkin

Prev by Date: Re: devel/libnet wrecks libreoffice build
Next by Date: Re: Default hardening options
Previous by Thread: devel/libnet wrecks libreoffice build
Next by Thread: Re: Default hardening options
Indexes:

Home | Main Index | Thread Index | Old Index