tech-pkg archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Default hardening options

On Sat, Aug 14, 2021 at 11:38:44AM -0400, Greg Troxel wrote:
> Could you:
>   Post a draft patch to mk/, or whatever, so there's a crisp
>   thing for people to test?

Of course, attached.

>   Comment on where you think we are in terms of this possibly being
>   pre-branch, vs heading for just after Q3 is branched?

I think USE_SSP=strong is perfectly safe pre-branch.

I think USE_RELRO might still not work with a very small number of
obscure packages, but we should be able to fix those, even in the

They are mostly packages that ignore CFLAGS/LDFLAGS, which goes
against standard policy anyway.

>   Explain if turning on MKREPRO without also MKPIE and ALSR has any
>   negative security consequences?  (I am guessing no, because addreses
>   are already predicable and MKREPRO is about avoiding timestamps etc.)

All MKREPRO does is remove references to WRKDIR in debug output.
> I think you mean the following
> PKGSRC_USE_SSP?= 	strong
> PKGSRC_USE_RELRO?=	partial
> but wiz mentioned
>   yes for RELRO, and I don't see that as a valid value.

It is the same as "full". I am convinced that full RELRO is more
useful, with minimal drawbacks:
Index: defaults/mk.conf
RCS file: /cvsroot/pkgsrc/mk/defaults/mk.conf,v
retrieving revision 1.318
diff -u -r1.318 mk.conf
--- defaults/mk.conf	30 May 2021 23:41:05 -0000	1.318
+++ defaults/mk.conf	14 Aug 2021 17:18:59 -0000
@@ -241,7 +241,7 @@
 # Possible: yes, no
 # Default: no
 # If no, do not alter the build process. Otherwise, try to build reproducibly.
 # This allows packages built from the same tree and options to produce identical
 # results bit by bit.
@@ -271,7 +271,7 @@
 # Keywords: fortify FORTIFY_SOURCE
 # Link with RELRO by default (on supported platforms). This makes the
 # exploitation of some security vulnerabilities more difficult in some cases.
 # Possible values:
@@ -281,7 +281,7 @@
 # Keywords: relro
+PKGSRC_USE_SSP?= strong
 # Configure this to enable stack smashing protection (on supported platforms).
 # Possible values:
 #	no:	Do not pass any stack protection flags

Home | Main Index | Thread Index | Old Index