* Tom Hughes:

> On 13/03/2019 03:27, Huzaifa Sidhpurwala wrote:
>
>> On 3/12/19 5:40 PM, Vít Ondruch wrote:
>>> Will it help to mitigate issues such as:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1284684
>>>
>> This is related to the following change which was made in Fedora 23:
>> https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
>>
>> My proposal does not touch PIE or RELRO at all, but is related to
>> compiling code with protections which mitigate format string attacks
>> and stack-based buffer overflows. It is pretty common to enable these
>> flags while compiling; it's just strange that we don't enable these by
>> default.
>
> We do, just not by changing the compiler defaults.
>
> Instead they are in %{optflags} which all packages are expected
> to use for their compiler flags:
>
> https://docs.fedoraproject.org/en-US/packaging-guidelines/#_compiler_flags
>
> Here's what %optflags looks like for F29:
>
> -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2
> -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong
> -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1
> -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic
> -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection

I think Huzaifa knows that. 8-)

But I'm wondering to what extent this is not working. Previous guidance
from the Red Hat Platform Tools team was that changing the compiler
defaults was not a good idea. If the data show that changing the
defaults is the only way to achieve decent coverage, then we will need
to reevaluate what we are doing.

However, starting out with -D_FORTIFY_SOURCE=2 (and not things like PIE
or -fstack-clash-protection) seems odd in any case because that's one of
the most difficult changes.
Thanks,
Florian
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
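The coverage question Florian raises (whether packages actually build with the %optflags hardening) is something a packager can check mechanically. The following is an added example, not code from the thread or from Fedora's tooling: it parses a GCC flag string such as the F29 %optflags quoted above and reports which of the discussed protections are in effect, honouring the "last flag wins" rule, so that a package which appends -fno-stack-protector or -O0 to its CFLAGS is flagged. The dataclass, function names and the finding messages are this example's own choices; the flag string is copied from the message. It cannot look inside the -specs= files (on Fedora those are what inject PIE), so the PIE check is opt-in.

```python
# Added example: audit a GCC flag string for the hardening options
# discussed in the thread. Not part of the original message or of Fedora.
import re
from dataclasses import dataclass

# The F29 %optflags exactly as quoted by Tom Hughes in the thread.
FEDORA_29_OPTFLAGS = (
    "-O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 "
    "-Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong "
    "-grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 "
    "-specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic "
    "-fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection"
)


@dataclass
class Hardening:
    """Effective state after scanning a flag string left to right."""
    opt_level: str = "0"            # -O level; _FORTIFY_SOURCE needs -O1 or higher
    fortify: int = 0                # _FORTIFY_SOURCE level, 0 = off
    glibcxx_assertions: bool = False
    stack_protector: str = "none"   # none / basic / strong / all
    format_security: str = "off"    # off / warn / error
    stack_clash: bool = False
    cf_protection: str = "none"     # none / branch / return / full
    pie: bool = False               # only visible if -fPIE is in the string itself


def parse_flags(flags: str) -> Hardening:
    h = Hardening()
    for tok in flags.split():
        if tok.startswith("-Wp,"):          # -Wp,X hands X to the preprocessor
            tok = tok[4:]
        m = re.fullmatch(r"-O([0-3sgz]?|fast)", tok)
        if m:
            h.opt_level = m.group(1) or "1"  # bare -O means -O1
        elif tok.startswith("-D_FORTIFY_SOURCE"):
            h.fortify = int(tok.partition("=")[2] or 1)
        elif tok == "-U_FORTIFY_SOURCE":
            h.fortify = 0
        elif tok == "-D_GLIBCXX_ASSERTIONS":
            h.glibcxx_assertions = True
        elif tok == "-fstack-protector":
            h.stack_protector = "basic"
        elif tok == "-fstack-protector-strong":
            h.stack_protector = "strong"
        elif tok == "-fstack-protector-all":
            h.stack_protector = "all"
        elif tok == "-fno-stack-protector":
            h.stack_protector = "none"
        elif tok == "-Werror=format-security":
            h.format_security = "error"
        elif tok == "-Wno-error=format-security":
            h.format_security = "warn"
        elif tok == "-Wformat-security" and h.format_security == "off":
            h.format_security = "warn"
        elif tok == "-Wno-format-security":
            h.format_security = "off"
        elif tok == "-fstack-clash-protection":
            h.stack_clash = True
        elif tok == "-fno-stack-clash-protection":
            h.stack_clash = False
        elif tok.startswith("-fcf-protection"):
            h.cf_protection = tok.partition("=")[2] or "full"
        elif tok in ("-fPIE", "-fpie"):
            h.pie = True
        elif tok in ("-fno-PIE", "-fno-pie"):
            h.pie = False
    return h


def audit(flags: str, require_pie: bool = False) -> list:
    """Return a list of findings; an empty list means the string matches F29 policy."""
    h = parse_flags(flags)
    findings = []
    if h.fortify < 2:
        findings.append(f"_FORTIFY_SOURCE is {h.fortify}, expected 2")
    elif h.opt_level == "0":
        findings.append("_FORTIFY_SOURCE=2 set but -O0 makes it a no-op")
    if h.stack_protector not in ("strong", "all"):
        findings.append(f"stack protector is '{h.stack_protector}', expected strong")
    if h.format_security != "error":
        findings.append(f"format-security is '{h.format_security}', expected error")
    if not h.stack_clash:
        findings.append("stack clash protection is off")
    if h.cf_protection == "none":
        findings.append("cf-protection is off")
    if require_pie and not h.pie:
        findings.append("PIE is off")
    return findings


if __name__ == "__main__":
    # Constructed case: a package that appends its own flags after %optflags.
    for name, flags in [("F29 optflags", FEDORA_29_OPTFLAGS),
                        ("package override", FEDORA_29_OPTFLAGS + " -fno-stack-protector -O0")]:
        print(name, "->", audit(flags) or "OK")
```

The point the override case makes is the one behind Florian's "to what extent this is not working": a build can carry the full %optflags string and still lose _FORTIFY_SOURCE and the stack protector to a single trailing flag, and only the compiled object (for example via -grecord-gcc-switches or annobin notes) or an audit like this one reveals it.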