Re: F31 System-Wide Change proposal: Enable Compiler Security hardening flags by default in G

On 3/13/19 5:30 PM, Daniel P. Berrangé wrote:
> On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote:
>> https://fedoraproject.org/wiki/Changes/HardenedCompiler
>>
>> == Summary ==
>> By Default enable a few security hardening flags which are used with GCC.
>>
>> == Owner ==
>> * Name: [[User:huzaifas|Huzaifa Sidhpurwala]]
>> * Email: huzaifas@xxxxxxxxxx
>> * Release notes owner: huzaifas@xxxxxxxxxx
>>
>>
>> == Detailed Description ==
>> Currently GCC does not enable any security hardening flags by default.
>> They have to be explicitly enabled by the developers one-by-one.
>> Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however
>> enables them and therefore has a hardened compiler by default. Each of
>> these options can be explicitly disabled if required by the developer
>> via a GCC command line flag.  I am currently proposing the following
>> flags be enabled by default.
>>
>> '''-Wformat -Wformat-security -fstack-protector-strong
>> --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -O'''
> 
>> | 1 || -Wformat || Check calls to "printf" and "scanf", etc., to make
>> sure that the arguments supplied have types appropriate to the format
>> string specified, and that the conversions specified in the format
>> string make sense. || -Wno-format
>> |-
>> | 2 || -Wformat-security || If -Wformat is specified, also warn about
>> uses of format functions that represent possible security problems.
>> || -Wno-format should disable this as well
> 
> These two are very valuable warnings. If a C application's existing
> build process has not already enabled them by default, I would expect
> they'll trigger a great number of warnings.
> 
> We're not using -Werror in Fedora though, so these will not cause a
> build failure.
> 
> Are we expecting Fedora maintainers to read the build logs & look for
> these new warnings & report them upstream for fixing ? I'm sceptical
> that many maintainers are going to put effort into that kind of thing
> if it isn't blocking their builds.
> 

It's up to the package maintainer to use -Werror to block builds which
show these warnings. I don't think we should enforce this at this point. But
maybe at some time later we could:

1. Do an automated scan of build logs to figure out which packages show
these warnings and figure out how to handle them.

2. For critical packages like network daemons etc, we could actively
block packages which show these warnings.


Overall, as I mentioned before, I would like to start somewhere :)

-- 
Huzaifa Sidhpurwala / Red Hat Product Security Team
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
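The two warnings the thread discusses, shown on code, as an added example that is not part of this thread or of the Fedora change proposal: a small logging helper in the form GCC reports under -Wformat -Wformat-security, next to the hardened form. The function names and the sample input are the example's own. The pragma around the unsafe call pins that one diagnostic at warning level so the file still builds where the compiler is already configured with -Werror=format-security; it is there so the warning stays visible without stopping the build, not as a recommendation.

```c
/* Build with the flags from the proposal to see the diagnostic:
 *   gcc -Wformat -Wformat-security -c format_demo.c
 * Expected output for the unsafe function:
 *   warning: format not a string literal and no format arguments [-Wformat-security]
 */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 128

/* Vulnerable form: caller-supplied text becomes the format string.
 * Every '%' conversion in msg is honoured: "%x" reads a vararg that was
 * never passed, "%n" writes through one. Both are undefined behaviour
 * and are the classic format-string bug -Wformat-security exists to flag. */
#pragma GCC diagnostic push
#pragma GCC diagnostic warning "-Wformat-security"
static int format_line_unsafe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, msg);          /* -Wformat-security fires here */
}
#pragma GCC diagnostic pop

/* Hardened form: the format is a literal and msg is a plain %s argument,
 * so '%' characters in msg are copied, never interpreted. -Wformat also
 * checks that the "%s" conversion matches the const char * argument. */
static int format_line_safe(char *out, size_t n, const char *msg)
{
    return snprintf(out, n, "%s", msg);
}

/* Helpers that return the rendered text so the difference is observable.
 * The demo input only uses "%%": it is the one conversion that consumes no
 * argument, so exercising the unsafe path stays defined behaviour. */
const char *render_unsafe(const char *msg)
{
    static char buf[LINE_MAX_LEN];
    format_line_unsafe(buf, sizeof buf, msg);
    return buf;
}

const char *render_safe(const char *msg)
{
    static char buf[LINE_MAX_LEN];
    format_line_safe(buf, sizeof buf, msg);
    return buf;
}

/* 1 when the two paths disagree, i.e. msg was interpreted as a format. */
int input_was_interpreted(const char *msg)
{
    return strcmp(render_unsafe(msg), render_safe(msg)) != 0;
}

int main(void)
{
    /* Constructed sample input, stands in for data read from a user. */
    const char *user = "progress 100%% done";
    printf("unsafe: %s\n", render_unsafe(user));   /* progress 100% done  */
    printf("safe:   %s\n", render_safe(user));     /* progress 100%% done */
    return 0;
}
```

The warning is purely a build-time signal: the unsafe variant compiles and runs, and with this input it merely drops a character. With input containing "%x" or "%n" the same line reads or writes memory it was never given, which is why a maintainer scanning build logs for the `[-Wformat-security]` tag can treat each hit as a real bug to fix upstream rather than noise.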



