On 09/07/2013 01:25 PM, Ryan Hill wrote:
> On Thu, 05 Sep 2013 12:13:28 +0200
> Agostino Sarubbo <a...@gentoo.org> wrote:
>
>> Hello,
>>
>> during an irc debate, me and other people just noticed that the default
>> profile could use more flags to enhance the security.
>>
>> A hint is here:
>> https://wiki.ubuntu.com/ToolChain/CompilerFlags
>>
>> Please argue about what we _don't_ use.
>>
>> Note: please CC me in your response.
>
> * -fstack-protector{-all}
> No thank you. -fstack-protector has very limited coverage (which is why
> Ubuntu felt they needed to mess with the min size) and -fstack-protector-all
> has enough overhead that every distro that experimented with it dropped it in
> the end. If security is important enough to you that you are willing to take
> the hit then you should be using hardened where it's the default.
>
> There is a new option, -fstack-protector-strong, that's intended to be a
> balance between the two extremes and something that distros can enable by
> default. It was just added to mainline so it should be in GCC 4.9. So let's
> revisit this a couple years down the line.
>
> * -D_FORTIFY_SOURCE=2
> Enabled by default since gcc-4.5.0 (patch)
>
> * -Wformat -Wformat-security
> Enabled by default since gcc 4.3.3 (patch)
>
> * -Wl,-z,relro
> Enabled by default since binutils 2.18 (and as far back as 2.15 for the HJL
> releases). (patch)
>
> * -Wl,--hash-style={both,gnu}
> Enabled by default since binutils 2.18 except on mips where it is unsupported.
> (patch sets it to "both", developer profiles set it to "gnu" for ignored
> LDFLAGs detection)
>
> * -Wl,--no-copy-dt-needed-entries/-Wl,--no-add-needed
> Enabled by default since binutils 2.22. (upstream default)
>
> * -Wl,--as-needed
> Enabled by default since July 2010 (in profiles). I think this is the
> upstream default now as well.
>
> In addition to these we also enable -Wtrampolines and warn on DT_TEXTRELs.

Thank you so much for spelling it out for us. I don't even know where to begin looking for how some of this stuff is enabled so you telling us what is enabled makes a huge difference.
I'm semi-familiar with -fstack-protector-strong and I look forward to revisiting that at a later date (and I'd love to help do the testing so hold me to it if you like).

Thanks,
Zero
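As an added example (not part of the thread or of Gentoo's tooling), one way to see which of the flags listed above actually took effect in a built binary is to read the ELF artifacts they leave behind. The `audit` and `audit_file` names and the sample `readelf` output are constructed for illustration; `--as-needed` and `--no-copy-dt-needed-entries` only change which libraries get linked, so they are not checked here.

```python
import re
import subprocess

# Constructed sample: abridged `readelf -lW -dW --dyn-syms` output for a made-up binary.
SAMPLE = """\
Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1

Dynamic section at offset 0x2dc8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffef5 (GNU_HASH)           0x3a0
 0x0000000000000016 (TEXTREL)            0x0

Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (3)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (4)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)
"""

def audit(text):
    """Map readelf output to the hardening features named in the thread."""
    tags = set(re.findall(r"^\s*0x[0-9a-f]+ \((\w+)\)", text, re.M))   # dynamic tags
    segs = set(re.findall(r"^\s+([A-Z_]+)\s+0x[0-9a-f]+ 0x", text, re.M))  # segments
    undef = set(re.findall(r"\sUND (\w+)", text))                      # imported symbols
    return {
        "relro": "GNU_RELRO" in segs,                 # -Wl,-z,relro
        "gnu_hash": "GNU_HASH" in tags,               # --hash-style=gnu or both
        "sysv_hash": "HASH" in tags,                  # --hash-style=sysv or both
        # DT_TEXTREL tag, or the TEXTREL bit in DT_FLAGS
        "textrel": "TEXTREL" in tags or bool(re.search(r"\(FLAGS\).*TEXTREL", text)),
        # Absence is not proof: the import only appears if some function got a canary.
        "stack_protector": "__stack_chk_fail" in undef,
        # _FORTIFY_SOURCE rewrites eligible libc calls to __*_chk variants.
        "fortified_calls": sorted(s for s in undef if re.fullmatch(r"__\w+_chk", s)),
    }

def audit_file(path):
    """Run readelf (binutils) on a real binary and audit its output."""
    out = subprocess.run(["readelf", "-lW", "-dW", "--dyn-syms", path],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)
```

Call `audit(SAMPLE)` to see the result for the constructed input, or `audit_file("/path/to/binary")` on a system with binutils installed.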