Add security hardening for 4.0.1? (was: Introducing security hardening features for Lenny)

Armin Berres trigger at space-based.de
Tue Jan 29 22:04:22 UTC 2008


Hi!

I guess you have all seen the mail on -announce.
What do you think about trying to add some of these features for 4.0.1?
We recompile everything anyway and can immediately see if something
fails.
IMO at least the following flags make sense:

On Tue, 29 Jan 08 22:16, Moritz Muehlenhoff wrote:
> Stack protector
> ===============
> To enable, make sure that "-fstack-protector" ends up in the compiler flags.

> Format warnings
> ===============
> This feature adds a higher level of warning reporting for functions using
> format strings.  To enable, add "-Wformat" and "-Wformat-security" flags,
> and pay attention to compile-time warnings.

> relro
> =====
> This is enabled via "-Wl,zrelro".

No idea about this:

> Position Independent Executables
> ================================
> 
> Currently, modern kernels randomize the location of mmap and stack
> allocation, but the text segment (and subsequent brk memory) is always
> in the same place.  In kernels that support text ASLR, programs compiled
> for PIE will gain full position randomization.  This has some known
> problems on our more exotic archs, specifically hppa and m68k. These
> tool chains should be patched, so that enabling PIE is a NOP instead of
> forcing every maintainer to jump through hoops.
> 
> The flag -fPIE is very similar to -fPIC, but it applies to objects linked to
> form the final executable binary.  PIE is enabled by passing "-fPIE" to all
> object builds, and passing "-pie" to the final link.

Greetings,
Armin
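
Added example, not part of the original mail or of any Debian tooling: after a rebuild, a package's binaries can be checked for evidence that the PIE, relro and stack-protector options discussed above took effect. The function names `check_hardening` and `build_sample` are hypothetical, the sample ELF images are constructed, and the PIE and stack-protector tests are heuristics; the format warnings exist only at compile time and leave nothing in the binary to inspect.

```python
import struct
import sys

ET_DYN, PT_INTERP, PT_GNU_RELRO = 3, 3, 0x6474E552

def check_hardening(data: bytes) -> dict:
    """Report PIE, relro and stack-protector evidence for one ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                   # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"    # EI_DATA: 1 = little endian
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum (the header starts after 16 ident bytes)
    fmt = end + ("HHIQQQIHHH" if is64 else "HHIIIIIHHH")
    hdr = struct.unpack_from(fmt, data, 16)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[0], hdr[4], hdr[8], hdr[9]
    # p_type is the first 32-bit word of a program header in both classes.
    p_types = {struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)}
    return {
        # Heuristic: a PIE is an ET_DYN object that also requests an interpreter.
        "pie": e_type == ET_DYN and PT_INTERP in p_types,
        # The linker emits a PT_GNU_RELRO segment when relro is enabled.
        "relro": PT_GNU_RELRO in p_types,
        # Heuristic: protected code references __stack_chk_fail by name.
        "stack_protector": b"__stack_chk_fail" in data,
    }

def build_sample(e_type, p_types, payload=b""):
    """Constructed 64-bit little-endian ELF image (headers only) for the demo."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(p_types), 0, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, 0, 0, 0, 0, 0, 0, 0)
                     for t in p_types)
    return ident + ehdr + phdrs + payload

if __name__ == "__main__":
    if len(sys.argv) > 1:                 # check real binaries given as arguments
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, check_hardening(fh.read()))
    else:                                 # otherwise run on the constructed samples
        print(check_hardening(build_sample(3, [3, 1, PT_GNU_RELRO],
                                           b"\0__stack_chk_fail\0")))
        print(check_hardening(build_sample(2, [3, 1])))
```

A statically linked or stripped binary may not carry the `__stack_chk_fail` name, so a negative stack-protector result there needs a second look.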


