Re: hardening
From: ng0
Subject: Re: hardening
Date: Thu, 22 Mar 2018 13:16:31 +0000
Let's keep this thread as the thread to discuss possible solutions and work
in that field.
Yesterday Marius wrote on IRC
(https://gnunet.org/bot/log/guix/2018-03-21#T1657250):
  <mbakke> This is a pretty good article about build flags
  (mainly hardening related):
  https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-...
  <mbakke> It would be great to have a "#:hardening?"
  option with additional provisions for specific flags.
The link in full:
https://developers.redhat.com/blog/2018/03/21/compiler-and-linker-flags-gcc/
Nix has a functionality to disable hardening:
https://github.com/NixOS/nixpkgs/search?utf8=%E2%9C%93&q=harden&type=
for example visible here:
https://github.com/NixOS/nixpkgs/commit/f5b04628f00e98e4c757466ab6be2c125d89feeb
I have some more notes on Gentoo I'll add next month.
Food for thought:
If we go all in, we might have to recompile the bootstrap binaries.
The keyword #:hardening-flags is a good entry for manually fixing packages up to
the point where they work with hardened flags. The caveat is that not everything
will work well, or even at all, with hardened flags and toolchain.
So we are presented with 2 options:

1) Selectively harden what is possible through the keyword mentioned above,
   or
2) harden by default and switch off flags through something like
   #:hardening-exclude, which would default to the empty list and otherwise
   would remove the elements in its list from the list of flags.
Further thoughts:
#:hardened? could be a simple check so that package graphs which are not
hardened are possible. We would default to #t; off would be #f, obviously.
My work in progress so far is to work this into the gnu-build-system, which
seemed like a good starting point.
I'm in favor of option 2 coupled with the keyword to disable hardening
altogether.
WDYT?
--
A88C8ADD129828D7EAC02E52E22F9BBFEE348588
https://n0.is
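The following is an added sketch, not code from this thread or from Guix itself, of how option 2 above could compute the flags a build system hands to the compiler and linker. The keyword names #:hardened? and #:hardening-exclude are the ones proposed in the mail; the procedure names, the split into compile and link flags, and the concrete default flag set (taken from the commonly recommended GCC/ld hardening options, not from the thread) are all assumptions.

```scheme
;; Added example (not from the thread or from Guix): default-on hardening
;; with an exclude list, as described by option 2 in the mail.
(use-modules (srfi srfi-1))

;; Assumed default flag set.  Compile-time and link-time flags are kept
;; apart so that each list can be handed to CFLAGS/LDFLAGS as-is.
(define %default-hardening-cflags
  '("-D_FORTIFY_SOURCE=2"
    "-fstack-protector-strong"
    "-fPIE"))

(define %default-hardening-ldflags
  '("-pie"
    "-Wl,-z,relro"
    "-Wl,-z,now"))

(define* (hardening-flags #:key (hardened? #t) (hardening-exclude '()))
  "Return two values, the compile flags and the link flags to use.
With HARDENED? set to #f both lists are empty.  Otherwise the defaults
are returned minus any element listed in HARDENING-EXCLUDE.  Entries in
HARDENING-EXCLUDE that match no default flag are reported on stderr, so
that a typo does not silently leave a flag switched on."
  (if (not hardened?)
      (values '() '())
      (let* ((all-defaults (append %default-hardening-cflags
                                   %default-hardening-ldflags))
             (unknown (lset-difference string=? hardening-exclude all-defaults)))
        (unless (null? unknown)
          (format (current-error-port)
                  "warning: #:hardening-exclude lists unknown flags: ~a~%"
                  unknown))
        (values (lset-difference string=? %default-hardening-cflags
                                 hardening-exclude)
                (lset-difference string=? %default-hardening-ldflags
                                 hardening-exclude)))))

(define (hardening-make-flags cflags ldflags)
  "Turn the two flag lists into the make variable assignments a build
phase could append to #:make-flags (hypothetical helper)."
  (list (string-append "CFLAGS=" (string-join cflags " "))
        (string-append "LDFLAGS=" (string-join ldflags " "))))

;; Usage: the package default, a package that cannot be built as PIE, and
;; a package that opts out of hardening entirely.
(call-with-values
    (lambda () (hardening-flags))
  (lambda (c l) (display (hardening-make-flags c l)) (newline)))

(call-with-values
    (lambda () (hardening-flags #:hardening-exclude '("-fPIE" "-pie")))
  (lambda (c l) (display (hardening-make-flags c l)) (newline)))

(call-with-values
    (lambda () (hardening-flags #:hardened? #f))
  (lambda (c l) (display (hardening-make-flags c l)) (newline)))
```

Run with `guile -s hardening.scm`. The point of the unknown-flag warning is the failure mode the mail alludes to: with a default-on scheme, the only way a package ends up unhardened is an explicit exclude, so an exclude entry that matches nothing should be visible rather than ignored.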