On Mon, Jan 05, 2015 at 10:27:45AM +0100, Tomáš Chvátal wrote:
> On Mon, 5 January 2015 10:10:04, Marcus Meissner wrote:
> I omitted quoting to shorten my response :)
> Overall the idea of hardening is great.
> There really is no real impact on platforms other than i586.
> I would actually be glad if we did more nifty stuff taken from Gentoo hardening.

Of these, we have been doing the following for a lot of years now:

- Default addition of the Stack Smashing Protector (SSP): -fstack-protector is in $RPM_OPT_FLAGS since SLES 10 and SUSE Linux 10.0, and -D_FORTIFY_SOURCE=2 is in $RPM_OPT_FLAGS since SLES 10 and SUSE Linux 10.0.
- Default to marking read-only the sections that can be so marked after the loader is finished (RELRO): enabled in binutils directly since SUSE Linux 10.1 and SLES 10.

Missing:

- Default full binding at load-time (BIND_NOW): it was not fully understood how this operates with dlopen and also with LD_PRELOADed overrides. See the caveats in the Gentoo page too; it might have negative drawbacks.
- Automatic generation of Position Independent Executables (PIEs): this project just started.

> Overall the approach should be that all of this is included directly in our compiler, with some opt-out CFLAGS/LDFLAGS switch but on by default; it is better than having to edit a bazillion spec files one by one.

I am tracking this in bug https://bugzilla.suse.com/show_bug.cgi?id=912298 now. Richi found a Gentoo patch submitted for GCC 5.0 inclusion which enables PIE by default. He seems kind of reluctant to have a SUSE-specific patch.

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
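The properties discussed in this thread (SSP, FORTIFY_SOURCE, RELRO, BIND_NOW, PIE) are all visible in the finished ELF binary, so a packager can audit what a build actually produced rather than trusting $RPM_OPT_FLAGS. The checker below is an added example, not code from the thread or from openSUSE's tooling; it parses little-endian ELF64 headers directly (no readelf dependency) and looks for PT_GNU_RELRO, the DT_BIND_NOW/DF_BIND_NOW/DF_1_NOW dynamic flags, ET_DYN for PIE, and the glibc symbol names __stack_chk_fail and *_chk that SSP and FORTIFY_SOURCE pull in. The build_sample_elf64 helper constructs a synthetic ELF image (no real code, constructed only to exercise the checks) so the script runs offline; the name-based SSP/FORTIFY checks are heuristics, and ET_DYN alone cannot tell a PIE from a shared library unless the linker set DF_1_PIE.

```python
import re
import struct
import sys

# ELF constants (values from the System V ABI / glibc elf.h)
ET_EXEC, ET_DYN = 2, 3                 # ET_DYN is used for PIEs and shared objects
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552   # RELRO: segment re-protected read-only after relocation
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8                      # bit in DT_FLAGS
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000   # bits in DT_FLAGS_1


def _read_dynamic(data, off, size):
    """Return {tag: [values]} for the dynamic section at file offset off (up to DT_NULL)."""
    tags = {}
    end = min(len(data), off + size)
    while off + 16 <= end:
        tag, val = struct.unpack_from("<qQ", data, off)
        if tag == DT_NULL:
            break
        tags.setdefault(tag, []).append(val)
        off += 16
    return tags


def analyze_elf64(data: bytes) -> dict:
    """Report the hardening properties of a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    dynamic = None
    has_relro_segment = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, e_phoff + i * e_phentsize)
        if p_type == PT_DYNAMIC:
            dynamic = (p_offset, p_filesz)
        elif p_type == PT_GNU_RELRO:
            has_relro_segment = True

    tags = _read_dynamic(data, *dynamic) if dynamic else {}
    bind_now = (DT_BIND_NOW in tags
                or any(v & DF_BIND_NOW for v in tags.get(DT_FLAGS, []))
                or any(v & DF_1_NOW for v in tags.get(DT_FLAGS_1, [])))
    # Partial RELRO protects only what is relocated at load time; with BIND_NOW the
    # GOT is fully resolved before re-protection, which is what "full RELRO" means.
    relro = ("full" if bind_now else "partial") if has_relro_segment else "none"
    return {
        # ET_DYN with a dynamic section: a PIE, or a shared library if DF_1_PIE is absent
        "pie": e_type == ET_DYN and dynamic is not None,
        "relro": relro,
        "bind_now": bind_now,
        # heuristics: SSP references __stack_chk_fail, FORTIFY_SOURCE the *_chk variants
        "stack_protector": b"__stack_chk_fail\0" in data,
        "fortify_source": re.search(rb"__[a-z0-9_]+_chk\0", data) is not None,
    }


def build_sample_elf64(*, pie=True, relro=True, bind_now=True, ssp=True, fortify=True) -> bytes:
    """Constructed minimal ELF64 image (header, program headers, dynamic section, strings)."""
    entries = []
    if bind_now:
        entries += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW | (DF_1_PIE if pie else 0))]
    entries.append((DT_NULL, 0))
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in entries)
    strtab = (b"\0" + (b"__stack_chk_fail\0" if ssp else b"")
              + (b"__memcpy_chk\0" if fortify else b""))

    phdr_types = [PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    phoff, phentsize = 64, 56
    dyn_off = phoff + phentsize * len(phdr_types)
    phdrs = b"".join(
        struct.pack("<IIQQQQQQ", t, 6, dyn_off, 0x1000 + dyn_off, 0x1000 + dyn_off,
                    len(dyn), len(dyn), 8)
        for t in phdr_types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1, 0,
                                 phoff, 0, 0, 64, phentsize, len(phdr_types), 64, 0, 0)
    return header + phdrs + dyn + strtab


if __name__ == "__main__":
    # Usage: python hardening_check.py /path/to/binary ...  (no args: analyze the sample)
    paths = sys.argv[1:]
    if not paths:
        print("sample:", analyze_elf64(build_sample_elf64()))
    for path in paths:
        with open(path, "rb") as f:
            print(path, analyze_elf64(f.read()))
```

Run it against a freshly built package's binaries to confirm that the flags the spec file requested actually reached the linker; a "partial" RELRO result with bind_now False is exactly the state the thread describes as the current default, and a True pie on a file that is really a shared library is the ET_DYN ambiguity noted above.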