Re: Default hardening options

To: nia <nia%NetBSD.org@localhost>
Subject: Re: Default hardening options
From: Thomas Klausner <wiz%NetBSD.org@localhost>
Date: Thu, 5 Aug 2021 01:28:02 +0200

On Wed, Aug 04, 2021 at 03:13:19PM +0000, nia wrote:
> How do we feel about turning up the default hardening options?
> 
> I generally build with PKGSRC_USE_SSP=strong on all my boxes.
> This is harder than NetBSD base, but I've never observed any
> problems or performance impact. Importantly, it protects any
> function that has stack-based arrays from stack-based buffer
> overflows.
> 
> I've noticed no problems caused by PKGSRC_USE_RELRO or
> PKGSRC_MKRERPO in my bulk builds. PKGSRC_USE_RELRO=partial
> would match NetBSD base.
> 
> I believe MKPIE is still a way off, it doesn't work with e.g.
> Haskell, but that should be turned on eventually if we want
> to match NetBSD's hardening options.

I'm building my local package set (~1500) on NetBSD-current/amd64 with

PKGSRC_USE_RELRO=       yes
PKGSRC_USE_SSP=         all
PKGSRC_USE_STACK_CHECK=        yes

for a long time now (2016?), and had no obvious problems except having
to fix some packages that do not honor LDFLAGS (for RELRO).
 Thomas

References:
- Default hardening options
  - From: nia

Prev by Date: Re: devel/libnet wrecks libreoffice build
Next by Date: daily pkgsrc CVS update output
Previous by Thread: Re: Default hardening options
Next by Thread: Re: Default hardening options
Indexes:

Home | Main Index | Thread Index | Old Index