[RFC] gcc/g++ default flags for Habitat builds #587
Comments
|
Thanks @reset. I would have brought this up in the Slack channel but felt it may be worth preserving the conversation in GitHub as it may wind up in broad sweeping change if implemented ... |
|
I'm +1 on improving the default flags used throughout core-plans. core-plans should provide artifacts that balance speed, security, and debug-ability. Some things we may want to consider:
|
The desired for more robust default build flags was raised in habitat-sh#587. The goal of this build is to add a couple of tools to make it easier to start investigating hardening core-plans: - a shell script that can be included in plans to enable compiler- and linker-level security features. - a new bin/check-security-feature.sh script can be used to check that the resulting package actually has the features in the compiled executables. Currently, we include the following flags: - `-fstack-protector-strong` - `-Wl,-z,relro` - `-Wl,-z,now` - `-D_FORTIFY_SOURCE=2 -O2` For details on these flags, see in source comments. * Possible Future Work I've excluded PIE-related flags for now because I've found them hard to set generally via CFLAGS. It may be easier to pursue PIE builds with a gcc built with `--default-enable-pie`. Another often-used set of flags are format-security warning flags. These flags would be useful if and only if we have a plan to maintain patches to fix the warnings or contribute fixes upstream. For information on what other large distributions do: - https://wiki.debian.org/Hardening - https://wiki.gentoo.org/wiki/Project:Hardened - https://fedoraproject.org/wiki/Changes/Harden_All_Packages Signed-off-by: Steven Danna <[email protected]>
The desired for more robust default build flags was raised in habitat-sh#587. The goal of this build is to add a couple of tools to make it easier to start investigating hardening core-plans: - a shell script that can be included in plans to enable compiler- and linker-level security features. - a new bin/check-security-feature.sh script can be used to check that the resulting package actually has the features in the compiled executables. Currently, we include the following flags: - `-fstack-protector-strong` - `-Wl,-z,relro` - `-Wl,-z,now` - `-D_FORTIFY_SOURCE=2 -O2` For details on these flags, see in source comments. * Possible Future Work I've excluded PIE-related flags for now because I've found them hard to set generally via CFLAGS. It may be easier to pursue PIE builds with a gcc built with `--default-enable-pie`. Another often-used set of flags are format-security warning flags. These flags would be useful if and only if we have a plan to maintain patches to fix the warnings or contribute fixes upstream. For information on what other large distributions do: - https://wiki.debian.org/Hardening - https://wiki.gentoo.org/wiki/Project:Hardened - https://fedoraproject.org/wiki/Changes/Harden_All_Packages Signed-off-by: Steven Danna <[email protected]>
eeyun
changed the title
|
I'm definitely +1 on this in concept. But I have some feedback and a request. I think a change like this that (if implemented) touches a significant portion of the packages in core needs to undergo the newly defined RFC process. That process right now is outlined in an actual RFC that's undergoing it's own RFC process (meta, right?). That being said I'd like to get some core plans maintainership feedback on this but I would prefer that this get closed and resubmitted following that process. I know this has been open for quite some time and I'm sorry it's taken so long for us to get any kind of reasonable feedback on it. @pantocrator27 or @stevendanna if you still feel passionately about this change would either of you be willing to spearhead the RFC effort around this? |
|
@eeyun I submitted a PR here to add some tooling into core-plans to make it possible to incrementally add these flags to builds: #881 I'm happy to do an RFC; however, there is an extent to which I think an incremental approach and gathering information might be preferable to setting policy since we have a lot to learn still. |
|
@stevendanna I could totally see that. I'm all for an incremental approach the only challenge is any changes against the default flags with either of these packages are going to touch like 90% of the world. We can adopt incrementally but we might need to talk about what that looks like in implementation/test? All of this to say, I trust you and if you've got ideas about how to do it you've 100% got my support. |
|
👍 for security. Would like to see how many of our plans would be affected by these extra flags and this could be accomplished if we ran your security script against any plans that require |
The desired for more robust default build flags was raised in #587. The goal of this build is to add a couple of tools to make it easier to start investigating hardening core-plans: - a shell script that can be included in plans to enable compiler- and linker-level security features. - a new bin/check-security-feature.sh script can be used to check that the resulting package actually has the features in the compiled executables. Currently, we include the following flags: - `-fstack-protector-strong` - `-Wl,-z,relro` - `-Wl,-z,now` - `-D_FORTIFY_SOURCE=2 -O2` For details on these flags, see in source comments. * Possible Future Work I've excluded PIE-related flags for now because I've found them hard to set generally via CFLAGS. It may be easier to pursue PIE builds with a gcc built with `--default-enable-pie`. Another often-used set of flags are format-security warning flags. These flags would be useful if and only if we have a plan to maintain patches to fix the warnings or contribute fixes upstream. For information on what other large distributions do: - https://wiki.debian.org/Hardening - https://wiki.gentoo.org/wiki/Project:Hardened - https://fedoraproject.org/wiki/Changes/Harden_All_Packages Signed-off-by: Steven Danna <[email protected]>
The desire for more robust default build flags was raised in habitat-sh#587. The goal of this change is to add a couple of tools to make it easier to start investigating hardening core-plans: - a shell script that can be included in plans to enable compiler- and linker-level security features. - a new bin/check-security-feature.sh script can be used to check that the resulting package actually has the features in the compiled executables. Currently, we include the following flags: - `-fstack-protector-strong` - `-Wl,-z,relro` - `-Wl,-z,now` - `-D_FORTIFY_SOURCE=2 -O2` For details on these flags, see the in-source comments. * Possible Future Work I've excluded PIE-related flags for now because I've found them hard to set generally via CFLAGS. It may be easier to pursue PIE builds with a gcc built with `--default-enable-pie`. Another often-used set of flags are format-security warning flags. These flags would be useful if and only if we have a plan to maintain patches to fix the warnings or contribute fixes upstream. For information on what other large distributions do: - https://wiki.debian.org/Hardening - https://wiki.gentoo.org/wiki/Project:Hardened - https://fedoraproject.org/wiki/Changes/Harden_All_Packages Signed-off-by: Steven Danna <[email protected]>
|
I have been doing this for almost a year on my habitat origins(I really didn't like that all the packages are compiled without any optimizations). A few more points(these could probably easily be used and then in
Addressing some of the flags @stevendanna mentioned:
|
|
@lilianmoraru Thanks for all of the awesome info. I made a quick stab at adding some of these flags in #881 but didn't apply it nearly as generally as have.
What kind of failures have you seen here? I haven't hit any but I've only rebuild a handful of simple package.
Yup, I ended up punting on this as well. I think to apply this on a large scale we would have to go the route of some of the distributions and have pretty complicated wrappers to decide on the right gcc flags on a per-invocation basis. |
|
It seems I got some of the flags wrong there(I've revisited them and some work with relro for example). For Habitat core plans I would recommend to avoid I will actually apply later the flags cleaner, without an "out of source" script, so |
Habitat's core plans should provide a reliable base system on which Habitat users can build applications. To meet this goal, core-plans software written in the C programming language should use compiler and linker flags that provide a level of performance and security at least as good as other Linux distributions. Multiple users have attempted to make progress on this issue in the past. For example, - habitat-sh/core-plans#587 - habitat-sh/core-plans#881 and the lack of optimization was recently discussed in the Habitat Slack. NOTE FOR REVIEW: I took a "slow and steady" approach to implementing this on the assumption that this would be mostly an effort that happens outside the core Hab team. I think a faster path is possible. Signed-off-by: Steven Danna <[email protected]>
Habitat's core plans should provide a reliable base system on which Habitat users can build applications. To meet this goal, core-plans software written in the C programming language should use compiler and linker flags that provide a level of performance and security at least as good as other Linux distributions. Multiple users have attempted to make progress on this issue in the past. For example, #587 #881 and the lack of optimization was recently discussed in the Habitat Slack. NOTE FOR REVIEW: I took a "slow and steady" approach to implementing this on the assumption that this would be mostly an effort that happens outside the core Hab team. I think a faster path is possible. Signed-off-by: Steven Danna <[email protected]>
Habitat's core plans should provide a reliable base system on which Habitat users can build applications. To meet this goal, core-plans software written in the C programming language should use compiler and linker flags that provide a level of performance and security at least as good as other Linux distributions. Multiple users have attempted to make progress on this issue in the past. For example, #587 #881 and the lack of optimization was recently discussed in the Habitat Slack. NOTE FOR REVIEW: I took a "slow and steady" approach to implementing this on the assumption that this would be mostly an effort that happens outside the core Hab team. I think a faster path is possible. Signed-off-by: Steven Danna <[email protected]>
I am wondering if any thought has been given to maybe setting default compile flags for gcc/g++. I know one of the use cases for Habitat is increased security and it appears that other package maintainers have these as part of their standard like https://fedoraproject.org/wiki/Changes/Harden_All_Packages.
Just food for thought!
The text was updated successfully, but these errors were encountered: