On Mon, Mar 11, 2019 at 01:56:14PM -0400, Ben Cotton wrote:
https://fedoraproject.org/wiki/Changes/HardenedCompiler
== Summary ==
By default enable a few security hardening flags which are used with GCC.
== Owner ==
* Name: [[User:huzaifas|Huzaifa Sidhpurwala]]
* Email: huzaifas(a)redhat.com
* Release notes owner: huzaifas(a)redhat.com
== Detailed Description ==
Currently GCC does not enable any security hardening flags by default.
They have to be explicitly enabled by the developers one-by-one.
Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however
enables them and therefore has a hardened compiler by default. Each of
these options can be explicitly disabled if required by the developer
via a GCC command line flag. I am currently proposing the following
flags be enabled by default.
'''-Wformat -Wformat-security -fstack-protector-strong
--param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2 -O'''
| # || Flag || Description || Disabled by
|-
| 1 || -Wformat || Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. || -Wno-format
|-
| 2 || -Wformat-security || If -Wformat is specified, also warn about uses of format functions that represent possible security problems. || -Wno-format should disable this as well
These two are very valuable warnings. If a C application's existing
build process has not already enabled them by default, I would expect
they'll trigger a great number of warnings.
We're not using -Werror in Fedora though, so these will not cause a
build failure.
Are we expecting Fedora maintainers to read the build logs & look for
these new warnings & report them upstream for fixing? I'm sceptical
that many maintainers are going to put effort into that kind of thing
if it isn't blocking their builds.
IOW what is the real benefit of enabling them? Emitting more warnings
doesn't make Fedora more secure as the change claims. To be more secure
would require using -Werror=format-security which would be a harder sell
as a default policy for Fedora.
Regards,
Daniel
--
|: https://berrange.com      -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org         -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org    -o-    https://www.instagram.com/dberrange :|
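The construct that -Wformat-security reports, and that -Werror=format-security would turn into a build failure, is a format function called with a non-literal format string and no further arguments. The following is an added example written for this page, not code from the Fedora proposal or from the mail above. It places the flagged pattern (snprintf with untrusted text as the format) beside the fixed form ("%s" with the text as an argument) and, on a constructed input, shows that the unsafe call interprets the text as a format. The input uses only "%%", the one directive that consumes no argument, so the unsafe call stays well-defined here; real attacker input would use "%x" or "%n" and read or write through missing varargs. The helper names and buffer size are the example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example; not code from the Fedora change or the reply above.
 * Both helpers format an untrusted string into a fixed buffer. Only the
 * first passes that string as the format argument itself, which is what
 * gcc -Wformat-security reports as "format not a string literal and no
 * format arguments"; with -Werror=format-security the line is an error. */

#define OUT_LEN 64  /* arbitrary buffer size chosen for this example */

/* Unsafe: the caller-controlled string becomes the format string, so any
 * conversion directive in it ("%x", "%n", ...) is interpreted. */
int format_unsafe(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, untrusted);
}

/* Safe: a literal format string; the untrusted text is only a %s argument. */
int format_safe(char *out, size_t out_len, const char *untrusted)
{
    return snprintf(out, out_len, "%s", untrusted);
}

/* Runs both helpers on the same input and reports whether their outputs
 * differ, i.e. whether the unsafe call interpreted the text as a format.
 * Only call this with input whose directives consume no arguments ("%%"),
 * otherwise the unsafe call reads varargs that were never passed.
 * Returns 1 if the outputs differ, 0 if they agree. */
int untrusted_text_was_interpreted(const char *untrusted)
{
    char a[OUT_LEN], b[OUT_LEN];
    format_unsafe(a, sizeof a, untrusted);
    format_safe(b, sizeof b, untrusted);
    return strcmp(a, b) != 0;
}

int main(void)
{
    /* Constructed input: "%%" is a valid directive that takes no argument. */
    const char *input = "progress: 100%% (constructed input)";
    char out[OUT_LEN];

    format_unsafe(out, sizeof out, input);
    printf("unsafe: %s\n", out);   /* "%%" collapsed to a single "%" */
    format_safe(out, sizeof out, input);
    printf("safe:   %s\n", out);   /* text copied verbatim */
    printf("interpreted: %d\n", untrusted_text_was_interpreted(input));
    return 0;
}
```

Compiling this file with `gcc -Wformat -Wformat-security` warns on the `snprintf` inside `format_unsafe` and nothing else; adding `-Werror=format-security` makes that same line fail the build, which is the distinction the reply draws between emitting warnings and enforcing them.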