From Fedora Project Wiki
mNo edit summary
(Change rejected by FESCo)
 
(10 intermediate revisions by 2 users not shown)
Line 50: Line 50:
== Detailed Description ==
== Detailed Description ==
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
<!-- Expand on the summary, if appropriate.  A couple sentences suffices to explain the goal, but the more details you can provide the better. -->
Currently GCC does not enable any security hardening flags by default. They have to be explicitly enabled by the developers one-by-one. [[https://wiki.ubuntu.com/ToolChain/CompilerFlags||Ubuntu]] however enables them and therefore has a hardened compiler by default. Each of these options can be explicitly disabled if required by the developer via a GCC command line flag.  I am currently proposing the following flags be enabled by default.
Currently GCC does not enable any security hardening flags by default. They have to be explicitly enabled by the developers one-by-one. Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however enables them and therefore has a hardened compiler by default. Each of these options can be explicitly disabled if required by the developer via a GCC command line flag.  I am currently proposing the following flags be enabled by default.
 
'''-Wformat -Wformat-security -fstack-protector-strong  -D_FORTIFY_SOURCE=2 -O'''''
 
{| class="wikitable"
|-
! No !! Flag !! Use !! How to disable 
|-
| 1 || -Wformat || Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the  format string make sense. || -Wno-format
|-
| 2 || -Wformat-security || If -Wformat is specified, also warn about uses of format functions that represent possible security problems.  || -Wno-format should disable this as well
|-
| 3 || -fstack-protector-strong || Like -fstack-protector but includes additional functions to be protected --- those that have local array definitions, or have references to local frame addresses.
|| -fno-stack-protector
|}


'''-Wformat -Wformat-security -fstack-protector-strong --param=ssp-buffer-size=4 -D_FORTIFY_SOURCE=2'''''


== Benefit to Fedora ==
== Benefit to Fedora ==
Line 60: Line 73:
== Scope ==
== Scope ==
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the developers have to accomplish to complete the change in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
* Proposal owners: Patch gcc to enable these options by default. Patch should be very simple, since the compile/link code isnt actually touched.
* Proposal owners: Patch gcc to enable these options by default. Patch should be very simple, since the compile/link code isnt actually touched. Also glibc needs to be patched "because of pesky warning it prints without optimization."
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do the feature owners have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
* Other developers: Developers need to ensure that Fedora package is built and if any build failures they are corrected<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Other developers: Developers need to ensure that Fedora package is built and if any build failures they are corrected<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->
<!-- What work do other developers have to accomplish to complete the feature in time for release?  Is it a large change affecting many parts of the distribution or is it a very isolated change? What are those changes?-->


* Release engineering:   <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Release engineering: [https://pagure.io/releng/issue/8204 #8204]
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  -->
<!-- Does this feature require coordination with release engineering (e.g. changes to installer image generation or update package delivery)?  Is a mass rebuid required?  If a rel-eng ticket exists, add a link here.  -->


Line 79: Line 92:
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
<!-- What happens to systems that have had a previous versions of Fedora installed and are updated to the version containing this change? Will anything require manual configuration or data migration? Will any existing functionality be no longer supported? -->
None
None
Some packaging changes required, see:


== How To Test ==
== How To Test ==
Line 97: Line 107:
3. What are the expected results of those actions?
3. What are the expected results of those actions?
-->
-->
Run "gcc -Q --help=target" to check if these flags are enabled by default
Run "gcc -Q -v <foo.c>" to check if these flags are enabled by default


== User Experience ==
== User Experience ==
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- If this change proposal is noticeable by its target audience, how will their experiences change as a result?  Describe what they will see or notice. -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
None
Fedora is more secure because the entire distribution is compiled with the correct security technologies enabled. Developers dont have to worry about enabling the right flags when they compile their application in Fedora because the compiler has them enabled by default.


== Dependencies ==
== Dependencies ==
Line 114: Line 124:


<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
<!-- When is the last time the contingency mechanism can be put in place?  This will typically be the beta freeze. -->
* Contingency deadline: <!-- REQUIRED FOR SYSTEM WIDE CHANGES -->
* Contingency deadline: Beta Feeze<!-- REQUIRED FOR SYSTEM WIDE CHANGES -->


<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
<!-- Does finishing this feature block the release, or can we ship with the feature in incomplete state? -->
Line 134: Line 144:




[[Category:ChangePageIncomplete]]
[[Category:ChangeRejected]]
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- When your change proposal page is completed and ready for review and announcement -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- remove Category:ChangePageIncomplete and change it to Category:ChangeReadyForWrangler -->
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangePageIncomplete (no action required) -->  
<!-- The Wrangler announces the Change to the devel-announce list and changes the category to Category:ChangePageIncomplete (no action required) -->  
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangePageIncomplete-->
<!-- After review, the Wrangler will move your page to Category:ChangeReadyForFesco... if it still needs more work it will move back to Category:ChangeReadyForWrangler-->


<!-- Select proper category, default is Self Contained Change -->
<!-- Select proper category, default is Self Contained Change -->

Latest revision as of 20:06, 25 March 2019


Enable Compiler Security hardening flags by default in GCC

Summary

By Default enable a few security hardening flags which are used with GCC.

Owner

Current status

  • Targeted release: Fedora 31
  • Last updated: 2019-03-25

Detailed Description

Currently GCC does not enable any security hardening flags by default. They have to be explicitly enabled by the developers one-by-one. Ubuntu (https://wiki.ubuntu.com/ToolChain/CompilerFlags) however enables them and therefore has a hardened compiler by default. Each of these options can be explicitly disabled if required by the developer via a GCC command line flag. I am currently proposing the following flags be enabled by default.

-Wformat -Wformat-security -fstack-protector-strong -D_FORTIFY_SOURCE=2 -O

No Flag Use How to disable
1 -Wformat Check calls to "printf" and "scanf", etc., to make sure that the arguments supplied have types appropriate to the format string specified, and that the conversions specified in the format string make sense. -Wno-format
2 -Wformat-security If -Wformat is specified, also warn about uses of format functions that represent possible security problems. -Wno-format should disable this as well
3 -fstack-protector-strong Like -fstack-protector but includes additional functions to be protected --- those that have local array definitions, or have references to local frame addresses. -fno-stack-protector


Benefit to Fedora

We provide better security both for our packages and for applications/programs which users are building.

Scope

  • Proposal owners: Patch gcc to enable these options by default. Patch should be very simple, since the compile/link code isnt actually touched. Also glibc needs to be patched "because of pesky warning it prints without optimization."
  • Other developers: Developers need to ensure that Fedora package is built and if any build failures they are corrected
  • Release engineering: #8204
  • Policies and guidelines: The policies and guidelines do not need to be updated.
  • Trademark approval: Not needed for this change

Upgrade/compatibility impact

None

How To Test

Run "gcc -Q -v <foo.c>" to check if these flags are enabled by default

User Experience

Fedora is more secure because the entire distribution is compiled with the correct security technologies enabled. Developers dont have to worry about enabling the right flags when they compile their application in Fedora because the compiler has them enabled by default.

Dependencies

All packages will be rebuild with new GCC options.

Contingency Plan

  • Contingency mechanism: Roll back the GCC options and use the default ones.
  • Contingency deadline: Beta Feeze
  • Blocks release? No

Documentation

Release Notes

  • Release Notes tracking: <will be assigned by the Wrangler>