Compiling browser

Peter Smith peter.smith3882100 at gmail.com
Mon Apr 4 16:21:04 UTC 2011


On 3/25/11, Mike Hommey <mh at glandium.org> wrote:
> On Fri, Mar 25, 2011 at 04:08:28PM +0100, Peter Smith wrote:
>> This is probably the I want to compile Firefox 3.6 on Debian Squeeze
>> and place everything in the /opt directory. I want the compiled
>> browser to have some security modifications. The first thing I have
>> added to mozconfig is the following three lines:
>>
>> export CFLAGS="-D_FORTIFY_SOURCE=2 -fstack-protector-all"
>> export CXXFLAGS="${CFLAGS}"
>> export CPPFLAGS="${CFLAGS}"
>>
>> This makes hardening-check on firefox-bin output the following:
>>
>> Position Independent Executable: no, normal executable!
>> Stack protected: yes
>> Fortify Source functions: yes
>> Read-only relocations: no, not found!
>> Immediate binding: no, not found!
>>
>> I don't know what flags should be passed to gcc for activating
>> "Position Independent Executable", "Read-only relocations" and
>> "Immediate binding" or if it is a good idea at all? Is it enough to
>> activate the options I have to make the browser more secure?
>
> I guess you want to take a look at http://wiki.debian.org/Hardening

After reading the information and adding flags to ld, hardening-check
reports that every option is enabled on firefox-bin. I have tested
this for some time now, and so far I have not noticed any problems at
all.

How come that Iceweasel is not compiled with some of these security
options? I could imagine that for a critical application like a
browser, this could improve security significantly.
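
An added example, not part of the original message and not hardening-check's own code: a shell check that classifies `readelf -h -l -d` output for the three properties reported as "no" above, which correspond to the toolchain options `-fPIE -pie`, `-Wl,-z,relro` and `-Wl,-z,now`. The function names and the two readelf excerpts are constructed for illustration, and the PIE test is a heuristic.

```shell
#!/bin/sh
# Added example. Classifies the text printed by
#   readelf -h -l -d <binary>
# for the three properties hardening-check listed as "no" in the thread.

# has PATTERN TEXT -> exit 0 if the extended regex matches any line of TEXT
has() { printf '%s\n' "$2" | grep -Eq -- "$1"; }

# hardening_summary TEXT -> prints "pie=<yes|no> relro=<yes|no> bindnow=<yes|no>"
hardening_summary() {
    out=$1
    pie=no relro=no bindnow=no
    # PIE (-fPIE -pie): ELF type DYN plus a PHDR program header.
    # Heuristic: a DYN object without PHDR is treated as a plain shared library.
    if has '^[[:space:]]*Type:[[:space:]]+DYN' "$out" &&
       has '^[[:space:]]*PHDR[[:space:]]' "$out"; then pie=yes; fi
    # Read-only relocations (-Wl,-z,relro): a GNU_RELRO segment is present.
    if has '^[[:space:]]*GNU_RELRO[[:space:]]' "$out"; then relro=yes; fi
    # Immediate binding (-Wl,-z,now): BIND_NOW appears in the dynamic section.
    if has 'BIND_NOW' "$out"; then bindnow=yes; fi
    echo "pie=$pie relro=$relro bindnow=$bindnow"
}

# Constructed, abridged readelf excerpts (not captured from firefox-bin).
SAMPLE_PLAIN='  Type:                              EXEC (Executable file)
  PHDR           0x000034 0x08048034 0x08048034 0x00120 0x00120 R E 0x4
  GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RW  0x4
 0x00000001 (NEEDED)                     Shared library: [libc.so.6]'

SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  PHDR           0x000034 0x00000034 0x00000034 0x00120 0x00120 R E 0x4
  GNU_RELRO      0x001ef0 0x00002ef0 0x00002ef0 0x00110 0x00110 R   0x1
 0x00000018 (BIND_NOW)'

hardening_summary "$SAMPLE_PLAIN"
hardening_summary "$SAMPLE_HARDENED"
# Against a real file: hardening_summary "$(readelf -h -l -d ./firefox-bin)"
```

A GNU_RELRO segment without BIND_NOW only covers part of the relocation data, which is why the two results are reported separately.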



More information about the pkg-mozilla-maintainers mailing list