Bug#653191: iceweasel: Please enable hardening options

intrigeri intrigeri at debian.org
Wed Oct 9 08:54:24 UTC 2013


Hi Florent & all,

Florent Daigniere wrote (09 Oct 2013 08:05:39 GMT) :
> Is it possible to re-consider enabling the other hardening options?
> Namely PIE, RELRO and BINDNOW

Thank you for raising this again.

Summing up previous discussion so that we don't have to rehash it:

  * Mike Hommey wrote: "I'm really not a big fan of -Wl,-z,relro
    and -Wl,-z,now. For instance, I'm not sure -z relro buys anything
    worth, while it may have a significant startup performance impact
    on big applications. (and if I'm not mistaken, -z relro actually
    makes things not work with selinux, seeing how selinux already
    breaks the mprotect that removes the write bit on code sections
    after text relocations)."

  * Moritz replied that he had doubts about the relro part, and that
    "Support for selinux in Debian is marginal at best, anyway".

Regarding relro and bindnow, could anyone with the relevant skills
please sum up what kind of attacks this protects against, what are the
limitations in terms of security, and what is the performance cost in
the context of something like Iceweasel? Cc'ing Jake in case he feels
like giving a hand :)

Mike, I don't think you put it clearly why you may dislike -Wl,-z,now
yet — could you please elaborate?

Regarding SELinux, there's now a release goal proposal [1] for Jessie,
but it didn't seem to get any more serious traction than the rest of
SELinux work in Debian these days. I can only wish them good luck, but
I cannot say I'm convinced this goal will be reached.

[1] https://wiki.debian.org/ReleaseGoals/SELinux

> Virtually all the other distributions enable all hardening bells and
> whistles as they consider web-browsers critical packages. IMHO
> firefox had enough memory corruption bugs documented over the years
> to warrant the performance cost of enabling these options.

Indeed, Ubuntu enables all of PIE, stack protected, Fortify Source
functions, Read-only relocations, and Immediate binding. They're doing
it with hardening-wrapper. I failed to port this to the Iceweasel
packaging (FTBFS, IIRC), but I didn't try that hard. It might be that
they're relying on their gcc hardening patches too (if that still
applies these days, I guess Moritz will know better).

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
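An added example, not part of this thread or of the Debian packaging: a small Python checker that reads the ELF64 headers directly (standard library only, little-endian ELF64 assumed) and reports whether a binary was linked with PIE, RELRO and BIND_NOW, which is the check one would run on a built iceweasel binary before and after changing the flags. The `build_sample` helper constructs a minimal, non-loadable ELF image purely as test data; the constants are the standard values from the ELF specification.

```python
import struct

PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
ET_EXEC, ET_DYN = 2, 3

def check_hardening(elf: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW status of an ELF64 image given as bytes."""
    if elf[:5] != b"\x7fELF\x02":
        raise ValueError("not an ELF64 image")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro, dyn = False, None
    for i in range(e_phnum):  # walk the program headers
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:   # -z relro: GOT/.dynamic made read-only
            relro = True             # once relocation is done (partial RELRO)
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    bind_now = False
    if dyn:
        for off in range(dyn[0], dyn[0] + dyn[1], 16):
            tag, val = struct.unpack_from("<qQ", elf, off)
            if tag == DT_NULL:
                break
            # -z now: resolve every symbol at load time (three linker spellings)
            bind_now |= tag == DT_BIND_NOW
            bind_now |= tag == DT_FLAGS and bool(val & DF_BIND_NOW)
            bind_now |= tag == DT_FLAGS_1 and bool(val & DF_1_NOW)
    return {"pie": e_type == ET_DYN,       # ET_DYN executable = built with -pie
            "relro": relro, "bind_now": bind_now,
            "full_relro": relro and bind_now}  # both: GOT read-only from start

def build_sample(e_type: int, relro: bool, bind_now: bool) -> bytes:
    """Construct a minimal, non-runnable ELF64 image (constructed test data)."""
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW) if bind_now else b""
    dyn += struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if relro else 1
    dyn_off = 64 + 56 * n_ph  # dynamic section follows the program headers
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0, 0, 0, 0, 0, 1)
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, n_ph, 64, 0, 0)
    return hdr + phdrs + dyn
```

On a real system, `check_hardening(open("/usr/bin/some-binary", "rb").read())` gives the same report that `readelf -d` and `readelf -l` would let you assemble by hand.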