Bug#759165: iceweasel: Enable all hardening (with hardening-wrapper)

intrigeri intrigeri at debian.org
Mon Aug 25 17:30:06 UTC 2014


Hi,

Simon Ruderich wrote (24 Aug 2014 23:17:56 GMT) :
> Please enable all available hardening (relo, now and pie) for
> iceweasel.

This was discussed a bit on #609975 and #653191. 

To sum up the relevant bits, Mike Hommey wrote "I'm really not a big
fan of -Wl,-z,relro and -Wl,-z,now. For instance, I'm not sure -z
relro buys anything worth, while it may have a significant startup
performance impact on big applications. (and if I'm not mistaken, -z
relro actually makes things not work with selinux, seeing how selinux
already breaks the mprotect that removes the write bit on code
sections after text relocations)."

Moritz has doubts about the relro part, and wrote that "Support for
selinux in Debian is marginal at best, anyway". Then, I don't think
anyone elaborated any further on these topics. E.g. I don't think that
Mike ever explained why he's not a fan of bindnow, nor elaborated on
the relro part.

I think the next thing to do is to benchmark startup time with and
without relro, on various classes of hardware. Then, we'll have useful
data at hand and can have a discussion about whether it buys enough to
be worth the increased startup time. Simon, are you interested in
doing that?

Other data points:

  * Ubuntu builds Firefox with all these hardening options on (last
    time I checked, they were using hardening-wrapper); it could be
    useful to ask the Firefox maintainers in Ubuntu if they've got
    negative feedback about it

  * the Tor Browser enables all these hardening options but relro;
    they consider the latter to be a bug
    (https://trac.torproject.org/projects/tor/ticket/12103)

  * I've not looked at Fedora, OpenSUSE, etc., but it could be worth
    a look.

Cheers,
-- 
intrigeri
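As an added example (not part of this bug report, of the iceweasel packaging, or of Debian's own tooling), the script below reads an ELF binary's program headers and dynamic section to report whether it was linked with the relro, bindnow and PIE options the report asks for. That is the check one would run on a build's output before and after changing the hardening flags, and it is what Debian's hardening-check script does in more detail. The ELF images it synthesises for its own demo are constructed test data; the path argument is a placeholder.

```python
"""Report the RELRO / BIND_NOW / PIE state of a 64-bit little-endian ELF image.

Added example for the hardening discussion above; not part of the bug report.
It reads only the ELF program headers and the dynamic section, which is where
the linker records the effects of -Wl,-z,relro, -Wl,-z,now and -pie.
"""
import struct
import sys

# Constants from the ELF specification / glibc elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def inspect_elf(data: bytes) -> dict:
    """Return the hardening properties recorded in an ELF64 little-endian image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a 64-bit little-endian ELF image")
    fields = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = fields[1], fields[5], fields[9], fields[10]
    relro = has_interp = False
    dyn_tags = {}
    for i in range(e_phnum):
        p_type, _, p_offset, _, _, p_filesz, _, _ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:        # emitted by -Wl,-z,relro
            relro = True
        elif p_type == PT_INTERP:         # an executable, not a plain shared library
            has_interp = True
        elif p_type == PT_DYNAMIC:        # walk the dynamic table up to DT_NULL
            for off in range(p_offset, p_offset + p_filesz, DYN.size):
                tag, val = DYN.unpack_from(data, off)
                if tag == DT_NULL:
                    break
                dyn_tags[tag] = val
    bind_now = (DT_BIND_NOW in dyn_tags                          # old-style tag
                or bool(dyn_tags.get(DT_FLAGS, 0) & DF_BIND_NOW)  # -Wl,-z,now
                or bool(dyn_tags.get(DT_FLAGS_1, 0) & DF_1_NOW))
    # A PIE is an ET_DYN object that is an executable (DF_1_PIE on newer linkers,
    # otherwise the presence of a PT_INTERP segment).
    pie = e_type == ET_DYN and (bool(dyn_tags.get(DT_FLAGS_1, 0) & DF_1_PIE) or has_interp)
    return {"relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now, "pie": pie}


def summarize(props: dict) -> str:
    """One-line label in the style of hardening-check / checksec."""
    relro = "full" if props["full_relro"] else ("partial" if props["relro"] else "none")
    return f"RELRO: {relro}, BIND_NOW: {props['bind_now']}, PIE: {props['pie']}"


def build_elf(e_type: int, relro: bool, bind_now: bool, pie_flag: bool) -> bytes:
    """Synthesise a minimal ELF64 image with the requested properties (constructed test data)."""
    dyn = []
    if bind_now:
        dyn += [(DT_BIND_NOW, 0), (DT_FLAGS, DF_BIND_NOW)]
    flags_1 = (DF_1_NOW if bind_now else 0) | (DF_1_PIE if pie_flag else 0)
    if flags_1:
        dyn.append((DT_FLAGS_1, flags_1))
    dyn.append((DT_NULL, 0))
    dyn_bytes = b"".join(DYN.pack(tag, val) for tag, val in dyn)

    types = [PT_INTERP, PT_DYNAMIC] + ([PT_GNU_RELRO] if relro else [])
    dyn_off = EHDR.size + len(types) * PHDR.size   # dynamic table follows the headers
    phdrs = b"".join(
        PHDR.pack(t, 4, 0 if t == PT_INTERP else dyn_off, 0, 0,
                  0 if t == PT_INTERP else len(dyn_bytes), 0, 8)
        for t in types)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, little-endian
    ehdr = EHDR.pack(ident, e_type, 0x3E, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(types), 0, 0, 0)
    return ehdr + phdrs + dyn_bytes


if __name__ == "__main__":
    if len(sys.argv) > 1:      # usage: python3 elfcheck.py path/to/binary  (placeholder path)
        with open(sys.argv[1], "rb") as fh:
            print(summarize(inspect_elf(fh.read())))
    else:                      # demo on constructed images
        print("hardened:  ", summarize(inspect_elf(build_elf(ET_DYN, True, True, True))))
        print("relro only:", summarize(inspect_elf(build_elf(ET_EXEC, True, False, False))))
```

"Full" RELRO in the script's output means both the PT_GNU_RELRO segment and an immediate-binding flag are present, which is the combination (relro plus now) whose startup cost the thread proposes to benchmark; "partial" means relro was linked in but the GOT is still bound lazily.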
