Bug#759165: iceweasel: Enable all hardening (with hardening-wrapper)

Simon Ruderich simon at ruderich.org
Tue Aug 26 21:21:45 UTC 2014 

On Mon, Aug 25, 2014 at 10:30:06AM -0700, intrigeri wrote:
> To sum up the relevant bits, Mike Hommey wrote "I'm really not a big
> fan of -Wl,-z,relro and -Wl,-z,now. For instance, I'm not sure -z
> relro buys anything worth, while it may have a significant startup
> performance impact on big applications. (and if I'm not mistaken, -z

Hello,

Thanks for your quick reply.

relro shouldn't have any effect on the startup time. bindnow can
cause slowdowns as all library symbols must be resolved, however
I haven't noticed that yet.

> relro actually makes things not work with selinux, seeing how selinux
> already breaks the mprotect that removes the write bit on code
> sections after text relocations)."

I've no idea how relro or bindnow could be affected selinux, but
I've also never used it. However I haven't heard of any hardening
related issues with selinux, so I don't think it's an issue.

> Moritz has doubts about the relro part, and wrote that "Support for
> selinux in Debian is marginal at best, anyway". Then, I don't think
> anyone elaborated any further on these topics. E.g. I don't think that
> Mike ever explained why he's not a fan of bindnow, nor elaborated on
> the relro part.

Thanks for the summary.

> I think the next thing to do is to benchmark startup time with and
> without relro, on various classes of hardware. Then, we'll have useful
> data at hand and can have a discussion about whether it buys enough to
> be worth the increased startup time. Simon, are you interested to
> do that?

I don't have access to a diverse set of hardware where I can
install Iceweasel. I just tested it on my machine (AMD 64-Bit)
and noticed no changes regarding the startup time. Both with and
without relro/bindnow Iceweasel takes about 3 seconds to start
here (with cold caches it takes about 6 seconds, again no
change). I can't test the hardened Iceweasel on more systems.

To prevent further delays I think the additional hardening should
be enabled and if there are performance regressions then it can
be discussed if they are worth the improved security or not.


Chromium in Debian is already using all hardening features. I've
checked the bug tracker and found no bugs mentioning slow starts
with hardening. The same is true for the official Chrome browser,
it also enables all available hardening.

The fact that 2 major browsers out there use all available
hardening options is IMO a good argument to enable it too for
Iceweasel on Debian.


I think all hardening should be enabled as soon as possible for
Iceweasel. A possible slowdown on some systems is IMO worth the
improved security for all users, especially for a package like
Iceweasel with hundreds of vulnerabilities in the past.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20140826/5ddf741a/attachment.sig>

More information about the pkg-mozilla-maintainers mailing list