Bug 876923 - [toolchain] Enable full relro / -z,now in LDFLAGS by default
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Toolchain Maintainers
URL:
Whiteboard:
Keywords:
Depends on: profile-23.0 892952
Blocks: future-profile
Reported: 2022-10-13 06:12 UTC by Hanno Böck
Modified: 2024-04-10 03:49 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Hanno Böck gentoo-dev 2022-10-13 06:12:00 UTC
Full relro is a hardening feature enabled by the linker flags "-z,relro,-z,now". It's enabled in Gentoo hardened, but not by default.

Other distros like Fedora or Ubuntu have enabled it by default for quite some time, I think it should be considered part of the "standard hardening" features that should be default on by now.

I'd suggest to enable it with profile-23.0.
Comment 1 Agostino Sarubbo gentoo-dev 2022-10-13 06:54:33 UTC
I understand your concern, but at some point there will be no difference between the default profile and the hardened profile
Comment 2 Hanno Böck gentoo-dev 2022-10-13 08:15:35 UTC
That would in my view be a good outcome. "Gentoo hardened" originated in a time where many exploit mitigation features were considered optional. Most of what originally was hardened, like stack protection and ASLR, are considered default everywhere these days.
Comment 3 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-10-13 18:38:48 UTC
(In reply to Agostino Sarubbo from comment #1)
> I understand your concern, but at some point there will be no difference
> between the default profile and the hardened profile

This isn't a reason by itself to not do it, and the aim is always to get stuff into vanilla builds if we can help it.

Hardened is both a testing ground for new hardening stuff which might never make it to vanilla but also stuff where we want it to mature and then graduate.

Anyway, here's a recent summary of the differences: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes. Soon, we'll add -D_FORTIFY_SOURCE=3 and -D_GLIBCXX_ASSERTIONS to hardened.
Comment 4 Andreas K. Hüttel archtester gentoo-dev 2022-11-13 00:04:48 UTC
> Full relro is a hardening feature enabled by the linker flags
> "-z,relro,-z,now". It's enabled in Gentoo hardened, but not by default.
> [...] 
> I'd suggest to enable it with profile-23.0.

Works for me, but we need to nail down some technical details first.

In hardened, this is enabled by hardwiring "-z,relro,-z,now" into LDFLAGS
in gcc. That basically means all linker calls coming from gcc are handled (but, e.g., none from clang).
Making this a bit more configurable and moving it to general default is straightforward. But...

Would it make sense to do this inside ld.bfd instead? It already has a build time option to enable "relro" by default, would need a similar one for "now".
Then again, that would handle all usage of ld.bfd and none of (bäh) ld.gold and ld.lld ...
Comment 5 Andreas K. Hüttel archtester gentoo-dev 2022-11-13 21:54:01 UTC
(In reply to Andreas K. Hüttel from comment #4)
> > Full relro is a hardening feature enabled by the linker flags
> > "-z,relro,-z,now". It's enabled in Gentoo hardened, but not by default.
> > [...] 
> > I'd suggest to enable it with profile-23.0.

On second thought...

"-z relro" is already enabled by default in Gentoo since 2017

"-z now" is available in gcc via the hardening flags, so let's just move it out of there and control it with a separate useflag.
Comment 6 Larry the Git Cow gentoo-dev 2022-12-05 00:26:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=adf44514cf590a860b3140efae31187854cf8cea

commit adf44514cf590a860b3140efae31187854cf8cea
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 00:25:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-05 00:26:35 +0000

    toolchain.eclass: allow default-znow, default-stack-clash-protection for 12.2.1_p20221203
    
    Bug: https://bugs.gentoo.org/675050
    Bug: https://bugs.gentoo.org/876923
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain.eclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=975678507aa3cebb0d1d1919d4b684c64d50ffe7

commit 975678507aa3cebb0d1d1919d4b684c64d50ffe7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 00:25:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-05 00:26:34 +0000

    sys-devel/gcc: use patchset 3 for 12.2.1_p20221203
    
    Includes the default-* hardening bits.
    
    Bug: https://bugs.gentoo.org/675050
    Bug: https://bugs.gentoo.org/876923
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc/Manifest                    | 1 +
 sys-devel/gcc/gcc-12.2.1_p20221203.ebuild | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
Comment 7 Larry the Git Cow gentoo-dev 2024-03-23 15:42:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfd8afef6dd8c66def48ef52abcb624c0077ad1

commit 8bfd8afef6dd8c66def48ef52abcb624c0077ad1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-03-23 15:04:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 15:38:51 +0000

    sys-devel/clang-common: updates for 23.0
    
    * Promote -Wl,-z,now to vanilla, following GCC (bug #876923)
    * Add USE=cet to control -fcf-protection, following GCC (bug #908600, bug #927298)
    
    Bug: https://bugs.gentoo.org/876923
    Bug: https://bugs.gentoo.org/927298
    Closes: https://bugs.gentoo.org/908600
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/amd64/package.use.mask               |   1 +
 profiles/base/package.use.mask                     |   1 +
 profiles/features/musl/package.use.mask            |   1 +
 .../clang-common/clang-common-17.0.6-r2.ebuild     | 295 ++++++++++++++++++++
 .../clang-common/clang-common-18.1.2-r1.ebuild     | 297 +++++++++++++++++++++
 .../clang-common/clang-common-19.0.0.9999.ebuild   |  10 +-
 .../clang-common-19.0.0_pre20240316.ebuild         |  10 +-
 sys-devel/clang-common/metadata.xml                |  10 +
 8 files changed, 621 insertions(+), 4 deletions(-)
Comment 8 Andreas K. Hüttel archtester gentoo-dev 2024-04-10 03:49:07 UTC
This is fixed in the 23.0 profiles (available and stable now). Closing.