On Mon, Aug 25, 2014 at 10:30:06AM -0700, intrigeri wrote: > To sum up the relevant bits, Mike Hommey wrote "I'm really not a big > fan of -Wl,-z,relro and -Wl,-z,now. For instance, I'm not sure -z > relro buys anything worth, while it may have a significant startup > performance impact on big applications. (and if I'm not mistaken, -z
Hello, Thanks for your quick reply. relro shouldn't have any effect on the startup time. bindnow can cause slowdowns as all library symbols must be resolved, however I haven't noticed that yet. > relro actually makes things not work with selinux, seeing how selinux > already breaks the mprotect that removes the write bit on code > sections after text relocations)." I've no idea how relro or bindnow could be affected selinux, but I've also never used it. However I haven't heard of any hardening related issues with selinux, so I don't think it's an issue. > Moritz has doubts about the relro part, and wrote that "Support for > selinux in Debian is marginal at best, anyway". Then, I don't think > anyone elaborated any further on these topics. E.g. I don't think that > Mike ever explained why he's not a fan of bindnow, nor elaborated on > the relro part. Thanks for the summary. > I think the next thing to do is to benchmark startup time with and > without relro, on various classes of hardware. Then, we'll have useful > data at hand and can have a discussion about whether it buys enough to > be worth the increased startup time. Simon, are you interested to > do that? I don't have access to a diverse set of hardware where I can install Iceweasel. I just tested it on my machine (AMD 64-Bit) and noticed no changes regarding the startup time. Both with and without relro/bindnow Iceweasel takes about 3 seconds to start here (with cold caches it takes about 6 seconds, again no change). I can't test the hardened Iceweasel on more systems. To prevent further delays I think the additional hardening should be enabled and if there are performance regressions then it can be discussed if they are worth the improved security or not. Chromium in Debian is already using all hardening features. I've checked the bug tracker and found no bugs mentioning slow starts with hardening. The same is true for the official Chrome browser, it also enables all available hardening. The fact that 2 major browsers out there use all available hardening options is IMO a good argument to enable it too for Iceweasel on Debian. I think all hardening should be enabled as soon as possible for Iceweasel. A possible slowdown on some systems is IMO worth the improved security for all users, especially for a package like Iceweasel with hundreds of vulnerabilities in the past. Regards Simon -- + privacy is necessary + using gnupg http://gnupg.org + public key id: 0x92FEFDB7E44C32F9
signature.asc
Description: Digital signature
