On 6/17/26 15:58, Alexander Leidinger wrote:
Hi,

given the numerous talks at BSDCan about security in the last hours, and the 
mention of maybe enabling fortify by default, I want to point out
https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/

I run a lot of this stuff on real workloads. Not in a high performance situation, 
more of a SOHO workload, but I have mysql, postgresql, redis, java application 
servers, python application servers, php, nginx, postfix, dovecot, squid, various 
dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them 
service jails, some of them normal jails, some of them service jails in normal 
jails). All of those build in a local poudirere with those options enabled.

This stuff works today, and we should maybe think about just enabling this 
stuff and go ahead. If it hinders a bit in the performance area, and it is 
important, it can be deactivated by those which need the last little bit of 
performance. In my situation where the CPUs are normally not near 100%, I can 
not feel a difference.

I missed the FORTIFY callout, but I have one more patch to fix the last failure 
in our test suite with it enabled: https://reviews.freebsd.org/D57356.  I note 
that in the associated PR, only one issue was a case where _FORITFY actually 
kind-of broke the underlying functionality[*].  The others are cases where the 
test simply shouldn't build with _FORTIFY_SOURCE because they're intentionally 
overflowing.

I poked Simon for a sanity check and I plan to wordsmith the comment I dropped 
in bsd.sys.mk tonight (and push it).  I don't have a problem pitching a diff to 
lift it to an =2 default as soon as right after that- I've received enough 
reports from folks that build and use it to suggest that nobody's world will be 
severely blown up, but it's worth cautioning about anyways when we raise the 
default.

Thanks,

Kyle Evans

[*] That functionality being that Annex K specifies how to handle too-large 
buffer sizes, which one presumably wouldn't be doing intentionally.

Reply via email to