On 6/17/26 15:58, Alexander Leidinger wrote:
Hi,
given the numerous talks at BSDCan about security in the last hours, and the
mention of maybe enabling fortify by default, I want to point out
https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/
I run a lot of this stuff on real workloads. Not in a high performance situation,
more of a SOHO workload, but I have mysql, postgresql, redis, java application
servers, python application servers, php, nginx, postfix, dovecot, squid, various
dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them
service jails, some of them normal jails, some of them service jails in normal
jails). All of those build in a local poudirere with those options enabled.
This stuff works today, and we should maybe think about just enabling this
stuff and go ahead. If it hinders a bit in the performance area, and it is
important, it can be deactivated by those which need the last little bit of
performance. In my situation where the CPUs are normally not near 100%, I can
not feel a difference.
I missed the FORTIFY callout, but I have one more patch to fix the last failure
in our test suite with it enabled: https://reviews.freebsd.org/D57356. I note
that in the associated PR, only one issue was a case where _FORITFY actually
kind-of broke the underlying functionality[*]. The others are cases where the
test simply shouldn't build with _FORTIFY_SOURCE because they're intentionally
overflowing.
I poked Simon for a sanity check and I plan to wordsmith the comment I dropped
in bsd.sys.mk tonight (and push it). I don't have a problem pitching a diff to
lift it to an =2 default as soon as right after that- I've received enough
reports from folks that build and use it to suggest that nobody's world will be
severely blown up, but it's worth cautioning about anyways when we raise the
default.
Thanks,
Kyle Evans
[*] That functionality being that Annex K specifies how to handle too-large
buffer sizes, which one presumably wouldn't be doing intentionally.