[gentoo-dev] Re: Improve the security of the default profile

2013-09-08 Thread Martin Vaeth
Ryan Hill dirtye...@gentoo.org wrote:

  * -Wl,-z,relro
  Enabled by default since binutils 2.18

 This gives its real impact on security only when combined with

 * -Wl,-z,now

 The latter is not enabled by default AFAIK.

 That's a bit misleading.  Immediate binding does allow the GOT to be made
 readonly but relro does a lot more than that.

It is somewhat pointless if not everything is readonly:
In analogy, relro without now is a bit like making all your files
readonly but leaving write-permissions on the directories.
It only helps against too poorly designed exploits of corresponding
bugs.

 In any case this is a firm no.
 The increase in loading times for apps that link lots of libraries is
 significant (if it wasn't, we wouldn't need lazy loading :p).

You get the same delay for lazy linking, only not necessarily
everything immediately when the application starts up.
And even then it is only faster (at startup) if only very few symbols
are needed near the beginning.

Quite the opposite, total time of loading huge projects like
kde or libreoffice can even be faster with now, since you do
not need administration overhead for keeping track of resolving.
I did not realize a measurable difference for kde and libreoffice
even on my slow machines - random things like location on harddisk
apparently had a much bigger impact on startup.
Please really try before you fix your opinion.

 * -Wl,-z,noexecstack

 Well, portage will already tell you if your package installed any
 binaries with executable stacks

For some it did warn - otherwise I would not have found the bug.
But for some it did not.  However, I cannot recall which packages
these were, and I did not examine why.
Anyway, since this probably only concerns certain gcc versions
with -flto, I guess that we need not discuss much about this flag.

 However, isn't it time to use gnu now for all users? [...]

 Sure, but the sysv hash is teeny and backward compatibility is
 always nice if it's next to free.

But it is not completely free, and the majority of users
will never have any need for it - in fact, I do not know
any use-case, but of course I do not know all ancient software
sitting around somewhere.
Those few who need it can add the option without difficulties.




[gentoo-dev] [PATCH systemd.eclass] Introduce systemd_install_serviced().

2013-09-08 Thread Michał Górny
This function can be used to install service configuration templates.
Usage:

  systemd_install_serviced ${FILESDIR}/foo.service.conf

or:

  systemd_install_serviced ${FILESDIR}/barbaz foo.service

with the latter specifying related service name explicitly, former
expecting it to match ${basename%.conf}. The files are installed as:

  /etc/systemd/system/foo.service.d/00gentoo.conf

They should be commented out templates that users can use to customize
the service easily.
---
 gx86/eclass/systemd.eclass | 26 ++
 1 file changed, 26 insertions(+)

diff --git a/gx86/eclass/systemd.eclass b/gx86/eclass/systemd.eclass
index 4566631..1575b78 100644
--- a/gx86/eclass/systemd.eclass
+++ b/gx86/eclass/systemd.eclass
@@ -131,6 +131,32 @@ systemd_newunit() {
newins ${@}
 }
 
+# @FUNCTION: systemd_install_serviced
+# @USAGE: conf-file [service.d]
+# @DESCRIPTION:
+# Install the file conf-file as service.d/00gentoo.conf template.
+# The service.d argument specifies the configured service name.
+# If not specified, the configuration file name will be used with .conf
+# suffix stripped (e.g. foo.service.conf - foo.service).
+systemd_install_serviced() {
+   debug-print-function ${FUNCNAME} ${@}
+
+   local src=${1}
+   local service=${2}
+
+   if [[ ! ${service} ]]; then
+   [[ ${src} == *.conf ]] || die Source file needs .conf suffix
+   service=${src##*/}
+   service=${service%.conf}
+   fi
+   # avoid potentially common mistake
+   [[ ${service} != *.d ]] || die Service must not have .d suffix
+
+   local INSDESTTREE
+   insinto /etc/systemd/system/${service}.d
+   newins ${src} 00gentoo.conf
+}
+
 # @FUNCTION: systemd_dotmpfilesd
 # @USAGE: tmpfilesd1 [...]
 # @DESCRIPTION:
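Review bot: the @USAGE line names the second argument `service.d` while the body dies when that argument ends in `.d`, so the docs invite exactly the mistake the check guards against; call it `service-name` in @USAGE and @DESCRIPTION (e.g. `# @USAGE: conf-file [service-name]`). The bare `local INSDESTTREE` also reads like a leftover without a comment; a one-liner such as `# localize so insinto does not leak into the caller's scope` would save the question in review.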
-- 
1.8.3.2




[gentoo-dev] Re: Improve the security of the default profile

2013-09-08 Thread Martin Vaeth
Ryan Hill dirtye...@gentoo.org wrote:
 Martin Vaeth va...@mathematik.uni-wuerzburg.de wrote:
 
  * -fstack-protector{-all}
  No thank you.  -fstack-protector has very limited coverage

 I'd say it covers most cases where bugs can be made, [...]

 The numbers I've seen show a maximum of 5% coverage for code that has a
 large number of functions containing char arrays on the stack.

If you have no local array on the stack, it is rather hard to
accidentally(!) write code in the function which corrupts the stack.
(It still is possible e.g. through bad casting, but it is rather
unlikely that this happens by accident).
So coverage of these functions covers most cases of accidental bugs.
Of course, as Ciaranm already mentioned, there is no compiler flag
which transforms unsafe code into safe code, but if even just one or
two security bugs can be avoided this way, it was worth adding
this flag IMHO.

 Most code doesn't fall into that category.

Isn't this good news? It means most code will not get *any*
penalty with -fstack-protector.
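As an added example (my own code, not anything posted in this thread), a small checksec-style script that makes the three properties argued about here concrete: it reads readelf output and reports whether a binary has partial or full RELRO (-z relro with or without -z now, the point from the earlier message), whether its stack is executable (-z noexecstack), and whether -fstack-protector instrumented any function in it. The readelf excerpts inside it are constructed, not captured from real binaries.

```python
"""Classify the hardening state of an ELF binary from readelf text.

Added example (not code from the thread): reports the RELRO level that the
-z relro / -z now discussion is about, whether the stack is executable
(-z noexecstack) and whether -fstack-protector instrumented any function.
The readelf excerpts at the bottom are constructed, not captured binaries.
"""
import re


def relro_level(program_headers: str, dynamic: str) -> str:
    """'none' without a PT_GNU_RELRO segment, 'partial' with one, and 'full'
    only when the dynamic section also requests immediate binding
    (DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW): that is what lets ld.so map the
    GOT read-only after relocation, the 'now' half of the argument above."""
    if not re.search(r"^\s*GNU_RELRO\b", program_headers, re.M):
        return "none"
    now = (re.search(r"\(BIND_NOW\)", dynamic)
           or re.search(r"\(FLAGS\)\s.*\bBIND_NOW\b", dynamic)
           or re.search(r"\(FLAGS_1\)\s.*\bNOW\b", dynamic))
    return "full" if now else "partial"


def stack_executable(program_headers: str) -> bool:
    """True if PT_GNU_STACK is missing or carries the E flag; readelf prints
    the flags as a fixed three-character field such as 'RW ' or 'RWE'."""
    m = re.search(r"^\s*GNU_STACK(?:\s+0x[0-9a-f]+){5}\s+([RWE ]{3})",
                  program_headers, re.M | re.I)
    return True if m is None else "E" in m.group(1)


def stack_protector_used(symbols: str) -> bool:
    """A __stack_chk_fail reference means at least one function got a canary.
    -fstack-protector only instruments functions with local char arrays, so
    a missing reference means 'nothing qualified', not 'flag was off'."""
    return re.search(r"\b__stack_chk_fail(?:_local)?\b", symbols) is not None


def summarize(program_headers: str, dynamic: str, symbols: str) -> dict:
    return {"relro": relro_level(program_headers, dynamic),
            "exec_stack": stack_executable(program_headers),
            "stack_protector": stack_protector_used(symbols)}


# Constructed excerpts of `readelf -lW`, `readelf -dW` and `readelf -sW`.
LAZY_PH = """\
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002dd8 0x0000000000003dd8 0x0000000000003dd8 0x000228 0x000228 R   0x1
"""
LAZY_DYN = " 0x000000006ffffffb (FLAGS_1)            Flags: PIE\n"
LAZY_SYM = "     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (2)\n"
NOW_DYN = """\
 0x0000000000000018 (BIND_NOW)
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
"""
NOW_SYM = "     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)\n"
EXECSTACK_PH = ("  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000"
                " 0x000000 0x000000 RWE 0x10\n")

if __name__ == "__main__":
    print("lazy    ", summarize(LAZY_PH, LAZY_DYN, LAZY_SYM))
    print("now     ", summarize(LAZY_PH, NOW_DYN, NOW_SYM))
    print("execstk ", summarize(EXECSTACK_PH, "", ""))
```

On a real system, feed it the output of `readelf -lW`, `readelf -dW` and `readelf -sW` for the binary in question; the "partial" result is the relro-without-now state the thread compares to read-only files in writable directories.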




[gentoo-dev] About perl-5.18 unmasking

2013-09-08 Thread Mikle Kolyada


Hi guys!

A few days ago I was surprised when I saw perl-5.18 unhardmasked.
So I want to ask here.


@Patrick, why did you unmask it? You did not even ack the perl herd about it. It was
in the tree for about two weeks, too early for unmasking; furthermore, you
did not add all the modules needed for perl-5.18 to the tree. Now many users ask
us why perl 5.18 broke their modules. It's not good. Testing on three
boxes w/o problems is no major reason for unmasking. And also, many CPAN
guys still have not fixed their own modules to compile with 5.18.




Re: [gentoo-dev] Re: Improve the security of the default profile

2013-09-08 Thread Hinnerk van Bruinehsen
On Sat, Sep 07, 2013 at 07:12:04PM -0400, Rich Freeman wrote:
 On Sat, Sep 7, 2013 at 7:08 PM, Rick Zero_Chaos Farina
 zeroch...@gentoo.org wrote:
  Personally I'm using the hardened profile already and find the
  performance penalties negligible for a desktop user, and someone trying
  to run realtime on defaults is likely suicidal anyway.
 
 I suspect what keeps people away from hardened isn't the performance,
 but the risk of compatibility issues.  Most operations these days
 aren't CPU-bound, but getting something like RBAC to work right is
 fairly involved...
 
 Rich

Hi,

from a longtime user perspective: I've been using hardened on desktops for about
three or four years now and I can't remember any issues that were caused by the
toolchain. Performance loss is imho negligible even on low powered systems like
an atom netbook or my Raspberry Pi (I'm not saying that there is none, but it's
nothing dramatic).
RBAC, SELinux or a PaX enabled kernel is a completely different matter (in terms of
breakage and usability) but this thread was about the toolchain, not the kernel,
wasn't it?

WKR
Hinnerk




[gentoo-dev] Reference Implementation for GLEP RAP Draft

2013-09-08 Thread heroxbd
Dear all,

We have just pushed out a reference implementation for GLEP RAP
(i.e. Prefix with libc) draft:

  http://article.gmane.org/gmane.linux.gentoo.alt/6663

Hope this will help people grab the idea behind it and help the council
review and decide on the GLEP draft[1].

At the moment, amd64, x86 and arm running Linux are supported.

Cheers,
Benda

1. http://article.gmane.org/gmane.linux.gentoo.project/3023



Re: [gentoo-dev] [PATCH systemd.eclass] Introduce systemd_install_serviced().

2013-09-08 Thread Gilles Dartiguelongue
On Sunday 08 September 2013 at 13:12 +0200, Michał Górny wrote:
 This function can be used to install service configuration templates.
 Usage:
 
   systemd_install_serviced ${FILESDIR}/foo.service.conf
 
 or:
 
   systemd_install_serviced ${FILESDIR}/barbaz foo.service
 
 with the latter specifying related service name explicitly, former
 expecting it to match ${basename%.conf}. The files are installed as:
 
   /etc/systemd/system/foo.service.d/00gentoo.conf
 
 They should be commented out templates that users can use to customize
 the service easily.

Looks like a good idea, do you have a few example packages where that
could be used ?

 ---
  gx86/eclass/systemd.eclass | 26 ++
  1 file changed, 26 insertions(+)
 
 diff --git a/gx86/eclass/systemd.eclass b/gx86/eclass/systemd.eclass
 index 4566631..1575b78 100644
 --- a/gx86/eclass/systemd.eclass
 +++ b/gx86/eclass/systemd.eclass
 @@ -131,6 +131,32 @@ systemd_newunit() {
   newins ${@}
  }
  
 +# @FUNCTION: systemd_install_serviced
 +# @USAGE: conf-file [service.d]
 +# @DESCRIPTION:
 +# Install the file conf-file as service.d/00gentoo.conf template.
 +# The service.d argument specifies the configured service name.
 +# If not specified, the configuration file name will be used with .conf
 +# suffix stripped (e.g. foo.service.conf - foo.service).
 +systemd_install_serviced() {
 + debug-print-function ${FUNCNAME} ${@}
 +
 + local src=${1}
 + local service=${2}
 +
 + if [[ ! ${service} ]]; then
 + [[ ${src} == *.conf ]] || die Source file needs .conf suffix
 + service=${src##*/}
 + service=${service%.conf}
 + fi
 + # avoid potentially common mistake
 + [[ ${service} != *.d ]] || die Service must not have .d suffix
 +
 + local INSDESTTREE

I guess this is a leftover ?

 + insinto /etc/systemd/system/${service}.d
 + newins ${src} 00gentoo.conf
 +}
 +
  # @FUNCTION: systemd_dotmpfilesd
  # @USAGE: tmpfilesd1 [...]
  # @DESCRIPTION:

-- 
Gilles Dartiguelongue e...@gentoo.org
Gentoo




Re: [gentoo-dev] [PATCH systemd.eclass] Introduce systemd_install_serviced().

2013-09-08 Thread Pacho Ramos
On Sun, 08-09-2013 at 17:14 +0200, Gilles Dartiguelongue wrote:
 On Sunday 08 September 2013 at 13:12 +0200, Michał Górny wrote:
  This function can be used to install service configuration templates.
  Usage:
  
systemd_install_serviced ${FILESDIR}/foo.service.conf
  
  or:
  
systemd_install_serviced ${FILESDIR}/barbaz foo.service
  
  with the latter specifying related service name explicitly, former
  expecting it to match ${basename%.conf}. The files are installed as:
  
/etc/systemd/system/foo.service.d/00gentoo.conf
  
  They should be commented out templates that users can use to customize
  the service easily.
 
 Looks like a good idea, do you have a few example packages where that
 could be used ?

For example distcc or ntp will use them to tell them what IPs should be
allowed or what servers should be used to sync time. These are for some
cases where we need to let people pass some options to the services
without using a conf.d file (which sometimes is not fully compatible with
systemd).




Re: [gentoo-dev] About perl-5.18 unmasking

2013-09-08 Thread Markos Chandras
On 8 September 2013 14:00, Mikle Kolyada zlog...@gentoo.org wrote:


 Hi guys!

 A few days ago I was surprised when I saw perl-5.18 unhardmasked.
 So I want to ask here.


 @Patrick, why did you unmask it? You did not even ack the perl herd about it. It was
 in the tree for about two weeks, too early for unmasking; furthermore, you
 did not add all the modules needed for perl-5.18 to the tree. Now many users ask
 us why perl 5.18 broke their modules. It's not good. Testing on three
 boxes w/o problems is no major reason for unmasking. And also, many CPAN
 guys still have not fixed their own modules to compile with 5.18.



Hi,

If you feel it should not be unmask then please mask it again.
Although it might be too late for that.
Moreover, I don't think raising this issue to the mailing list
is appropriate as a first step. Did you try to talk to him? If you
feel he violated the perl@ team policies please consider
following the QA policy for such violations

https://www.gentoo.org/proj/en/glep/glep-0048.html

-- 
Regards,
Markos Chandras - Gentoo Linux Developer
http://dev.gentoo.org/~hwoarang



Re: [gentoo-dev] [PATCH systemd.eclass] Introduce systemd_install_serviced().

2013-09-08 Thread Michał Górny
On 2013-09-08, at 17:14:54
Gilles Dartiguelongue e...@gentoo.org wrote:

 On Sunday 08 September 2013 at 13:12 +0200, Michał Górny wrote:
  This function can be used to install service configuration templates.
  Usage:
  
systemd_install_serviced ${FILESDIR}/foo.service.conf
  
  or:
  
systemd_install_serviced ${FILESDIR}/barbaz foo.service
  
  with the latter specifying related service name explicitly, former
  expecting it to match ${basename%.conf}. The files are installed as:
  
/etc/systemd/system/foo.service.d/00gentoo.conf
  
  They should be commented out templates that users can use to customize
  the service easily.
 
 Looks like a good idea, do you have a few example packages where that
 could be used ?

Pacho answered this one for me ;).

  ---
   gx86/eclass/systemd.eclass | 26 ++
   1 file changed, 26 insertions(+)
  
  diff --git a/gx86/eclass/systemd.eclass b/gx86/eclass/systemd.eclass
  index 4566631..1575b78 100644
  --- a/gx86/eclass/systemd.eclass
  +++ b/gx86/eclass/systemd.eclass
  @@ -131,6 +131,32 @@ systemd_newunit() {
  newins ${@}
   }
   
  +# @FUNCTION: systemd_install_serviced
  +# @USAGE: conf-file [service.d]
  +# @DESCRIPTION:
  +# Install the file conf-file as service.d/00gentoo.conf template.
  +# The service.d argument specifies the configured service name.
  +# If not specified, the configuration file name will be used with .conf
  +# suffix stripped (e.g. foo.service.conf - foo.service).
  +systemd_install_serviced() {
  +   debug-print-function ${FUNCNAME} ${@}
  +
  +   local src=${1}
  +   local service=${2}
  +
  +   if [[ ! ${service} ]]; then
  +   [[ ${src} == *.conf ]] || die Source file needs .conf suffix
  +   service=${src##*/}
  +   service=${service%.conf}
  +   fi
  +   # avoid potentially common mistake
  +   [[ ${service} != *.d ]] || die Service must not have .d suffix
  +
  +   local INSDESTTREE
 
 I guess this is a leftover ?

Nope. 'insinto' sets INSDESTTREE. Due to lack of proper scoping
support in bash, we need to localize this variable to restore previous
'insinto' scope after leaving the function.

  +   insinto /etc/systemd/system/${service}.d
  +   newins ${src} 00gentoo.conf
  +}
  +
   # @FUNCTION: systemd_dotmpfilesd
   # @USAGE: tmpfilesd1 [...]
   # @DESCRIPTION:

-- 
Best regards,
Michał Górny




[gentoo-dev] Re: About perl-5.18 unmasking

2013-09-08 Thread Michael Palimaka

On 9/09/2013 02:40, Markos Chandras wrote:

Moreover, I don't think raising this issue to the mailing list
is appropriate as a first step.


Based on the number of replies to -commits that end up on here, it's no 
surprise that it can appear appropriate to raise an issue like this here 
initially.


That said, perl is a pretty important package that affects a lot of people.




Re: [gentoo-dev] [PATCH systemd.eclass] Introduce systemd_install_serviced().

2013-09-08 Thread Alexis Ballier
On Sun, 8 Sep 2013 17:46:28 +0200
Michał Górny mgo...@gentoo.org wrote:
   suffix +
   + local INSDESTTREE
  
  I guess this is a leftover ?
 
 Nope. 'insinto' sets INSDESTTREE. Due to lack of proper scoping
 support in bash, we need to localize this variable to restore previous
 'insinto' scope after leaving the function.

It's much better to use a subshell like the other eclasses do for that.



[gentoo-dev] Re: Improve the security of the default profile

2013-09-08 Thread Ryan Hill
On Sat, 07 Sep 2013 19:08:57 -0400
Rick \Zero_Chaos\ Farina zeroch...@gentoo.org wrote:

 Personally I think this would be a great stepping stone.  If we add
 - -fstack-protector to 4.8.1 it will improve security (only a little I
 know) and give us an idea of what issues we may have.  After a short
 enjoyment of fixing any issues which come up we could move to
 - -fstack-protector-strong in 4.9.

Okay it won't be available for 4.8.1.  It's going to require a couple minor
glibc changes and a lot of testing.  A bunch of packages stick workarounds
behind a hardened USE flag or do things like `filter-flags -fstack-protector`
which don't actually work (we have to patch the compiler, not just add it to
the default flags in the profiles or something).  I need to check the
interactions with hardened's spec files.  And I need to get 4.8.1 out the door
two weeks ago. Once we fix the fallout from the unmasking I'll get back to this.

I also want to make a comment on the implications of this change that people
may not have considered.  Bugs caused by -fstack-protector can no longer be
just dismissed as unsupported, invalid, or assigned to the hardened team and
forgotten about.  You will be expected to fix them, and `append-flags
-fno-stack-protector` is not an acceptable fix.  You can't champion for more
secure defaults and then just disable them when they get in your way.

So does anyone have any objections to making -fstack-protector the default?
Now is the time to speak up.



(and for the record I've changed my mind and would like to see this go forward,
so please stop emailing me)


-- 
Ryan Hill                        psn: dirtyepic_sk
   gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49 8E9E  7F92 ED38 BD49 957A 8463




[gentoo-dev] Automated Package Removal and Addition Tracker, for the week ending 2013-09-08 23h59 UTC

2013-09-08 Thread Robin H. Johnson
The attached list notes all of the packages that were added or removed
from the tree, for the week ending 2013-09-08 23h59 UTC.

Removals:
kde-misc/todo-list  2013-09-04 16:53:43 creffett
dev-python/multiprocessing  2013-09-05 09:55:22 mgorny
dev-python/turbogears   2013-09-05 09:56:01 mgorny
net-dialup/hsfmodem 2013-09-07 09:20:57 pacho

Additions:
dev-python/ordereddict  2013-09-02 16:05:01 floppym
dev-python/bjoern   2013-09-04 08:34:55 patrick
dev-ruby/docile 2013-09-04 12:06:05 mrueg
dev-qt/qtlockedfile 2013-09-04 14:34:43 kensington
dev-qt/qtsingleapplication  2013-09-04 14:52:13 kensington
perl-core/B-Debug   2013-09-05 05:16:24 patrick
virtual/perl-B-Debug2013-09-05 05:17:16 patrick
virtual/perl-Carp   2013-09-05 05:22:11 patrick
perl-core/Exporter  2013-09-05 05:37:13 patrick
virtual/perl-Exporter   2013-09-05 05:37:38 patrick
perl-core/HTTP-Tiny 2013-09-05 05:38:52 patrick
virtual/perl-HTTP-Tiny  2013-09-05 05:39:22 patrick
dev-perl/String-Escape  2013-09-06 03:51:01 patrick
mail-client/novell-groupwise-client 2013-09-06 18:16:07 dilfridge
dev-python/funcparserlib2013-09-07 09:06:47 mgorny
dev-python/qrcode   2013-09-07 11:36:36 mgorny
dev-python/mockldap 2013-09-08 10:11:10 mgorny
sys-apps/roccat-tools   2013-09-08 16:25:30 hwoarang

--
Robin Hugh Johnson
Gentoo Linux Developer
E-Mail : robb...@gentoo.org
GnuPG FP   : 11AC BA4F 4778 E3F6 E4ED  F38E B27B 944E 3488 4E85

[gentoo-dev] Re: Improve the security of the default profile

2013-09-08 Thread Ryan Hill
On Sun, 8 Sep 2013 11:05:16 + (UTC)
Martin Vaeth va...@mathematik.uni-wuerzburg.de wrote:

 Ryan Hill dirtye...@gentoo.org wrote:

  In any case this is a firm no.
  The increase in loading times for apps that link lots of libraries is
  significant (if it wasn't, we wouldn't need lazy loading :p).
 
 You get the same delay for lazy linking, only not necessarily
 everything immediately when the application starts up.
 And even then it is only faster (at startup) if only very few symbols
 are needed near the beginning.
 
 Quite the opposite, total time of loading huge projects like
 kde or libreoffice can even be faster with now, since you do
 not need administration overhead for keeping track of resolving.
 I did not realize a measurable difference for kde and libreoffice
 even on my slow machines - random things like location on harddisk
 apparently had a much bigger impact on startup.
 Please really try before you fix your opinion.

I'm basing my opinion on the experiences reported by other distros, by
openwall, and by our own hardened team.  In any case my opinion doesn't really
matter because in the end I'm not the one who gets to make that
decision.  I misrepresented that and I apologize.  I would still be against
making this change.

  However, isn't it time to use gnu now for all users? [...]
 
  Sure, but the sysv hash is teeny and backward compatibility is
  always nice if it's next to free.
 
 But it is not completely free, and the majority of users
 will never have any need for it - in fact, I do not know
 any use-case, but of course I do not know all ancient software
 sitting around somewhere.
 Those few who need it can add the option without difficulties.

FWIW I agree but I am not the binutils maintainer.


-- 
Ryan Hill                        psn: dirtyepic_sk
   gcc-porting/toolchain/wxwidgets @ gentoo.org

47C3 6D62 4864 0E49 8E9E  7F92 ED38 BD49 957A 8463

