Posted to dev@trafficserver.apache.org by bryancall <gi...@git.apache.org> on 2016/02/24 01:05:39 UTC

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

GitHub user bryancall opened a pull request:

    https://github.com/apache/trafficserver/pull/497

    TS-3938: Add hardening (fortify) as an option to configure

    

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/bryancall/trafficserver TS-3938

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/trafficserver/pull/497.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #497
    
----
commit 3ea0471bcfd82eecf7a7b2892433399d9874a0be
Author: Bryan Call <bc...@apache.org>
Date:   2016-02-24T00:04:57Z

    TS-3938: Add hardening (fortify) as an option to configure

----


---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at infrastructure@apache.org or file a JIRA ticket
with INFRA.
---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by asfgit <gi...@git.apache.org>.
Github user asfgit closed the pull request at:

    https://github.com/apache/trafficserver/pull/497


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188402711
  
    @dragon512 
    One benefit of doing the sed at the end of the process is that the FLAGS are in sync.  Adding additional variables would require that we don't modify the FLAGS in configure.ac after they are copied.


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188403390
  
    @jpeach 
    Do you foresee any issues with doing a double hardening (distributions doing it and having it on by default)?


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by zwoop <gi...@git.apache.org>.
Github user zwoop commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-187996374
  
    Do any of these flags change with the choice of compiler? LLVM / clang? Also, FORTIFY_SOURCE is good, we've had it trip in prod at least once (which is a good thing :).


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by dragon512 <gi...@git.apache.org>.
Github user dragon512 commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188371373
  
    The sed command seems hacky to me. It would be clearer if we have a SHCXXFLAGS, etc. (i.e. shared library flags, or we can do it the other way and make a PROGCXXFLAGS) so we can build them without the pie.


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by bryancall <gi...@git.apache.org>.
Github user bryancall commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188399695
  
    I updated to remove `-fno-omit-frame-pointer`.
    
    @dragon512
    Most distributions do hardening themselves.  I think it would be better to have an option for it.
    
    Yes, it is a little hacky, but fewer lines and simpler than creating additional variables that would only be used for tsxs.


---
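
The approach debated in this thread, deriving the flags handed to tsxs from the final hardened flags with the PIE options stripped, sketched as an added example. It is not the pull request's code; the function name, variable names and sample flag values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: derive plugin (shared object) flags from hardened program flags.
# All flag values below are constructed samples, not taken from the pull request.

# strip_pie_flags "FLAGS"
# Prints FLAGS with the executable-only PIE options removed.
# Filtering is done per whitespace-separated token rather than by substring,
# so a token that merely contains "pie" (an include path, a macro value)
# is left untouched and the remaining flags keep their order.
strip_pie_flags() {
  out=""
  for flag in $*; do
    case "$flag" in
      -fPIE|-fpie|-pie) ;;                 # only valid for executables: drop
      *) out="${out:+$out }$flag" ;;       # everything else: keep
    esac
  done
  printf '%s\n' "$out"
}

# Constructed sample: flags a hardened configure run might have accumulated.
HARDENED_CXXFLAGS="-O2 -fPIE -fstack-protector -D_FORTIFY_SOURCE=2 -I/opt/pie/include"
HARDENED_LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"

# Derived once, after every other modification of the flags, so the plugin
# flags cannot drift from the program flags (the "in sync" argument above).
PLUGIN_CXXFLAGS=$(strip_pie_flags "$HARDENED_CXXFLAGS")
PLUGIN_LDFLAGS=$(strip_pie_flags "$HARDENED_LDFLAGS")

printf 'plugin CXXFLAGS: %s\n' "$PLUGIN_CXXFLAGS"
printf 'plugin LDFLAGS:  %s\n' "$PLUGIN_LDFLAGS"
```

The stack protector, FORTIFY_SOURCE and RELRO options pass through unchanged, so plugins keep the rest of the hardening while dropping only the options that do not apply to shared objects.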

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by dragon512 <gi...@git.apache.org>.
Github user dragon512 commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188374276
  
    The other question I would have is why would we not want -fPie enabled for any compiler that supports it.


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by jpeach <gi...@git.apache.org>.
Github user jpeach commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-188400207
  
    > I think it would be better to have an option for it.
    
    I agree it should be an option, but let's consider defaulting it to "on" for 7.0


---

[GitHub] trafficserver pull request: TS-3938: Add hardening (fortify) as an...

Posted by jpeach <gi...@git.apache.org>.
Github user jpeach commented on the pull request:

    https://github.com/apache/trafficserver/pull/497#issuecomment-187996632
  
    FWIW https://wiki.debian.org/Hardening


---