41 messages in org.freebsd.freebsd-archIntegration of ProPolice in FreeBSD| From | Sent On | Attachments |
|---|---|---|
| Jeremie Le Hen | Apr 18, 2008 1:48 pm | |
| Antoine Brodin | Apr 18, 2008 3:03 pm | |
| Marcel Moolenaar | Apr 18, 2008 3:52 pm | |
| Jeremie Le Hen | Apr 18, 2008 4:47 pm | |
| Jeremie Le Hen | Apr 18, 2008 5:28 pm | |
| Max Laier | Apr 18, 2008 5:48 pm | |
| Marcel Moolenaar | Apr 18, 2008 6:46 pm | |
| Marcel Moolenaar | Apr 18, 2008 7:20 pm | |
| Jeremie Le Hen | Apr 18, 2008 11:35 pm | |
| Steve Kargl | Apr 19, 2008 12:17 am | |
| Garance A Drosehn | Apr 19, 2008 12:37 am | |
| Garance A Drosehn | Apr 19, 2008 12:44 am | |
| Garance A Drosehn | Apr 19, 2008 12:59 am | |
| Garance A Drosehn | Apr 19, 2008 1:23 am | |
| Peter Jeremy | Apr 19, 2008 7:13 am | |
| Jeremie Le Hen | Apr 19, 2008 1:04 pm | |
| Jeremie Le Hen | Apr 19, 2008 1:15 pm | |
| Jeremie Le Hen | Apr 19, 2008 1:56 pm | |
| Steve Kargl | Apr 19, 2008 3:56 pm | |
| Jeremie Le Hen | Apr 19, 2008 4:01 pm | |
| Garance A Drosehn | Apr 19, 2008 6:47 pm | |
| Mark Linimon | Apr 19, 2008 9:24 pm | |
| Ed Schouten | Apr 20, 2008 9:58 am | |
| Antoine Brodin | Apr 20, 2008 10:20 am | |
| Jeremie Le Hen | Apr 23, 2008 1:19 pm | |
| John Baldwin | Apr 23, 2008 2:03 pm | |
| Jeremie Le Hen | Apr 23, 2008 2:36 pm | |
| John Baldwin | Apr 23, 2008 7:54 pm | |
| Antoine Brodin | Apr 23, 2008 8:25 pm | |
| David O'Brien | Apr 27, 2008 1:58 am | |
| Jeremie Le Hen | May 2, 2008 7:03 am |  .diff |
| Marcel Moolenaar | May 2, 2008 3:52 pm | |
| David O'Brien | May 4, 2008 4:00 am | |
| Jeremie Le Hen | May 5, 2008 9:13 pm | |
| Jeremie Le Hen | May 14, 2008 9:13 am | |
| Jeremie Le Hen | Jun 9, 2008 8:13 pm | .diff |
| Kris Kennaway | Jun 24, 2008 10:27 pm | |
| Kris Kennaway | Jun 24, 2008 11:12 pm | |
| Jeremie Le Hen | Jun 25, 2008 9:30 am | |
| Kris Kennaway | Jun 25, 2008 12:01 pm | |
| Robert Watson | Jun 26, 2008 12:13 pm |
| Subject: | Integration of ProPolice in FreeBSD | |
|---|---|---|
| From: | Jeremie Le Hen (jere...@le-hen.org) | |
| Date: | Apr 19, 2008 4:01:00 pm | |
| List: | org.freebsd.freebsd-arch | |
Hi,
On Fri, Apr 18, 2008 at 08:37:24PM -0400, Garance A Drosehn wrote:
At 10:47 PM +0200 4/18/08, Jeremie Le Hen wrote:
I will change my patch to make SSP opt-out. This will address Marcel's concern too.
This is a big-enough change that we should ease into it, as Max suggests. It can be very painful to back out of this, so we don't want to rush into the change and then find out that we really really regret it.
Honestly, the really painful part when reverting this patch was the disappearance of SSP symbols from libc. But I think this will never happen because they have already been in libc for about a year. Enabling/disabling SSP should not hurt.
You've probably described this somewhere, but let me ask for a little more info.
There is "enabled" in the sense that the symbols exist in libc, so programs *can* be compiled with -fstack-protector-all or -fstack-protector options. But nothing much really happens until we start building programs with those options turned on. Once a program is built with one of those options, then that program has code in it which will check for stack-smashing in that one program.
So, in my mind there's the step of "enabling SSP", and then there's the step of "compiling programs with stack-protection on". I think we could also split that the second step in stages:
a) add stack-protection to all setuid programs in the base system. b) add stack-protection to all "/usr/sbin" programs in the base. c) add stack-protection to all programs in the base. d) compile ports with stack-protection on.
Is that a reasonable breakdown? We could (perhaps) have four switches, and people could turn on whatever wants they wanted. But as far as the *default* values, we might want "class A" to default on for 8.0-release, but the other classes to default off. Then (maybe) add another class each time we make another release.
On Sat, Apr 19, 2008 at 05:14:00PM +1000, Peter Jeremy wrote:
I would agree that a phased approach to enabling SSP is warranted but I believe it should wind up enabled by default in -current fairly rapidly. Once the Project has gained more familiarity with SSP and its impacts, a decision can be made as to whether it should default to on or off in -stable and releases.
Provided the very little performance overhead [1], my leaning goes toward Peter here. Moreover given that some ports simply don't compile with SSP (qemu, gcc4, etherboot), my personal opinion is it should be enabled by default for ports on -CURRENT in order to spot those out.
Note that the port bits have not been provided yet, I will contact portmgr@ for this.
[1] http://www.trl.ibm.com/projects/security/ssp/node5.html
Thanks. Regards,
-- Jeremie Le Hen < jeremie at le-hen dot org >< ttz at chchile dot org >