Re: [tor-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them
#21448: Identify what build flags we should be using for security, and use them
--------------------------------------+--------------------------
Reporter: arthuredelstein | Owner: tbb-team
Type: defect | Status: new
Priority: Medium | Milestone:
Component: Applications/Tor Browser | Version:
Severity: Normal | Resolution:
Keywords: tbb-security | Actual Points:
Parent ID: | Points:
Reviewer: | Sponsor:
--------------------------------------+--------------------------
Comment (by gk):
Replying to [comment:6 arthuredelstein]:
> Here are some security flags I think we can add to the gcc-based builds
> (Linux and mingw). There is heavy overlap with the proposed flags in
> https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be
> able to add similar flags to the clang based builds -- I will look into
> that after we settle on flags to add to gcc.)
> {{{
> -Werror=format
> -Werror=format-security
> -fstack-protector-strong
> --param ssp-buffer-size=4
> -pie -fPIE
> -D_FORTIFY_SOURCE=2 -O1
> -Wl,-z,relro,-z,now
> -ftrapv
> }}}
Uhm. We are already doing most of those things. Have you looked at our
gitian build scripts? And I am not so sure we should build with `ftrapv`,
see comment:1:ticket:18310.
> Note I am leaving out more advanced mitigations like -fvtable-verify=std
> for this iteration because getting these to work is likely to be complex.
That is broken and not working due to Mozilla internals, see:
https://bugzilla.mozilla.org/show_bug.cgi?id=1046600
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21448#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
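
Whether a build already carries the flags discussed above can be read back from the binary itself. The following is an added example, not part of the ticket or of Tor Browser's build scripts: it inspects a 64-bit little-endian ELF image for the traces left by `-pie`, `-Wl,-z,relro,-z,now`, `-fstack-protector-strong` and `-D_FORTIFY_SOURCE=2`. The names `hardening_report` and `make_sample` are hypothetical, the sample image is constructed, and the last two checks are symbol-name heuristics; the `-Werror=format*` and `-ftrapv` flags are not checked here.

```python
import struct, sys

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

def hardening_report(elf: bytes) -> dict:
    """Report which mitigations are visible in a 64-bit little-endian ELF image."""
    if elf[:6] != b"\x7fELF\x02\x01":
        raise ValueError("only 64-bit little-endian ELF is handled here")
    e_type, = struct.unpack_from("<H", elf, 16)
    e_phoff, = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    relro = bind_now = False
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # left by -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:          # walk the Elf64_Dyn entries
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from("<qQ", elf, off)
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW     # left by -Wl,-z,now
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return {
        "pie": e_type == ET_DYN,            # also true for shared libraries
        "relro": relro,
        "bind_now": bind_now,
        "full_relro": relro and bind_now,   # GOT is read-only only with both
        "stack_protector": b"__stack_chk_fail\0" in elf,  # heuristic: symbol name
        "fortify": b"_chk\0" in elf,        # heuristic: e.g. __memcpy_chk
    }

def make_sample(e_type: int, relro: bool, dt_flags: int, names: bytes = b"") -> bytes:
    """Constructed header-only ELF64 image for the demo (not a loadable binary)."""
    ehdr = struct.pack("<6s10xHHIQQQIHHHHHH", b"\x7fELF\x02\x01", e_type, 62, 1,
                       0, 64, 0, 0, 64, 56, 2, 0, 0, 0)
    dyn = struct.pack("<qQqQ", DT_FLAGS, dt_flags, DT_NULL, 0)
    ph = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 176, 176, 176, len(dyn), len(dyn), 8)
    ph += struct.pack("<IIQQQQQQ", PT_GNU_RELRO if relro else 0, 4, 0, 0, 0, 0, 0, 1)
    return ehdr + ph + dyn + names

if __name__ == "__main__" and len(sys.argv) > 1:
    with open(sys.argv[1], "rb") as f:      # path to a built binary
        print(hardening_report(f.read()))
```

A binary linked with `-z relro` but without `-z now` reports `relro` without `full_relro`, which is the partial-RELRO case where the lazy-binding part of the GOT stays writable.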