[tbb-bugs] #21448 [Applications/Tor Browser]: Identify what build flags we should be using for security, and use them

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Feb 20 07:59:58 UTC 2017


#21448: Identify what build flags we should be using for security, and use them
--------------------------------------+--------------------------
 Reporter:  arthuredelstein           |          Owner:  tbb-team
     Type:  defect                    |         Status:  new
 Priority:  Medium                    |      Milestone:
Component:  Applications/Tor Browser  |        Version:
 Severity:  Normal                    |     Resolution:
 Keywords:  tbb-security              |  Actual Points:
Parent ID:                            |         Points:
 Reviewer:                            |        Sponsor:
--------------------------------------+--------------------------

Comment (by gk):

 Replying to [comment:6 arthuredelstein]:
 > Here are some security flags I think we can add to the gcc-based builds
 > (Linux and mingw). There is heavy overlap with the proposed flags in
 > https://bugzilla.mozilla.org/show_bug.cgi?id=620058. (I think we should be
 > able to add similar flags to the clang based builds -- I will look into
 > that after we settle on flags to add to gcc.)
 > {{{
 > -Werror=format
 > -Werror=format-security
 > -fstack-protector-strong
 > --param ssp-buffer-size=4
 > -pie -fPIE
 > -D_FORTIFY_SOURCE=2 -O1
 > -Wl,-z,relro,-z,now
 > -ftrapv
 > }}}

 Uhm. We are already doing most of those things. Have you looked at our
 gitian build scripts? And I am not so sure we should build with `ftrapv`,
 see comment:1:ticket:18310.

 > Note I am leaving out more advanced mitigations like -fvtable-verify=std
 > for this iteration because getting these to work is likely to be complex.

 That is broken and not working due to Mozilla internals, see:
 https://bugzilla.mozilla.org/show_bug.cgi?id=1046600

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/21448#comment:7>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
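
One way to check, on a finished Linux build, whether the hardening flags quoted above actually took effect (an added example, not code from the ticket or from Tor Browser's build scripts). `audit_elf64` and `build_sample` are hypothetical names, the sample image is constructed, only little-endian ELF64 is handled so mingw PE output is rejected, and the stack-protector and FORTIFY checks are symbol-name heuristics.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"

def audit_elf64(data: bytes) -> dict:
    """Map the ticket's flags to what a little-endian ELF64 image shows."""
    if data[:4] != b"\x7fELF" or data[4:6] != b"\x02\x01":
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, phoff, phentsize, phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro = bind_now = False
    for i in range(phnum):
        p = struct.unpack_from(PHDR, data, phoff + i * phentsize)
        p_type, p_offset, p_filesz = p[0], p[2], p[5]
        if p_type == PT_GNU_RELRO:            # -Wl,-z,relro
            relro = True
        elif p_type == PT_DYNAMIC:            # -Wl,-z,now sets a BIND_NOW marker
            for off in range(p_offset, p_offset + p_filesz, 16):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                bind_now |= (tag == DT_BIND_NOW
                             or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                             or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return {
        "pie": e_type == ET_DYN,              # -pie -fPIE (shared objects are ET_DYN too)
        "relro": "full" if relro and bind_now else "partial" if relro else "none",
        # Heuristics: symbol names only appear if some function needed the check.
        "stack_protector": b"__stack_chk_fail" in data,  # -fstack-protector-strong
        "fortify": b"_chk\x00" in data,       # -D_FORTIFY_SOURCE=2, e.g. __memcpy_chk
    }

def build_sample(e_type=ET_DYN, relro=True, now=True,
                 strings=b"__stack_chk_fail\x00__memcpy_chk\x00"):
    """Constructed header-only ELF64 image (not loadable) to exercise the audit."""
    dyn = (struct.pack(DYN, DT_FLAGS, DF_BIND_NOW) if now else b"") + struct.pack(DYN, DT_NULL, 0)
    phdrs = [(PT_DYNAMIC, len(dyn))] + ([(PT_GNU_RELRO, 0)] if relro else [])
    dyn_off = 64 + 56 * len(phdrs)
    ehdr = struct.pack(EHDR, b"\x7fELF\x02\x01\x01", e_type, 62, 1, 0, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    ph = b"".join(struct.pack(PHDR, t, 4, dyn_off, 0, 0, n, n, 8) for t, n in phdrs)
    return ehdr + ph + dyn + strings

if __name__ == "__main__":
    print(audit_elf64(build_sample()))
```

On a real build, pass the bytes of each shipped executable; a "partial" RELRO result means `-z relro` was applied without `-z now`.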