m (→How To Test) |
(Tidy formatting, etc since this uses an out-of-date template) |
||
Line 1: | Line 1: | ||
= Add _FORTIFY_SOURCE=3 to distribution build flags <!-- The name of your change proposal --> = | |||
{{Change_Proposal_Banner}} | |||
== Summary == | == Summary == | ||
Line 35: | Line 14: | ||
* Name: [[User:siddhesh| Siddhesh Poyarekar]] | * Name: [[User:siddhesh| Siddhesh Poyarekar]] | ||
<!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | <!-- Include you email address that you can be reached should people want to contact you about helping with your change, status is requested, or technical issues need to be resolved. If the change proposal is owned by a SIG, please also add a primary contact person. --> | ||
* Email: sipoyare@redhat.com | * Email: sipoyare@redhat.com | ||
* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | * FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address> | ||
--> | --> | ||
== Current status == | == Current status == | ||
* Targeted release: [[Releases/38 | Fedora 38 ]] | [[Category:ChangeReadyForWrangler]] | ||
[[Category:SystemWideChange]] | |||
* Targeted release: [[Releases/38 | Fedora Linux 38 ]] | |||
* Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | * Last updated: <!-- this is an automatic macro — you don't need to change this line --> {{REVISIONYEAR}}-{{REVISIONMONTH}}-{{REVISIONDAY2}} | ||
<!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | <!-- After the change proposal is accepted by FESCo, tracking bug is created in Bugzilla and linked to this page | ||
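Review bot: In the Owner block of this hunk, the context line `* FESCo shepherd: [[User:FASAccountName| Shehperd name]] <email address>` and the bare `-->` after it sit outside any comment, because the preceding `<!-- Include you email address ... -->` comment already closes on its own line. A formatting tidy should either restore the missing `<!--` before the shepherd line or delete both lines. The placeholder also misspells "Shepherd".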
Line 56: | Line 32: | ||
CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | CLOSED as NEXTRELEASE -> change is completed and verified and will be delivered in next release under development | ||
--> | --> | ||
* FESCo issue: <will be assigned by the Wrangler> | |||
* Tracker bug: <will be assigned by the Wrangler> | * Tracker bug: <will be assigned by the Wrangler> | ||
* Release notes issue: <will be assigned by the Wrangler> | |||
== Detailed Description == | == Detailed Description == | ||
Line 81: | Line 59: | ||
Resolve bugs filed for build failures, either by fixing the bug exposed by `_FORTIFY_SOURCE=3` or by disabling `_FORTIFY_SOURCE=3` for the package if it is a false positive or if the package is unable to adapt to the change. | Resolve bugs filed for build failures, either by fixing the bug exposed by `_FORTIFY_SOURCE=3` or by disabling `_FORTIFY_SOURCE=3` for the package if it is a false positive or if the package is unable to adapt to the change. | ||
* Release engineering | * Release engineering: Mass rebuild required | ||
* Policies and guidelines: None <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | * Policies and guidelines: None <!-- REQUIRED FOR SYSTEM WIDE CHANGES --> | ||
<!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | <!-- Do the packaging guidelines or other documents need to be updated for this feature? If so, does it need to happen before or after the implementation is done? If a FPC ticket exists, add a link here. --> | ||
Line 149: | Line 122: | ||
Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | Release Notes are not required for initial draft of the Change Proposal but has to be completed by the Change Freeze. | ||
--> | --> | ||
Revision as of 19:52, 5 December 2022
Add _FORTIFY_SOURCE=3 to distribution build flags
Summary
Replace the current _FORTIFY_SOURCE=2 with _FORTIFY_SOURCE=3 to improve mitigation of security issues arising from buffer overflows in packages in Fedora.
Owner
- Name: Siddhesh Poyarekar
- Email: sipoyare@redhat.com
Current status
- Targeted release: Fedora Linux 38
- Last updated: 2022-12-05
- FESCo issue: <will be assigned by the Wrangler>
- Tracker bug: <will be assigned by the Wrangler>
- Release notes issue: <will be assigned by the Wrangler>
Detailed Description
The default C and C++ compiler flags used to build packages in Fedora currently include -Wp,-D_FORTIFY_SOURCE=2, which enables fortification of some functions in glibc, thus providing some mitigation against buffer overflows. Since glibc 2.34 and GCC 12, there has been a new fortification level (_FORTIFY_SOURCE=3) which improves the coverage of this mitigation.
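An added example, not part of the proposal, of where the extra coverage comes from: glibc's fortified wrappers size the destination with the compiler builtin __builtin_object_size at level 2 and with __builtin_dynamic_object_size at level 3. The function names below are hypothetical, would_trap() is only a model of the wrapper's length comparison, and whether the dynamic size is resolved depends on compiler version and optimization level (expect it at -O1 and above).

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* __builtin_dynamic_object_size needs GCC 12+ or a recent Clang; fall back
 * to the static builtin elsewhere so the file still compiles. */
#if defined(__has_builtin)
# if __has_builtin(__builtin_dynamic_object_size)
#  define HAVE_DYN_OBJSZ 1
# endif
#endif

#define UNKNOWN_SIZE ((size_t)-1)  /* builtin result for "size not known" */

/* Level 2 view: only sizes that are compile-time constants are visible. */
size_t size_level2(size_t n)
{
    volatile size_t runtime_n = n;  /* models a length known only at run time */
    size_t len = runtime_n;
    char *p = malloc(len);
    size_t sz = __builtin_object_size(p, 0);
    free(p);
    return sz;
}

/* Level 3 view: the size may be an expression evaluated at run time. */
size_t size_level3(size_t n)
{
    volatile size_t runtime_n = n;
    size_t len = runtime_n;
    char *p = malloc(len);
#ifdef HAVE_DYN_OBJSZ
    size_t sz = __builtin_dynamic_object_size(p, 0);
#else
    size_t sz = __builtin_object_size(p, 0);
#endif
    free(p);
    return sz;
}

/* Model of the check in a wrapper such as __memcpy_chk: abort when the copy
 * is longer than the destination. UNKNOWN_SIZE is SIZE_MAX, so it never fires. */
int would_trap(size_t dst_size, size_t copy_len) { return copy_len > dst_size; }

int main(void)
{
    size_t l2 = size_level2(32), l3 = size_level3(32);
    printf("level 2 size %zu, traps 48-byte copy: %d\n", l2, would_trap(l2, 48));
    printf("level 3 size %zu, traps 48-byte copy: %d\n", l3, would_trap(l3, 48));
    return 0;
}
```

Built with optimization on a compiler that has the dynamic builtin, the level 3 line reports a size of 32 and a trapped copy, while the level 2 line reports an unknown size and no trap.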
The core change to bring in this mitigation is to change the default build flags in redhat-rpm-config so that packages build by default with -Wp,-D_FORTIFY_SOURCE=3. There are packages (e.g. systemd) that do not interact well with _FORTIFY_SOURCE and will also need a workaround to downgrade fortification to level 2. The change will also include this override.
Benefit to Fedora
Analysis of packages in Fedora rawhide indicates that the improvement of mitigation coverage is on average over 2.4x, in some cases protecting more than half of the fortified glibc calls in the target application.
This change will therefore harden Fedora to a significant extent, making it a more secure distribution out of the box.
Scope
- Proposal owners: Post a merge request to redhat-rpm-config with the actual change to build flags.
- Other developers: Resolve bugs filed for build failures, either by fixing the bug exposed by _FORTIFY_SOURCE=3 or by disabling _FORTIFY_SOURCE=3 for the package if it is a false positive or if the package is unable to adapt to the change.
- Release engineering: Mass rebuild required
- Policies and guidelines: None. Guidelines should include a workaround for packages that fail to build with -Wp,-D_FORTIFY_SOURCE=3 due to a false positive.
- Trademark approval: N/A (not needed for this Change)
Upgrade/compatibility impact
No ABI change, so there should be no impact on compatibility in a mixed environment.
How To Test
- Smoke testing of packages to ensure that they continue to work correctly. Some packages may have overflows exposed at runtime, which may need to be fixed.
User Experience
No noticeable change to users.
Dependencies
None.
Contingency Plan
- Contingency mechanism: (What to do? Who will do it?) If too many packages are found to be broken at runtime, the default for fortification will be left at _FORTIFY_SOURCE=2 for Fedora 38. The change owner will do this in redhat-rpm-config.
- Contingency deadline: Beta freeze
- Blocks release? Yes
- Blocks product? No
Documentation
More context on _FORTIFY_SOURCE=3 improvements.