FS#49361 - [firefox] Harden firefox by building with full read-only relocation
Attached to Project:
Arch Linux
Opened by Remi Gacogne (rgacogne) - Monday, 16 May 2016, 21:02 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 08 June 2016, 15:54 GMT
Details
Hi,
This is basically the same feature request as #49360, but this time for Firefox. Firefox is particularly exposed as a web browser, and some other distros have already enabled full RELRO, see for example Red Hat [1]. The attached patch enables full RELRO. Firefox does not build currently with or without this patch on my host, apparently because of a compatibility issue with gcc6 that I did not investigate long enough to fix. Thanks!
[1]: https://bugzilla.redhat.com/show_bug.cgi?id=1218034
Closed by Doug Newgard (Scimmia)
Wednesday, 08 June 2016, 15:54 GMT
Reason for closing: Implemented
Additional comments about closing: firefox 47.0-1

I'd rather see -z now added to the common LDFLAGS in makepkg.conf.

I fully agree and there is an ongoing effort to benchmark the
impact it would have from a performance point of view, along with
other hardening options. I'm afraid it's going to take some time
before it gets added to common LDFLAGS though, and I think it
would make sense to harden FF more quickly than the rest of our
packages.