Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 17 Jun 2026 16:11:57 -0400
From:      Kyle Evans <kevans@FreeBSD.org>
To:        Alexander Leidinger <Alexander@Leidinger.net>, FreeBSD Security list <freebsd-security@FreeBSD.org>
Subject:   Re: Switching on compiler/src options to harden FreeBSD
Message-ID:  <54152c1e-8c3a-47a5-83b2-4bd0f781e03f@FreeBSD.org>
In-Reply-To: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net>

index | next in thread | previous in thread | raw e-mail

On 6/17/26 15:58, Alexander Leidinger wrote:
> Hi,
> 
> given the numerous talks at BSDCan about security in the last hours, and the mention of maybe enabling fortify by default, I want to point out
> https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/
> 
> I run a lot of this stuff on real workloads. Not in a high performance situation, more of a SOHO workload, but I have mysql, postgresql, redis, java application servers, python application servers, php, nginx, postfix, dovecot, squid, various dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them service jails, some of them normal jails, some of them service jails in normal jails). All of those build in a local poudirere with those options enabled.
> 
> This stuff works today, and we should maybe think about just enabling this stuff and go ahead. If it hinders a bit in the performance area, and it is important, it can be deactivated by those which need the last little bit of performance. In my situation where the CPUs are normally not near 100%, I can not feel a difference.
> 
I missed the FORTIFY callout, but I have one more patch to fix the last failure in our test suite with it enabled: https://reviews.freebsd.org/D57356.  I note that in the associated PR, only one issue was a case where _FORITFY actually kind-of broke the underlying functionality[*].  The others are cases where the test simply shouldn't build with _FORTIFY_SOURCE because they're intentionally overflowing.

I poked Simon for a sanity check and I plan to wordsmith the comment I dropped in bsd.sys.mk tonight (and push it).  I don't have a problem pitching a diff to lift it to an =2 default as soon as right after that- I've received enough reports from folks that build and use it to suggest that nobody's world will be severely blown up, but it's worth cautioning about anyways when we raise the default.

Thanks,

Kyle Evans

[*] That functionality being that Annex K specifies how to handle too-large buffer sizes, which one presumably wouldn't be doing intentionally.


home | help

Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?54152c1e-8c3a-47a5-83b2-4bd0f781e03f>