From nobody Wed Jun 17 20:11:57 2026 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ggZl71bXRz6hjqT for ; Wed, 17 Jun 2026 20:12:03 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "YR1" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 4ggZl716yqz41f8; Wed, 17 Jun 2026 20:12:03 +0000 (UTC) (envelope-from kevans@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781727123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Z++HkWdYU5XIaqWuf52OLmKAw9rwmCU2opgDtmV1frI=; b=DCqDZsZIlxJqwE7BuJCRr68rPRe5sTGng8mTMvNkVP644YfriyLuUHg7NBsghSluD509Q/ LRIxJgod3NalivbFs14RxTDtcHyL0afBDQnwzVMYCKXs0oYOYs8khNxd2U2tN61XRkLIpE V3UUd22zAMHPkTtXSgMOMqYdRQkQAiIMhurK5kEQOu/XWgBL8Zt/bgXUjbtnDoN79yZ8Ip b4iddTpSHuzduEizSWWp32Sse79AeKYLpEP3PU6A0Bn/EgzkPz7ocT2UPklzhhT+HYJVZE HAeZXQW5dxkBh6bN146OkisvIwrbQnZ6x6gxHx3dto2uEVYdPl0Ope4ePHcQyQ== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1781727123; a=rsa-sha256; cv=none; b=lOpjE2WDbxGX9Q+xtbuOM5SX/i4ZTW+yg9WX/AA7fzj3OrWZcRxE0BsHx+5HcAizr4vigT QG6rAZ62yjs3y/P2JukXEaIFPWq+NN53NDIqwLVzASLFRrQ2AUaJh35qqPAGGjXTnTBiPN +7TiyBlgF0+N01GqajbGrBCYIpMH5cQoFdkCVrBgd4QMnIZ45ZhPC9nO6YYzTsb5E5Pc9R KsMOJq96jOdbU+BIBRK98HcxuJFRYnRJEM5NFslF90AaAmpEYAvJFM9K+wf7d/RGqtFcKS kQZQjPtHF0C+sG5/+ZsdSEiRQRTeRkFV32jAYjmWq7OQDi0ehN5SVrgA0muEFg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1781727123; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Z++HkWdYU5XIaqWuf52OLmKAw9rwmCU2opgDtmV1frI=; b=t0asWo6GocUYU+l5AzCyGVMSNEBJ6KWEfYH8Iw2Bvg19evwtbmOylTiiQ7CbRHMU7oqSei Fxu8l803eoGfzbBaGB2Bcu3bwv9b29QqE2plT71iCJD5je10OV6dJ0ZF7Ehk/a5rqjJuOF 81xOkGrx9SW93zVcbM+fwGf+XDtnwwKPYy4dD9364hLj5GaDDVz5LUGLY256f4DkxWOI8v D29JAA1yBR5Yh+cYY0bsqMf4rg84vIhTTPvLrkDZeFpB2SnIKyxzq3+f/uFwav49rNu/CR CTyNtvGIhRMrUKXvAGo9IUMX5WtRo5raJxeBGJxmGZ8Dhvm2NqVnEbTRmuHxjQ== Received: from [10.19.140.219] (unknown [91.209.212.136]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) (Authenticated sender: kevans/mail) by smtp.freebsd.org (Postfix) with ESMTPSA id 4ggZl56sSpzvsH; Wed, 17 Jun 2026 20:12:01 +0000 (UTC) (envelope-from kevans@FreeBSD.org) Message-ID: <54152c1e-8c3a-47a5-83b2-4bd0f781e03f@FreeBSD.org> Date: Wed, 17 Jun 2026 16:11:57 -0400 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: X-BeenThere: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.org List-Id: List-Post: List-Help: List-Subscribe: List-Unsubscribe: List-Owner: Precedence: list MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: Switching on compiler/src options to harden FreeBSD To: Alexander Leidinger , FreeBSD Security list References: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net> Content-Language: en-US From: Kyle Evans In-Reply-To: <0d41bfe199e62c951591a2d528b323b0@Leidinger.net> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 7bit On 6/17/26 15:58, Alexander Leidinger wrote: > Hi, > > given the numerous talks at BSDCan about security in the last hours, and the mention of maybe enabling fortify by default, I want to point out > https://www.leidinger.net/blog/2025/05/24/freebsd-security-hardening-with-compiler-options/ > > I run a lot of this stuff on real workloads. Not in a high performance situation, more of a SOHO workload, but I have mysql, postgresql, redis, java application servers, python application servers, php, nginx, postfix, dovecot, squid, various dns servers (unbound, bind, adguardhome) and samba in >60 jails (some of them service jails, some of them normal jails, some of them service jails in normal jails). All of those build in a local poudirere with those options enabled. > > This stuff works today, and we should maybe think about just enabling this stuff and go ahead. If it hinders a bit in the performance area, and it is important, it can be deactivated by those which need the last little bit of performance. In my situation where the CPUs are normally not near 100%, I can not feel a difference. > I missed the FORTIFY callout, but I have one more patch to fix the last failure in our test suite with it enabled: https://reviews.freebsd.org/D57356. I note that in the associated PR, only one issue was a case where _FORITFY actually kind-of broke the underlying functionality[*]. The others are cases where the test simply shouldn't build with _FORTIFY_SOURCE because they're intentionally overflowing. I poked Simon for a sanity check and I plan to wordsmith the comment I dropped in bsd.sys.mk tonight (and push it). I don't have a problem pitching a diff to lift it to an =2 default as soon as right after that- I've received enough reports from folks that build and use it to suggest that nobody's world will be severely blown up, but it's worth cautioning about anyways when we raise the default. Thanks, Kyle Evans [*] That functionality being that Annex K specifies how to handle too-large buffer sizes, which one presumably wouldn't be doing intentionally.