Harden the web browser at compile time

Originally created by Tails on #5802 (Redmine)

Rationale

Given our current release schedule, there’s one week in six when Tails users are vulnerable to a bunch of known security issues in Iceweasel.

Roadmap

Find out what additional hardening compilation option can possibly be added to Iceweasel by the Debian maintainer. The Debian security team might be happy to help. Here’s what the maintainer’s already stated opinions on the topic (Debian bug #609975 and Debian bug #653191: I’m really not a big fan of -Wl,-z,relro and -Wl,-z,now. For instance, I’m not sure -z relro buys anything worth, while it may have a significant startup performance impact on big applications. (and if I’m not mistaken, -z relro actually makes things not work with selinux, seeing how selinux already breaks the mprotect that removes the write bit on code sections after text relocations). Moritz has doubts about the relro part, and Support for selinux in Debian is marginal at best, anyway. Last discussion about this was started on Debian bug #759165.
Design a great plan.
Implement a great plan.
See what the maintainer is happy to take.
If still needed, add more hardening compilation options to our own Iceweasel builds.

How others do

Hardening compilation options currently enabled in:

upstream Firefox: none (31.0b7 and 24.6.0esr, for Linux 64-bit and 32-bit)
TBB 4.0 nightly (20141007): everything enabled
TBB 3.6.6, TBB 4.0-alpha-2:
- enabled: PIE, stack protected, fortify source, bindnow
- disabled: relro (https://trac.torproject.org/projects/tor/ticket/12103)
Debian’s Iceweasel 17.0.3 ESR:
- enabled: stack protected, Fortify Source functions
- disabled: PIE, Read-only relocations, Immediate binding
Ubuntu’s Firefox (using hardening-wrapper: PIE, stack protected, Fortify Source functions, Read-only relocations, Immediate binding

Related to…

Once we have AppArmor support in Tails (#5370 (closed)), we’ll probably want to use it as an additional way to contain the least powerful exploits a bit more.
Incremental upgrades may help putting out a minor Tails release a bit faster after a Firefox ESR release.

Related issues

Related to #7953 (closed)
Related to #7155 (closed)

_Originally created by Tails on [#5802 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/5802)_

# Rationale

Given our current [release
schedule](https://tails.boum.org/contribute/release_schedule/), there’s
one week in six when Tails users are vulnerable to a bunch of known
security issues in Iceweasel.

# Roadmap

1.  Find out what additional hardening compilation option can possibly
    be added to Iceweasel by the Debian maintainer. The Debian security
    team might be happy to help. Here’s what the maintainer’s already
    stated opinions on the topic ([Debian bug
    #609975](http://bugs.debian.org/609975) and [Debian bug
    #653191](http://bugs.debian.org/653191\)): *I’m really not a big
    fan of -Wl,-z,relro and -Wl,-z,now. For instance, I’m not sure -z
    relro buys anything worth, while it may have a significant startup
    performance impact on big applications. (and if I’m not mistaken, -z
    relro actually makes things not work with selinux, seeing how
    selinux already breaks the mprotect that removes the write bit on
    code sections after text relocations).* Moritz [has
    doubts](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653191#27)
    about the relro part, and *Support for selinux in Debian is marginal
    at best, anyway*. Last discussion about this was started on [Debian
    bug #759165](https://bugs.debian.org/759165).
2.  Design a great plan.
3.  Implement a great plan.
4.  See what the maintainer is happy to take.
5.  If still needed, add more hardening compilation options to our own
    Iceweasel builds.

# How others do

Hardening compilation options currently enabled in:

- upstream Firefox: none (31.0b7 and 24.6.0esr, for Linux 64-bit and
    32-bit)
      - <http://glandium.org/blog/?p=3310>
      - <https://bugzilla.gnome.org/show_bug.cgi?id=737849>
      - <https://bugzilla.mozilla.org/show_bug.cgi?id=620058>
      - <https://bugzilla.mozilla.org/show_bug.cgi?id=857628>
      - <https://bugzilla.mozilla.org/show_bug.cgi?id=1018210>
      - <https://bugzilla.mozilla.org/show_bug.cgi?id=777948>
  - TBB 4.0 nightly (20141007): everything enabled
  - TBB 3.6.6, TBB 4.0-alpha-2:
      - enabled: PIE, stack protected, fortify source, bindnow
      - disabled: relro
        (<https://trac.torproject.org/projects/tor/ticket/12103)>
  - Debian’s Iceweasel 17.0.3 ESR:
      - enabled: stack protected, Fortify Source functions
      - disabled: PIE, Read-only relocations, Immediate binding
  - Ubuntu’s Firefox (using
    [hardening-wrapper](http://packages.debian.org/hardening%2Dwrapper\)):
    PIE, stack protected, Fortify Source functions, Read-only
    relocations, Immediate binding

# Related to…

- Once we have AppArmor support in Tails (tails/tails#5370), we’ll probably want
    to use it as an additional way to contain the least powerful
    exploits a bit more.
  - Incremental upgrades may help putting out a minor Tails release a
    bit faster after a Firefox ESR release.

### Related issues

- **Related to** tails/tails#7953
  - **Related to** tails/tails#7155

Edited May 15, 2020 by import-from-Redmine

To upload designs, you'll need to enable LFS and have admin enable hashed storage. More information