Skip to content
GitLab
Projects Groups Snippets
  • /
  • Help
    • Help
    • Support
    • Community forum
    • Submit feedback
    • Contribute to GitLab
  • Sign in / Register
  • T tails
  • Project information
    • Project information
    • Activity
    • Labels
    • Members
  • Repository
    • Repository
    • Files
    • Commits
    • Branches
    • Tags
    • Contributors
    • Graph
    • Compare
  • Issues 974
    • Issues 974
    • List
    • Boards
    • Service Desk
    • Milestones
  • Merge requests 26
    • Merge requests 26
  • CI/CD
    • CI/CD
    • Pipelines
    • Jobs
    • Schedules
  • Deployments
    • Deployments
    • Environments
    • Releases
  • Monitor
    • Monitor
    • Incidents
  • Analytics
    • Analytics
    • Value stream
    • CI/CD
    • Repository
  • Activity
  • Graph
  • Create a new issue
  • Jobs
  • Commits
  • Issue Boards
Collapse sidebar
  • tails
  • tails
  • Issues
  • #5802
Closed
Open
Issue created Jul 18, 2013 by import-from-Redmine@import-from-Redmine

Harden the web browser at compile time

Originally created by Tails on #5802 (Redmine)

{{toc}}

Rationale

Given our current release schedule, there’s one week in six when Tails users are vulnerable to a bunch of known security issues in Iceweasel.

Roadmap

  1. Find out what additional hardening compilation option can possibly be added to Iceweasel by the Debian maintainer. The Debian security team might be happy to help. Here’s what the maintainer’s already stated opinions on the topic (Debian bug #609975 and Debian bug #653191: I’m really not a big fan of -Wl,-z,relro and -Wl,-z,now. For instance, I’m not sure -z relro buys anything worth, while it may have a significant startup performance impact on big applications. (and if I’m not mistaken, -z relro actually makes things not work with selinux, seeing how selinux already breaks the mprotect that removes the write bit on code sections after text relocations). Moritz has doubts about the relro part, and Support for selinux in Debian is marginal at best, anyway. Last discussion about this was started on Debian bug #759165.
  2. Design a great plan.
  3. Implement a great plan.
  4. See what the maintainer is happy to take.
  5. If still needed, add more hardening compilation options to our own Iceweasel builds.

How others do

Hardening compilation options currently enabled in:

  • upstream Firefox: none (31.0b7 and 24.6.0esr, for Linux 64-bit and 32-bit)
    • http://glandium.org/blog/?p=3310
    • https://bugzilla.gnome.org/show_bug.cgi?id=737849
    • https://bugzilla.mozilla.org/show_bug.cgi?id=620058
    • https://bugzilla.mozilla.org/show_bug.cgi?id=857628
    • https://bugzilla.mozilla.org/show_bug.cgi?id=1018210
    • https://bugzilla.mozilla.org/show_bug.cgi?id=777948
  • TBB 4.0 nightly (20141007): everything enabled
  • TBB 3.6.6, TBB 4.0-alpha-2:
    • enabled: PIE, stack protected, fortify source, bindnow
    • disabled: relro (https://trac.torproject.org/projects/tor/ticket/12103)
  • Debian’s Iceweasel 17.0.3 ESR:
    • enabled: stack protected, Fortify Source functions
    • disabled: PIE, Read-only relocations, Immediate binding
  • Ubuntu’s Firefox (using hardening-wrapper: PIE, stack protected, Fortify Source functions, Read-only relocations, Immediate binding

Related to…

  • Once we have AppArmor support in Tails (#5370 (closed)), we’ll probably want to use it as an additional way to contain the least powerful exploits a bit more.
  • Incremental upgrades may help putting out a minor Tails release a bit faster after a Firefox ESR release.

Related issues

  • Related to #7953 (closed)
  • Related to #7155 (closed)
Edited May 15, 2020 by import-from-Redmine
To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information
Assignee
Assign to
Time tracking