Harden the web browser at compile time

Originally created by Tails on #5802 (Redmine)

{{toc}}

Rationale

Given our current release schedule, there’s one week in six when Tails users are vulnerable to a bunch of known security issues in Iceweasel.

Roadmap

1. Find out what additional hardening compilation option can possibly be added to Iceweasel by the Debian maintainer. The Debian security team might be happy to help. Here’s what the maintainer’s already stated opinions on the topic (Debian bug #609975 and Debian bug #653191: I’m really not a big fan of -Wl,-z,relro and -Wl,-z,now. For instance, I’m not sure -z relro buys anything worth, while it may have a significant startup performance impact on big applications. (and if I’m not mistaken, -z relro actually makes things not work with selinux, seeing how selinux already breaks the mprotect that removes the write bit on code sections after text relocations). Moritz has doubts about the relro part, and Support for selinux in Debian is marginal at best, anyway. Last discussion about this was started on Debian bug #759165.
2. Design a great plan.
3. Implement a great plan.
4. See what the maintainer is happy to take.
5. If still needed, add more hardening compilation options to our own Iceweasel builds.

How others do

Hardening compilation options currently enabled in:

• upstream Firefox: none (31.0b7 and 24.6.0esr, for Linux 64-bit and 32-bit)
  • http://glandium.org/blog/?p=3310
  • https://bugzilla.gnome.org/show_bug.cgi?id=737849
  • https://bugzilla.mozilla.org/show_bug.cgi?id=620058
  • https://bugzilla.mozilla.org/show_bug.cgi?id=857628
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1018210
  • https://bugzilla.mozilla.org/show_bug.cgi?id=777948
• TBB 4.0 nightly (20141007): everything enabled
• TBB 3.6.6, TBB 4.0-alpha-2:
  • enabled: PIE, stack protected, fortify source, bindnow
  • disabled: relro (https://trac.torproject.org/projects/tor/ticket/12103)
• Debian’s Iceweasel 17.0.3 ESR:
  • enabled: stack protected, Fortify Source functions
  • disabled: PIE, Read-only relocations, Immediate binding
• Ubuntu’s Firefox (using hardening-wrapper: PIE, stack protected, Fortify Source functions, Read-only relocations, Immediate binding

Related to…

• Once we have AppArmor support in Tails (#5370 (closed)), we’ll probably want to use it as an additional way to contain the least powerful exploits a bit more.
• Incremental upgrades may help putting out a minor Tails release a bit faster after a Firefox ESR release.

Related issues

• Related to #7953 (closed)
• Related to #7155 (closed)