Harden the web browser at compile time
_Originally created by Tails on [#5802 (Redmine)](https://public-redmine-archive.tails.boum.org/code/issues/5802)_
{{toc}}
# Rationale
Given our current [release
schedule](https://tails.boum.org/contribute/release_schedule/), there’s
one week in six when Tails users are vulnerable to a bunch of known
security issues in Iceweasel.
# Roadmap
1. Find out what additional hardening compilation option can possibly
be added to Iceweasel by the Debian maintainer. The Debian security
team might be happy to help. Here’s what the maintainer’s already
stated opinions on the topic ([Debian bug
#609975](http://bugs.debian.org/609975) and [Debian bug
#653191](http://bugs.debian.org/653191\)): *I’m really not a big
fan of -Wl,-z,relro and -Wl,-z,now. For instance, I’m not sure -z
relro buys anything worth, while it may have a significant startup
performance impact on big applications. (and if I’m not mistaken, -z
relro actually makes things not work with selinux, seeing how
selinux already breaks the mprotect that removes the write bit on
code sections after text relocations).* Moritz [has
doubts](http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653191#27)
about the relro part, and *Support for selinux in Debian is marginal
at best, anyway*. Last discussion about this was started on [Debian
bug #759165](https://bugs.debian.org/759165).
2. Design a great plan.
3. Implement a great plan.
4. See what the maintainer is happy to take.
5. If still needed, add more hardening compilation options to our own
Iceweasel builds.
# How others do
Hardening compilation options currently enabled in:
- upstream Firefox: none (31.0b7 and 24.6.0esr, for Linux 64-bit and
32-bit)
- <http://glandium.org/blog/?p=3310>
- <https://bugzilla.gnome.org/show_bug.cgi?id=737849>
- <https://bugzilla.mozilla.org/show_bug.cgi?id=620058>
- <https://bugzilla.mozilla.org/show_bug.cgi?id=857628>
- <https://bugzilla.mozilla.org/show_bug.cgi?id=1018210>
- <https://bugzilla.mozilla.org/show_bug.cgi?id=777948>
- TBB 4.0 nightly (20141007): everything enabled
- TBB 3.6.6, TBB 4.0-alpha-2:
- enabled: PIE, stack protected, fortify source, bindnow
- disabled: relro
(<https://trac.torproject.org/projects/tor/ticket/12103)>
- Debian’s Iceweasel 17.0.3 ESR:
- enabled: stack protected, Fortify Source functions
- disabled: PIE, Read-only relocations, Immediate binding
- Ubuntu’s Firefox (using
[hardening-wrapper](http://packages.debian.org/hardening%2Dwrapper\)):
PIE, stack protected, Fortify Source functions, Read-only
relocations, Immediate binding
# Related to…
- Once we have AppArmor support in Tails (tails/tails#5370), we’ll probably want
to use it as an additional way to contain the least powerful
exploits a bit more.
- Incremental upgrades may help putting out a minor Tails release a
bit faster after a Firefox ESR release.
### Related issues
- **Related to** tails/tails#7953
- **Related to** tails/tails#7155
issue