| Platforms offer varying security features; we'd like to support the best. |
| |
| This is a document that notes which security hardening we have implemented and |
| which things we'd like to see implemented for various platforms. We |
| specifically address exploitation mitigation and containment; security issues |
| such as x509 certification validation are not addressed here, yet. Patches, |
| suggestions and improvements are welcome! We always want the strongest set of |
| options by default on each supported platform. |
| |
| We attempt to use the C programming language correctly and in a standard way. |
| We do however use some compiler specific options such as defining integer |
| wrapping because we believe the practical benefit outweights the implied risks. |
| As such, we prefer to be explicit rather than implicit in our casting or other |
| possible ambiguity. |
| |
| We should treat all compiler and linker warnings as fatal errors. Currently, |
| consider autotools warnings to be an exception as we would like to support |
| platforms imperfectly rather than not at all. We generally wish to support |
| autotools bootstrapping on all of our supported platforms. This is not possible |
| on Plan 9. Currently autotools will complain on the BSD systems. |
| |
| On all platforms we attempt to support available compiler hardening and linking |
| options. Please do not disable these options. Additional compiler and linker |
| hardening options are welcome and the current options are implemented in the |
| following file: |
| |
| configure.ac |
| |
| On all platforms, we attempt to switch from the administrative user to an |
| unimportant role account which shares data with no other processes. If we start |
| as any user other than an administrative user, we will likely be unable to |
| switch to our normal unprivileged account. These users are defined at |
| `configure` time. It is most effective if such a user is not the traditional |
| 'nobody' or group 'nogroup' as is often the tradition. |
| |
| In addition to the above hardening options, we have tried to extend our |
| hardening when the platform supports it. Each additional security measure that |
| we take is documented as well as planned or desired improvements. |
| |
| We do not currently support or set ulimits, we should do so where possible. |
| |
| On Debian Gnu/Linux platforms, we ship with a minimal AppArmor profile, see |
| the policy for details: |
| |
| apparmor-profile |
| |
| We'd like to have an SELinux policy specifically for tlsdate. |
| We'd like to support capability dropping with libcap or libcap-ng. |
| We'd like to support libseccomp2 filters. |
| Other kernel hardening suggestions are welcome. |
| |
| On ChromeOS we use minijail and seccomp filters, see the following policies for |
| details: |
| |
| tlsdate-seccomp-amd64.policy |
| tlsdate-seccomp-arm.policy |
| tlsdate-seccomp-x86.policy |
| |
| These are enabled by default in ChromeOS. |
| |
| On FreeBSD, we'd like to support jails, chroot, and Capsicum. |
| |
| On OpenBSD, we'd like to support chroot and systrace. |
| |
| On NetBSD, we'd like to chroot. |
| |
| On DragonFly BSD, we'd like to support chroot and jails. |
| |
| On Mac OS X, we'd like to support chroot and seatbelt. |
| |
| On Plan9, we'd like to chroot. |
| |
| On Windows, we do nothing beyond compile time hardening. We'd like to do more. |
| |
| On other platforms, we'll try to run correctly with the understanding that any |
| bug is likely a much more serious problem. |
