From f33e96495e71bc5df1757d3c32f9a35c08c84be3 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 6 Aug 2024 16:36:43 -0500 Subject: [PATCH 1/3] Update disable safety and enable slow safety options in docs --- Doc/using/configure.rst | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 6a4a52bb6e8b12..bb2c88db46232e 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -911,8 +911,16 @@ Security Options Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. If this option is not enabled, CPython will be built based on safety compiler options with no slow down. + When this option is enabled, CPython will not include the compiler options listed below. - .. _OpenSSF: https://openssf.org/ + Compiler options that are disabled with this option: + + * ``-fstack-protector-strong``: `Enable run-time checks for stack-based buffer overflows.`_ + * ``-Wtrampolines``: `Enable warnings about trampolines that require executable stacks`_ + + .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md + .. _Enable run-time checks for stack-based buffer overflows.: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows + .. _Enable warnings about trampolines that require executable stacks: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks .. versionadded:: 3.14 @@ -920,8 +928,14 @@ Security Options Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. + When this option is enabled, CPython will include the compiler options listed below. + + Compiler options that are enabled with this option: + + * ``-D_FORTIFY_SOURCE=3``: `Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows`_ - .. _OpenSSF: https://openssf.org/ + .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md + .. _Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows .. versionadded:: 3.14 From 67f3faf0734ccbcae4180896d61d35c1847b9cda Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Tue, 6 Aug 2024 16:47:48 -0500 Subject: [PATCH 2/3] Make option names the link --- Doc/using/configure.rst | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index bb2c88db46232e..0f57e11d51ed49 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -911,16 +911,16 @@ Security Options Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. If this option is not enabled, CPython will be built based on safety compiler options with no slow down. - When this option is enabled, CPython will not include the compiler options listed below. + When this option is enabled, CPython will not be built with the compiler options listed below. Compiler options that are disabled with this option: - * ``-fstack-protector-strong``: `Enable run-time checks for stack-based buffer overflows.`_ - * ``-Wtrampolines``: `Enable warnings about trampolines that require executable stacks`_ + * `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows. + * `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks. .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md - .. _Enable run-time checks for stack-based buffer overflows.: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows - .. _Enable warnings about trampolines that require executable stacks: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks + .. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows + .. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks .. versionadded:: 3.14 @@ -928,14 +928,14 @@ Security Options Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. - When this option is enabled, CPython will include the compiler options listed below. + When this option is enabled, CPython will be built with the compiler options listed below. Compiler options that are enabled with this option: - * ``-D_FORTIFY_SOURCE=3``: `Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows`_ + * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md - .. _Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows + .. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows .. versionadded:: 3.14 From 6875a68fec8a0c0a512b02f7594979336948cdb4 Mon Sep 17 00:00:00 2001 From: Nate Ohlson Date: Wed, 7 Aug 2024 11:54:09 -0500 Subject: [PATCH 3/3] Re-word some sentences for clarity --- Doc/using/configure.rst | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/Doc/using/configure.rst b/Doc/using/configure.rst index 0f57e11d51ed49..e00d1ee3e716e7 100644 --- a/Doc/using/configure.rst +++ b/Doc/using/configure.rst @@ -909,16 +909,16 @@ Security Options .. option:: --disable-safety - Disable compiler options that are recommended by `OpenSSF`_ for security reasons with no performance overhead. + Disable compiler options that are `recommended by OpenSSF`_ for security reasons with no performance overhead. If this option is not enabled, CPython will be built based on safety compiler options with no slow down. When this option is enabled, CPython will not be built with the compiler options listed below. - Compiler options that are disabled with this option: + The following compiler options are disabled with :option:`!--disable-safety`: * `-fstack-protector-strong`_: Enable run-time checks for stack-based buffer overflows. * `-Wtrampolines`_: Enable warnings about trampolines that require executable stacks. - .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md + .. _recommended by OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md .. _-fstack-protector-strong: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-run-time-checks-for-stack-based-buffer-overflows .. _-Wtrampolines: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#enable-warning-about-trampolines-that-require-executable-stacks @@ -926,15 +926,14 @@ Security Options .. option:: --enable-slower-safety - Enable compiler options that are recommended by `OpenSSF`_ for security reasons which require overhead. + Enable compiler options that are `recommended by OpenSSF`_ for security reasons which require overhead. If this option is not enabled, CPython will not be built based on safety compiler options which performance impact. When this option is enabled, CPython will be built with the compiler options listed below. - Compiler options that are enabled with this option: + The following compiler options are enabled with :option:`!--enable-slower-safety`: * `-D_FORTIFY_SOURCE=3`_: Fortify sources with compile- and run-time checks for unsafe libc usage and buffer overflows. - .. _OpenSSF: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md .. _-D_FORTIFY_SOURCE=3: https://github.com/ossf/wg-best-practices-os-developers/blob/main/docs/Compiler-Hardening-Guides/Compiler-Options-Hardening-Guide-for-C-and-C++.md#fortify-sources-for-unsafe-libc-usage-and-buffer-overflows .. versionadded:: 3.14