1 |
On Mon, 24 Oct 2011 13:26:01 +0200 |
2 |
""Paweł Hajdan, Jr."" <phajdan.jr@g.o> wrote: |
3 |
|
4 |
> On 10/24/11 12:58 PM, Anthony G. Basile wrote: |
5 |
> > Well not totally on their own, they'd report it and we'd have to see |
6 |
> > what we want to do on an ad hoc basis. |
7 |
> |
8 |
> Fair enough, that's why I suggested to make the hardened spec |
9 |
> non-default, so that they have to switch it, and include the info in |
10 |
> emerge --info so we can identify the reason. |
11 |
> |
12 |
> > So maybe the first step would be |
13 |
> > to just build 5 specs: |
14 |
> > |
15 |
> > [1] x86_64-pc-linux-gnu-4.4.5 |
16 |
> > [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie |
17 |
> > [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp |
18 |
> > [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp |
19 |
> > [5] x86_64-pc-linux-gnu-4.4.5-vanilla |
20 |
> > |
21 |
> > Here [1] = fully hardened. Then ship with no other changes. When bug |
22 |
> > start to come in, you can deal with each --- some may be fixes at the |
23 |
> > package level (usually the build system), some may be ebuild fixes, some |
24 |
> > may need to go into the profiles. |
25 |
> |
26 |
> Right, this is exactly what I'm suggesting, just make [5] the default or |
27 |
> do some juggling so that [1] is vanilla and [5] is fully hardened or |
28 |
> something like that. |
29 |
|
30 |
I would expect x86_64-pc-linux-gnu-4.4.5 to be the vanilla profile and the |
31 |
fully hardened one to be something like x86_64-pc-linux-gnu-4.4.5-hardened. |
32 |
|
33 |
> > There is one other catch Zorry pointed out, glibc. There are some |
34 |
> > patches against glibc which would have to go in unconditionally. Take a |
35 |
> > look at eblit-src_unpack-post() in glibc-2.12.2.ebuild. Currently |
36 |
> > they're if use hardened. That conditional would be removed. |
37 |
> |
38 |
> Ah, ok. So we have another one. Let's find out our exact constraints: |
39 |
> |
40 |
> 1. Are those glibc patches required for gcc built with hardened support? |
41 |
> Will the gcc build fail without them, or will things fail at runtime |
42 |
> without them? |
43 |
> |
44 |
> 2. Enabling glibc patches would mean enabling PIC by default, right? Is |
45 |
> that OK? Can it cause breakages? |
46 |
> |
47 |
> 3. Am I reading things correctly that PIE is _not_ enabled by default, |
48 |
> but only when _using_ (i.e. active, not just built) PIE-enabled gcc specs? |
49 |
|
50 |
I imagine they're conditional for a reason. I just don't know what that |
51 |
reason is myself. ;) |
52 |
|
53 |
> >> Third - can we forcefully disable hardened features in packages that are |
54 |
> >> not compatible? My assumption is yes, and we should probably print a |
55 |
> >> warning then. |
56 |
> > |
57 |
> > There are a few things you can do here, yes. It is always possible to |
58 |
> > turn off hardening because the *last* resort solution is just switch |
59 |
> > compile specs in the ebuild. |
60 |
> |
61 |
> Do you mean calling gcc-config here or something else? If gcc-config, |
62 |
> it'd be quite hacky and fragile (parallel building of multiple packages, |
63 |
> having multiple versions of gcc installed). |
64 |
> |
65 |
> Is it possible to just pass flags to GCC: disable all this hardened |
66 |
> stuff? I know you can disable stack protector, but how about PIE or PIC, |
67 |
> and possible other hardening features? |
68 |
|
69 |
You might be able to use the GCC_SPECS env var. |
70 |
|
71 |
Personally I think this is a lot of work for not much benefit, but if you |
72 |
want to do it then who am I to argue. |
73 |
|
74 |
|
75 |
-- |
76 |
fonts, gcc-porting, it makes no sense how it makes no sense |
77 |
toolchain, wxwidgets but i'll take it free anytime |
78 |
@ gentoo.org EFFD 380E 047A 4B51 D2BD C64F 8AA8 8346 F9A4 0662 |