| 1 |
On Mon, 24 Oct 2011 13:26:01 +0200 |
| 2 |
""Paweł Hajdan, Jr."" <phajdan.jr@g.o> wrote: |
| 3 |
|
| 4 |
> On 10/24/11 12:58 PM, Anthony G. Basile wrote: |
| 5 |
> > Well not totally on their own, they'd report it and we'd have to see |
| 6 |
> > what we want to do on an ad hoc basis. |
| 7 |
> |
| 8 |
> Fair enough, that's why I suggested to make the hardened spec |
| 9 |
> non-default, so that they have to switch it, and include the info in |
| 10 |
> emerge --info so we can identify the reason. |
| 11 |
> |
| 12 |
> > So maybe the first step would be |
| 13 |
> > to just build 5 specs: |
| 14 |
> > |
| 15 |
> > [1] x86_64-pc-linux-gnu-4.4.5 |
| 16 |
> > [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie |
| 17 |
> > [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp |
| 18 |
> > [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp |
| 19 |
> > [5] x86_64-pc-linux-gnu-4.4.5-vanilla |
| 20 |
> > |
| 21 |
> > Here [1] = fully hardened. Then ship with no other changes. When bug |
| 22 |
> > start to come in, you can deal with each --- some may be fixes at the |
| 23 |
> > package level (usually the build system), some may be ebuild fixes, some |
| 24 |
> > may need to go into the profiles. |
| 25 |
> |
| 26 |
> Right, this is exactly what I'm suggesting, just make [5] the default or |
| 27 |
> do some juggling so that [1] is vanilla and [5] is fully hardened or |
| 28 |
> something like that. |
| 29 |
|
| 30 |
I would expect x86_64-pc-linux-gnu-4.4.5 to be the vanilla profile and the |
| 31 |
fully hardened one to be something like x86_64-pc-linux-gnu-4.4.5-hardened. |
| 32 |
|
| 33 |
> > There is one other catch Zorry pointed out, glibc. There are some |
| 34 |
> > patches against glibc which would have to go in unconditionally. Take a |
| 35 |
> > look at eblit-src_unpack-post() in glibc-2.12.2.ebuild. Currently |
| 36 |
> > they're if use hardened. That conditional would be removed. |
| 37 |
> |
| 38 |
> Ah, ok. So we have another one. Let's find out our exact constraints: |
| 39 |
> |
| 40 |
> 1. Are those glibc patches required for gcc built with hardened support? |
| 41 |
> Will the gcc build fail without them, or will things fail at runtime |
| 42 |
> without them? |
| 43 |
> |
| 44 |
> 2. Enabling glibc patches would mean enabling PIC by default, right? Is |
| 45 |
> that OK? Can it cause breakages? |
| 46 |
> |
| 47 |
> 3. Am I reading things correctly that PIE is _not_ enabled by default, |
| 48 |
> but only when _using_ (i.e. active, not just built) PIE-enabled gcc specs? |
| 49 |
|
| 50 |
I imagine they're conditional for a reason. I just don't know what that |
| 51 |
reason is myself. ;) |
| 52 |
|
| 53 |
> >> Third - can we forcefully disable hardened features in packages that are |
| 54 |
> >> not compatible? My assumption is yes, and we should probably print a |
| 55 |
> >> warning then. |
| 56 |
> > |
| 57 |
> > There are a few things you can do here, yes. It is always possible to |
| 58 |
> > turn off hardening because the *last* resort solution is just switch |
| 59 |
> > compile specs in the ebuild. |
| 60 |
> |
| 61 |
> Do you mean calling gcc-config here or something else? If gcc-config, |
| 62 |
> it'd be quite hacky and fragile (parallel building of multiple packages, |
| 63 |
> having multiple versions of gcc installed). |
| 64 |
> |
| 65 |
> Is it possible to just pass flags to GCC: disable all this hardened |
| 66 |
> stuff? I know you can disable stack protector, but how about PIE or PIC, |
| 67 |
> and possible other hardening features? |
| 68 |
|
| 69 |
You might be able to use the GCC_SPECS env var. |
| 70 |
|
| 71 |
Personally I think this is a lot of work for not much benefit, but if you |
| 72 |
want to do it then who am I to argue. |
| 73 |
|
| 74 |
|
| 75 |
-- |
| 76 |
fonts, gcc-porting, it makes no sense how it makes no sense |
| 77 |
toolchain, wxwidgets but i'll take it free anytime |
| 78 |
@ gentoo.org EFFD 380E 047A 4B51 D2BD C64F 8AA8 8346 F9A4 0662 |
Archives