| 1 |
On Thu, 2004-03-18 at 12:18, Martin Bene wrote: |
| 2 |
> Hi, |
| 3 |
> |
| 4 |
> Looks like support for hardened-gcc was dropped/removed a few days ago |
| 5 |
> with release of "dummy" hardened-gcc 5.0. |
| 6 |
> |
| 7 |
> For me, this is a fairly drastic and unexpected change - I hadn't heared |
| 8 |
> anything about end-of-life for hardened gcc previously. |
| 9 |
> |
| 10 |
> Also, from reading the bugtracker, it looks like there's supposed to be |
| 11 |
> a replacement for the functionality available in a few weeks? |
| 12 |
> |
| 13 |
|
| 14 |
> For now, change of make.conf compiler flags is proposed as a workaround? |
| 15 |
> |
| 16 |
> So, could someone please tell me |
| 17 |
> - What flags are suggested for make.conf |
| 18 |
|
| 19 |
In the purest form. |
| 20 |
|
| 21 |
/etc/make.conf |
| 22 |
CFLAGS="-fPIC -fstack-protector" |
| 23 |
LDFLAGS="-pie" |
| 24 |
|
| 25 |
My FLAGS are a bit more agressive and mileage may very. |
| 26 |
CFLAGS="-fPIC -fforce-addr -fomit-frame-pointer -fstack-protector-all" |
| 27 |
LDFLAGS="-pie -Wl,-z,now" |
| 28 |
|
| 29 |
If your using kernel supports PT_PAX_FLAGS you might even want to |
| 30 |
selectively enable. LDFLAGS="${LDFLAGS} -Wl,-z,noexecstack |
| 31 |
-Wl,-z,noexecheap" |
| 32 |
|
| 33 |
Note: |
| 34 |
{C{,XX},LD}FLAGS is an inferior solution and chances are you will end up |
| 35 |
with text relocations where hgcc could prevent them. So carefully review |
| 36 |
your installed binaries post install. I'm not sure but perhaps |
| 37 |
ASFLAGS="-K PIC" will help fix the text relocation problem showing up |
| 38 |
when doing this via make.conf |
| 39 |
|
| 40 |
> - How will this work with packages like lilo that previosuly didn't |
| 41 |
> work with hardened-gcc and had extra flags set in their ebuilds to turn |
| 42 |
> off hardened gcc? |
| 43 |
> |
| 44 |
|
| 45 |
It will probably break most boot loaders or any code thats making use of |
| 46 |
-nostdlib. I committed a fix for grub yesterday so we know that one |
| 47 |
works. glibc stable will probably bomb. I'd like it if somebody could |
| 48 |
confirm the ~arch fix I committed yesterday before I touch the stable |
| 49 |
glibc. |
| 50 |
|
| 51 |
> Personaly, I'd have prefered a smoother transition with |
| 52 |
> - some information on gentoo-hardened prior to disabling hardened-gcc |
| 53 |
> - leaving it in place until a replacement is actually available |
| 54 |
> |
| 55 |
|
| 56 |
Most of us would have here. I think the fundamental reason for this was |
| 57 |
hgcc not staying in sync with gcc versions while upgrading from the |
| 58 |
3.2.x. pappy@g.o should be able to explain his motivation for masking |
| 59 |
the package. He added the dummy script upon request to aid in a smoother |
| 60 |
transition. |
| 61 |
|
| 62 |
> Thanks, for your time, |
| 63 |
> |
| 64 |
good luck. |
| 65 |
|
| 66 |
|
| 67 |
> Martin |
| 68 |
> |
| 69 |
> |
| 70 |
> -- |
| 71 |
> gentoo-hardened@g.o mailing list |
| 72 |
-- |
| 73 |
Ned Ludd <solar@g.o> |
| 74 |
Gentoo Linux Developer |
Archives