(O.K....... I'll be the sacrificial bozo :-) )

I've been running hardened kernels for a year or so with hardened pic in
make.conf; but never changed my profile to hardened. PAX seemed to work
fine (killed some flaky stuff), as did grsecurity.

So IIUC, I now have 4.1.1 with neither PAX nor SPP (wondered why Xorg
worked so well without paxctl tweaks).

IIUC, I have at least four alternatives:

a. Change my profile, revert to 3.4, and recompile everything - in
anticipation of upgrading to 4.1.1 when it becomes hardened-capable. (two
big upgrades - not my favorite alternative)

b. Wait 'til 4.1.1 becomes ready and then compile everything with a
hardened profile. (one big upgrade)

c. Wait 'til 4.2.x is issued and then compile everything......

d. (?) Hand-job my gcc settings somehow (e.g.):

"...the current toolchain implements the equivalent of CFLAGS="-fPIE
-fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically
through GCC's specfile which is a more proper solution. For older
hardened-gcc users, add USE="hardened pic" to your /etc/make.conf and then
upgrade with the following commands
# emerge --oneshot binutils gcc virtual/libc
# emerge -e world"


So, given that I'm a newbie, and that my next move is all about timing,
the questions are:

1. How long 'til 4.1.1 will be released to hardened profiles (this is not a
nag, just need a planning window)?

2. Will alternative d. even work? If so, would reemerging the hardened
profile undo those tweaks when 4.1.1 is hardened ready?

3. How long 'til 4.2.x becomes hardened available, and will it be an emerge
world?


>
> Unmasking gcc-4.1.1 will work in as much as it'll build stuff that runs
> fine, but it'll compile everything vanilla unless you modify the specs
> file yourself. <=======


> This means that you won't get PIE executables (so PaX
> ASLR won't do anything), you won't be building with the stack protector,
> stuff won't be RELRO/BIND_NOW.
>
> See the docs on the project website for more information
> http://www.gentoo.org/proj/en/hardened/ <=== Yep.... with a microscope
> :-)


TIA


>


--
gentoo-hardened@g.o mailing list
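As an added check, not code from this thread, from the Gentoo Hardened project or from its docs: the quoted reply says a vanilla gcc build gives no PIE, no stack protector and no RELRO/BIND_NOW. The Python script below reads exactly those four properties out of an ELF64 file's headers (the same fields `readelf -h`, `-l` and `-d` print), so after a rebuild each binary can be audited rather than trusted. It builds its own constructed, minimal ELF fixture so it runs offline; `build_sample_elf` and `check_hardening` are names chosen here, and the PIE heuristic (`e_type == ET_DYN`) is an assumption that treats the input as an executable rather than a shared library.

```python
import struct
import sys

# ELF constants (from the ELF64 specification and the GNU/Linux ABI)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC = 1, 2
PT_GNU_RELRO = 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # ELF64 header, little-endian, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # ELF64 program header, 56 bytes
DYN = struct.Struct("<qQ")                  # ELF64 dynamic entry, 16 bytes


def _vaddr_to_offset(phdrs, vaddr):
    """Map a virtual address to a file offset through the PT_LOAD segments."""
    for p in phdrs:
        if p[0] == PT_LOAD and p[3] <= vaddr < p[3] + p[5]:
            return vaddr - p[3] + p[2]
    return None


def check_hardening(data: bytes) -> dict:
    """Report PIE, RELRO, BIND_NOW and stack-protector use for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    hdr = EHDR.unpack_from(data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    # Assumption: the file is an executable; a shared library is ET_DYN too.
    result = {"pie": e_type == ET_DYN,
              "relro": any(p[0] == PT_GNU_RELRO for p in phdrs),  # -Wl,-z,relro
              "bind_now": False, "stack_protector": False}
    dyn = next((p for p in phdrs if p[0] == PT_DYNAMIC), None)
    if dyn is not None:  # statically linked files have no dynamic section
        tags, off = {}, dyn[2]
        while off + DYN.size <= len(data):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            tags.setdefault(tag, val)
            off += DYN.size
        # -Wl,-z,now shows up as DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW
        result["bind_now"] = bool(DT_BIND_NOW in tags
                                  or tags.get(DT_FLAGS, 0) & DF_BIND_NOW
                                  or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)
        # -fstack-protector* code imports __stack_chk_fail from libc, so the
        # name lands in the dynamic string table (assumes dynamic linking).
        if DT_STRTAB in tags and DT_STRSZ in tags:
            so = _vaddr_to_offset(phdrs, tags[DT_STRTAB])
            if so is not None:
                strtab = data[so:so + tags[DT_STRSZ]]
                result["stack_protector"] = b"__stack_chk_fail\x00" in strtab
    result["full_relro"] = result["relro"] and result["bind_now"]
    return result


def build_sample_elf(pie, relro, bind_now, ssp) -> bytes:
    """Constructed fixture: a minimal, non-runnable ELF64 with the chosen traits."""
    strtab = b"\x00libc.so.6\x00" + (b"__stack_chk_fail\x00" if ssp else b"") + b"main\x00"
    dyn_off = 0x200
    entries = [(DT_STRSZ, len(strtab))] + ([(DT_FLAGS, DF_BIND_NOW)] if bind_now else []) + [(DT_NULL, 0)]
    str_off = dyn_off + DYN.size * (len(entries) + 1)  # +1 for the DT_STRTAB entry
    entries.insert(0, (DT_STRTAB, str_off))             # vaddr == file offset in this image
    dyn_bytes = b"".join(DYN.pack(t, v) for t, v in entries)
    total = str_off + len(strtab)
    phdrs = [PHDR.pack(PT_LOAD, 5, 0, 0, 0, total, total, 0x1000),
             PHDR.pack(PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 8)]
    if relro:
        phdrs.append(PHDR.pack(PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dyn_bytes), len(dyn_bytes), 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    body = ehdr + b"".join(phdrs)
    return body + bytes(dyn_off - len(body)) + dyn_bytes + strtab


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real binary: python3 elfcheck.py /usr/bin/somefile
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_hardening(f.read()))
    else:
        for flags in ((False,) * 4, (True,) * 4):
            print(flags, check_hardening(build_sample_elf(*flags)))
```

Run it over the rebuilt system's executables to see which ones still look "vanilla"; a hit for `relro` without `bind_now` is the partial-RELRO case, which is why the page's quoted flags carry both `-z,relro` and `-z,now`.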