On Thu, 2008-01-17 at 20:03 +0100, atoth@××××××××××.hu wrote:
> I'd like to give it a try. I'd like to help by testing it.
> I've found this:
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
> It seems to be a bit outdated, since binutils and glibc versions are all
> right now by default. Should I just unhardmask gcc-4* and go ahead?
> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
>
> Provide me some hints, please!
> (Solar? Kevin?)

Of course there is the KQ overlay. For those who simply want basic
hardening and have no desire to wait for it to hit the tree, I'd
suggest just unmasking gcc-4, building it and then injecting some gcc
specs to handle auto-building hardened-alike bins.

One of my setups looks like this.

solar@hangover /etc/env.d/gcc $ gcc-config -l
[1] x86_64-pc-linux-gnu-3.4.6
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
[5] x86_64-pc-linux-gnu-3.4.6-vanilla
[6] x86_64-pc-linux-gnu-4.1.2
[7] x86_64-pc-linux-gnu-4.1.2-hardened *

solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened
PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32"
MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man"
INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info"
STDCXX_INCDIR="g++-v4"
GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs"

The line that matters here is the one that defines GCC_SPECS=

http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs
Or
http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs

solar@hangover /etc/env.d/gcc $ wget -O - -q http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2 | tar jtf -
etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened
usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs

On another box that is pure gcc-4 I also handle pie/pic/etc
via /etc/portage/env/

That setup looks like

homeless env # find . -type l -ls
586387 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/openssh -> ../env.pie
586389 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/proftpd -> ../env.pie
586390 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/rsync -> ../env.pie
586370 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/oidentd -> ../env.pie
586404 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/ntp -> ../env.pie
586406 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-irc/bitchx -> ../env.pie
586402 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-irc/epic4 -> ../env.pie
896065 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-dns/bind -> ../env.pie
895896 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-ftp/proftpd -> ../env.pie
895898 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./sys-apps/xinetd -> ../env.pie
895900 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./app-admin/syslog-ng -> ../env.pie
586408 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-mail/courier-imap -> ../env.pie
586410 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./app-antivirus/clamav -> ../env.pie
586415 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./dev-db/mysql -> ../env.pie
586417 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./mail-mta/postfix -> ../env.pie
586413 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./www-servers/apache -> ../env.pie
586424 0 lrwxrwxrwx 1 root root 10 Jan 7 21:08 ./www-servers/lighttpd -> ../env.pie
586419 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./dev-util/cvs -> ../env.pie

homeless env # cat env.pie
# This file can be sourced in on packages to build them as ET_DYN

# Add -fPIC unless the user already set it: the substitution leaves
# $CFLAGS unchanged when the flag is absent.  The right-hand side is
# quoted so the comparison is literal rather than a glob match.
if [[ ${CFLAGS/-fPIC/} == "$CFLAGS" ]]; then
    echo " * Exporting: old pic compiler flag in $EBUILD_PHASE"
    CFLAGS="${CFLAGS} -fPIC"
    CXXFLAGS="$CFLAGS"
fi

# Same idea for -pie at link time.
if [[ ${LDFLAGS/-pie/} == "$LDFLAGS" ]]; then
    echo " * Exporting: old pie linker flag in $EBUILD_PHASE"
    LDFLAGS="$LDFLAGS -pie"
fi

export CFLAGS CXXFLAGS LDFLAGS


Note that both of the methods I have shown do not enable SSP in gcc-4.


> I feel myself alone.

What you do in private is your own business.


--
Ned Ludd <solar@g.o>
Gentoo Linux

--
gentoo-hardened@l.g.o mailing list
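Neither of the two methods in the message above (a hardened specs file selected through GCC_SPECS, or -fPIC/-pie injected per package from /etc/portage/env) tells you afterwards whether a given rebuilt binary actually came out as ET_DYN. The following is an added example, not code from the original post or from Gentoo: it reads the ELF header and program headers with nothing but the Python standard library (no readelf dependency), classifies an image as a fixed-address ET_EXEC, a PIE (ET_DYN carrying a PT_INTERP) or a plain shared object, and also reports the PT_GNU_STACK and PT_GNU_RELRO segments. It deliberately handles only ELFCLASS64 little-endian images, an assumption matching the x86_64 setup shown; 32-bit x86 needs the Elf32 offsets instead. The build_sample_elf fixture is constructed for illustration and is not loadable. It does not check for SSP, which would mean walking the dynamic symbol table for a __stack_chk_fail import, so it says nothing about the SSP caveat at the end of the message.

```python
"""Check whether an ELF binary actually came out as PIE (ET_DYN) with an
NX stack and RELRO, using only the standard library.  Added example for
illustration; not code from the original post or from Gentoo."""
import struct
import sys
from typing import Dict, List, Tuple

# Constants from <elf.h>
ELFMAG = b"\x7fELF"
ELFCLASS64 = 2
ELFDATA2LSB = 1
ET_EXEC = 2
ET_DYN = 3
PT_DYNAMIC = 2
PT_INTERP = 3
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4


def inspect_elf(data: bytes) -> Dict[str, object]:
    """Classify an ELFCLASS64 little-endian image from its header and
    program headers alone.  Assumption: x86_64 layout, as in the setup
    above; 32-bit x86 would need the Elf32_Ehdr/Elf32_Phdr offsets."""
    if data[:4] != ELFMAG:
        raise ValueError("not an ELF image")
    if data[4] != ELFCLASS64 or data[5] != ELFDATA2LSB:
        raise ValueError("only ELFCLASS64 / little-endian images are handled")
    # Elf64_Ehdr: e_type @16 (u16), e_phoff @32 (u64), e_phentsize @54, e_phnum @56
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    types_seen = set()
    stack_flags = None
    for i in range(e_phnum):
        # Elf64_Phdr starts with p_type (u32) and p_flags (u32)
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        types_seen.add(p_type)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags

    has_interp = PT_INTERP in types_seen
    if e_type == ET_EXEC:
        kind = "exec"            # fixed load address: not PIE
    elif e_type == ET_DYN and has_interp:
        kind = "pie"             # relocatable executable with a program interpreter
    elif e_type == ET_DYN:
        kind = "shared-object"   # library (or static-pie, which also lacks PT_INTERP)
    else:
        kind = "other"           # ET_REL, ET_CORE, ...

    return {
        "kind": kind,
        "pie": kind == "pie",
        # No PT_GNU_STACK at all means the kernel falls back to an executable stack
        "nx_stack": stack_flags is not None and not (stack_flags & PF_X),
        "relro": PT_GNU_RELRO in types_seen,
        "dynamic": PT_DYNAMIC in types_seen,
    }


def inspect_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def build_sample_elf(e_type: int, phdrs: List[Tuple[int, int]]) -> bytes:
    """Constructed fixture: a bare Elf64 header followed by program headers
    with only p_type/p_flags filled in.  Not loadable; enough for inspect_elf()."""
    e_ident = ELFMAG + bytes([ELFCLASS64, ELFDATA2LSB, 1, 0]) + bytes(8)
    ehdr = e_ident + struct.pack(
        "<HHIQQQIHHHHHH",
        e_type, 62, 1,              # e_type, e_machine (EM_X86_64), e_version
        0x1000, 64, 0,              # e_entry, e_phoff (right after the header), e_shoff
        0, 64, 56, len(phdrs),      # e_flags, e_ehsize, e_phentsize, e_phnum
        64, 0, 0)                   # e_shentsize, e_shnum, e_shstrndx
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    # Usage: python elfcheck.py /usr/sbin/sshd /usr/sbin/ntpd ...
    for p in sys.argv[1:] or ["/bin/sh"]:
        r = inspect_file(p)
        print(f"{p}: {r['kind']:<13} nx_stack={r['nx_stack']} relro={r['relro']}")
```

Run it over the binaries of the packages symlinked to env.pie after the rebuild: a daemon that still reports "exec" did not pick up -pie, typically because its build system ignores LDFLAGS or the ebuild filters the flag. Note that a static-pie shows up as "shared-object" here, since it also has no PT_INTERP.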