Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] Building hardened gcc specs always, just not enabling them by default
Date: Sun, 23 Oct 2011 19:48:11
Message-Id: 4EA46F53.10400@gentoo.org
In Reply to: Re: [gentoo-dev] Building hardened gcc specs always, just not enabling them by default by Alexandre Rostovtsev
On 10/23/2011 03:20 PM, Alexandre Rostovtsev wrote:
> On Sun, Oct 23, 2011 at 3:03 PM, Anthony G. Basile <blueness@g.o> wrote:
>> Where would the hardened profiles fit in this? This requires some
>> thought. Right now "hardened" means three choices: 1) hardened
>> toolchain, 2) hardened-sources kernel, 3) hardened profile. Some
>> packages are masked or added to the profile for the toolchain, some for
>> the kernel. We'd have to disentangle those. I'm not sure how the
>> details would play out.
> My impression was that for the hardened kernels case, specific USE
> flags such as "pax_kernel" are supposed to be used instead of the
> generic "hardened".
>
> -Alexandre
>
Yes. Because some people wanted binaries built with a vanilla toolchain
running under a pax kernel. So, we encouraged the use of a different
USE flag to tell ebuilds that this package *might* be run under a
pax_kernel and therefore should have certain pax markings. Since that
has nothing to do with a hardened toolchain, we encouraged the use of a
new local flag, pax_kernel. However, this is a weak USE flag because
pax marking a binary that runs under a vanilla kernel is harmless, as
the kernel will simply ignore the pt_pax program header in the ELF. And
all binaries built in gentoo have this header automatically because of a
patch in binutils. It's added "just in case". You can see it when you
do readelf -l /path/to/elf.

So if you look in the hardened profiles, you'll see some things masked
like net-im/skype because of the kernel, and some things masked like
=sys-devel/gdb-7.0* because of the toolchain. If the hardened toolchain
moves into mainstream, then we'll have to sort through those and figure
out how to incorporate them into the main profiles. How would we say,
if you use gcc-config and choose gcc-4.5.1-hardened spec, mask
gdb-7.0*? I don't think it's impossible, but I'm not seeing how to
proceed right now.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
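The message above says that a PaX-aware binutils stamps every binary with a PaX program header, that a vanilla kernel simply ignores it, and that `readelf -l` shows it. The following is an added example, not code from the mail or from Gentoo: a small ELF program-header walker that finds that header and decodes its bits, so the "is this binary pax-marked, and with what?" question can be answered without readelf. The constant `PT_PAX_FLAGS` (PT_LOOS + 0x5041580) and the flag bit positions are the ones used by the PaX project's binutils/elfutils patches; the sample images are constructed inline (they are not loadable, they only exercise the parser), and `build_elf`, `pax_flags` and `decode_pax_flags` are names chosen here, not an API of any real tool.

```python
import struct

# PT_PAX_FLAGS = PT_LOOS + 0x5041580, the OS-specific program header type the
# PaX binutils patch emits.  Bit layout of p_flags as used by PaX/paxctl:
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = {
    "PAGEEXEC": 1 << 4,  "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6,  "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8,  "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}
PT_LOAD = 1


def program_headers(data):
    """Yield (p_type, p_flags) for every program header of an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elfclass, encoding = data[4], data[5]
    end = {1: "<", 2: ">"}[encoding]              # ELFDATA2LSB / ELFDATA2MSB
    if elfclass == 2:                             # ELFCLASS64
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                             # p_flags follows p_type in Elf64_Phdr
    elif elfclass == 1:                           # ELFCLASS32
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                            # p_flags is the 7th word in Elf32_Phdr
    else:
        raise ValueError("unknown ELF class %d" % elfclass)
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if base + e_phentsize > len(data):
            raise ValueError("program header table runs past end of image")
        (p_type,) = struct.unpack_from(end + "I", data, base)
        (p_flags,) = struct.unpack_from(end + "I", data, base + flags_off)
        yield p_type, p_flags


def pax_flags(data):
    """Return the p_flags of the PT_PAX_FLAGS header, or None if the binary carries none."""
    for p_type, p_flags in program_headers(data):
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def decode_pax_flags(p_flags):
    """Names of the PaX bits set in p_flags; an empty list means 'leave kernel defaults'."""
    return [name for name, bit in PAX_FLAG_BITS.items() if p_flags & bit]


def build_elf(phdrs, elfclass=2):
    """Constructed minimal little-endian ELF image (1 = ELF32, 2 = ELF64) whose program
    headers carry the given (p_type, p_flags) pairs.  Not loadable; test input only."""
    e_ident = b"\x7fELF" + bytes([elfclass, 1, 1]) + bytes(9)   # class, LSB, EV_CURRENT
    if elfclass == 2:
        ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 62, 1, 0x401000,
                           64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x1000)
                        for t, f in phdrs)
    else:
        ehdr = struct.pack("<16sHHIIIIIHHHHHH", e_ident, 2, 3, 1, 0x8048000,
                           52, 0, 0, 52, 32, len(phdrs), 0, 0, 0)
        body = b"".join(struct.pack("<IIIIIIII", t, 0, 0, 0, 0, 0, f, 0x1000)
                        for t, f in phdrs)
    return ehdr + body


# Constructed samples: one image stamped the way a PaX-aware binutils would
# (here with MPROTECT and RANDMMAP set), one from a toolchain that emitted no
# PT_PAX_FLAGS header at all.
SAMPLE_MARKED = build_elf([(PT_LOAD, 5),
                           (PT_PAX_FLAGS, PAX_FLAG_BITS["MPROTECT"] | PAX_FLAG_BITS["RANDMMAP"])])
SAMPLE_VANILLA = build_elf([(PT_LOAD, 5)])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            flags = pax_flags(fh.read())
        if flags is None:
            print(path, "no PT_PAX_FLAGS header")
        else:
            print(path, hex(flags), " ".join(decode_pax_flags(flags)) or "(defaults)")
```

Run it on a few binaries from `/usr/bin` and compare with `readelf -l`, which labels the same header `PAX_FLAGS`. As the mail says, the header's presence tells you nothing about enforcement: a vanilla kernel never reads it, so a marked binary behaves identically there, and only a PaX kernel will honour the bits it carries.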
