Gentoo Archives: gentoo-dev

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-dev@l.g.o
Subject: Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.
Date: Thu, 09 Jan 2014 23:03:53
Message-Id: 52CF2ACF.1090305@gentoo.org
In Reply to: Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes. by Rick "Zero_Chaos" Farina
On 01/09/2014 05:29 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/09/2014 05:21 PM, Michał Górny wrote:
>> On 2014-01-09, at 17:06:52,
>> "Anthony G. Basile" <blueness@g.o> wrote:
>>
>>> On 01/09/2014 04:57 PM, Pacho Ramos wrote:
>>>> What are the advantages of disabling SSP to deserve that "special"
>>>> handling via USE flag or easily disabling it appending the flag?
>>> There are some cases where ssp could break things. I know of one case
>>> right now, but it's somewhat exotic. Also, sometimes we *want* to break
>>> things for testing. I'm thinking here of instances where we want to test
>>> a pax hardened kernel to see if it catches abuses of memory which would
>>> otherwise be caught by executables emitted from a hardened toolchain.
>>> Take a look at the app-admin/paxtest suite.
>> Just to be clear, are we talking about potential system-wide breakage
>> or single, specific packages being broken by SSP? In other words, are
>> there cases when people will really want to disable SSP completely?
>>
>> Unless I'm misunderstanding something, your examples sound like you
>> just want -fno-stack-protector per-package. I don't really think you
>> actually want to rebuild whole gcc just to do some testing on a single
>> package...
>>
> Or just as easily set -fno-stack-protector in CFLAGS in make.conf.
>
> I never felt manipulating cflags with use flags was a great idea, but in
> this case it does feel extra pointless.
>
> Personally I don't feel this is needed, and the added benefit of
> clearing up a bogus "noblah" use flag makes me smile.
>
> Zorry, do we really need this flag?
>
>

toolchain.eclass currently uses nossp as well as nopie. You'd have to
rework that to get rid of the flag.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA