| 1 |
On Tue, 09 May 2017 12:26:48 -0500 |
| 2 |
Matthias Maier <tamiko@g.o> wrote: |
| 3 |
|
| 4 |
> Title: GCC 6 defaults to USE="pie ssp" |
| 5 |
> Author: Matthias Maier <tamiko@g.o> |
| 6 |
> Content-Type: text/plain |
| 7 |
> Posted: 2017-05-07 |
| 8 |
> Revision: 1 |
| 9 |
> News-Item-Format: 1.0 |
| 10 |
> Display-If-Installed: >=sys-devel/gcc-6.3.0 |
| 11 |
> Display-If-Keyword: amd64 |
| 12 |
> |
| 13 |
> In Gentoo, several GCC features can be default disabled or enabled |
| 14 |
> via use-flags of sys-devel/gcc. Starting with gcc-4.8.3 we have |
| 15 |
> already enabled default SSP [1]. Since the PIE patchset for default |
| 16 |
> position independent executable support was integrated upstream |
| 17 |
> [2,3], starting with gcc-6.3 we are also enabling PIE by default (via |
| 18 |
> a default-enabled use-flag pie) in regular (non-hardened) profiles. |
| 19 |
> |
| 20 |
> [Additionally, following Gentoo policies, the default-off use-flags |
| 21 |
> nopie (only present in Hardened) and nossp are replaced starting with |
| 22 |
> gcc-6 by default-on use-flags pie and ssp.] |
| 23 |
|
| 24 |
|
| 25 |
There is a *huge* difference between: |
| 26 |
<flag name="nopie">Disable PIE support (NOT FOR GENERAL USE)</flag> |
| 27 |
and the negation of: |
| 28 |
pie - Build programs as Position Independent Executables (a security |
| 29 |
hardening technique) |
| 30 |
|
| 31 |
Enabling the latter builds *everything* as PIE. |
| 32 |
|
| 33 |
> Be advised that switching from an older version to GCC 6 will enable |
| 34 |
> the PIE feature by default. This should not cause many problems, but |
| 35 |
> it may be necessary to recompile parts of your userland. An indicator |
| 36 |
> are linker errors of the form [4] |
| 37 |
|
| 38 |
Do you realize that this breaks linking against about any static lib |
| 39 |
ever built before upgrading ? And I'm not even considering people |
| 40 |
toggling the flag. |
| 41 |
|
| 42 |
While I believe it might be a bit too early to default-enable pie, why |
| 43 |
not, but the news item *must* contain instructions that people should |
| 44 |
'emerge -e world' in order for it to work. |
| 45 |
|
| 46 |
Also, I don't believe default-pie should even be a useflag. It's always |
| 47 |
been forced-on for hardened and forced-off for non-hardened I think. |
| 48 |
Switching between the two types of profiles has always been difficult |
| 49 |
because of that kind of differences. I strongly believe this should stay |
| 50 |
that way (that is: this cant be toggled by a simple useflag). |
| 51 |
|
| 52 |
Bests, |
| 53 |
|
| 54 |
Alexis. |
Archives