Gentoo Archives: gentoo-dev

From: Duncan <1i5t5.duncan@×××.net>
To: gentoo-dev@l.g.o
Subject: [gentoo-dev] Re: Improve the security of the default profile
Date: Wed, 11 Sep 2013 04:50:42
Message-Id: pan$20382$f14f04a3$554ce8c3$ff3d9f67@cox.net
Rich Freeman posted on Tue, 10 Sep 2013 21:17:33 -0400 as excerpted:

> On Tue, Sep 10, 2013 at 6:41 PM, Richard Yao <ryao@g.o> wrote:
>> 1. The kernel expects -fno-stack-protector to be the default. What will
>> the effect be on kernel configuration once -fstack-protector is the
>> default?
>
> Nothing, since the kernel build system doesn't source make.conf. If
> somebody creates an ebuild that actually installs a kernel then it might
> be an issue, though it could be filtered if it is a problem.

If I'm not mistaken, dirtyepic intends to patch gcc directly to enable
-fstack-protector, changing the default at that level so it'll be used
unless -fno-stack-protector is in CFLAGS. At least, that's how I
interpret (dirtyepic):

"'filter-flags -fstack-protector [won't] actually work
(we have to patch the compiler, not just add it to the
default flags in the profiles or something)."

Which means that yes, it WILL affect the kernel (and anything else
separately compiled, unless -fno-stack-protector is given), since it'll
then be the gentoo-patched gcc default, not in make.conf.

(Tho jer points out that the parisc arch, among others, won't work with
that flag at all, and warns to that effect. So I guess the patch will
either be ifdeffed not to apply on such archs or will be conditionally
applied in the first place. The former is I believe preferred as
conditional patching is considered subpar.)

I guess hardened should know what -fstack-protector does to the kernel,
tho.

But in any case it's certainly worth a news item when it happens, as
people obviously build a lot of stuff with gcc independent of the tree,
and I'm sure some of it will break if that becomes the default, so
letting them know about it with a news item should help avoid at least
/some/ of the resulting bugs from such a default-change.

--
Duncan - List replies preferred. No HTML msgs.
"Every nonfree program has a lord, a master --
and if you use the program, he is your master." Richard Stallman
