On Thu, January 17, 2008 20:57, Ned Ludd wrote:
>
> On Thu, 2008-01-17 at 20:03 +0100, atoth@××××××××××.hu wrote:
>> I'd like to give it a try. I'd like to help by testing it.
>> I've found this:
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>> It seems to be a bit outdated, since binutils and glibc versions are all
>> right now by default. Should I just unhardmask gcc-4* and go ahead?
>> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
>>
>> Provide me some hints, please!
>> (Solar? Kevin?)
>
> Of course there is the KQ overlay. For those who simply want basic
> hardening and have no desire to wait for it to hit the tree, I'd
> suggest just unmasking gcc-4, building it and then injecting some gcc
> specs to have it auto-build hardened-like bins.
>
> One of my setups looks like this.
>
> solar@hangover /etc/env.d/gcc $ gcc-config -l
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
> [7] x86_64-pc-linux-gnu-4.1.2-hardened *
>
> solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened
> PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32"
> MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man"
> INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info"
> STDCXX_INCDIR="g++-v4"
> GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs"
>
>
> #
> The line that matters here is the one that defines GCC_SPECS=
>
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs
> Or
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs
>
>
> solar@hangover /etc/env.d/gcc $ wget -O - -q http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2 | tar jtf -
> etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened
> usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs
>
>
> On another box that is pure gcc-4 I also handle pie/pic/etc
> via /etc/portage/env/
>
> That setup looks like
>
> homeless env # find . -type l -ls
> 586387 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/openssh -> ../env.pie
snip
> 586413 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./www-servers/apache -> ../env.pie
> 586424 0 lrwxrwxrwx 1 root root 10 Jan  7 21:08 ./www-servers/lighttpd -> ../env.pie
> 586419 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./dev-util/cvs -> ../env.pie
>
> homeless env # cat env.pie
> # This file can be sourced in on packages to build them as ET_DYN
>
> if [[ ${CFLAGS/-fPIC/} == $CFLAGS ]]; then
> 	echo " * Exporting: old pic compiler flag in $EBUILD_PHASE"
> 	CFLAGS="${CFLAGS} -fPIC"
> 	CXXFLAGS="$CFLAGS"
> fi
>
> if [[ ${LDFLAGS/-pie/} == $LDFLAGS ]]; then
> 	echo " * Exporting: old pie linker flag in $EBUILD_PHASE"
> 	LDFLAGS="$LDFLAGS -pie"
> fi
>
> export CFLAGS CXXFLAGS LDFLAGS
>
>
> Note: Both of the methods I have shown do not enable SSP in gcc-4.
>

Thanks for the suggestions.
BTW: why don't you enable SSP? If I were to spend my time on separate specs,
I would surely go for SSP as well. Are there any known problems?

>
>> I feel myself alone.
>
> What you do in private is your own business.
>

Alone, not lonely.

Thx,
Dw.

>
> --
> Ned Ludd <solar@g.o>
> Gentoo Linux
>
> --
> gentoo-hardened@l.g.o mailing list
>


--
gentoo-hardened@l.g.o mailing list
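Both setups in the quoted message (the GCC_SPECS-driven toolchain and the per-package env.pie in /etc/portage/env) only inject flags; neither confirms what actually came out of the build, and the quoted note that neither enables SSP is exactly the kind of thing worth verifying on the produced binary. The following is an added example, not code from the thread or from Gentoo: it inspects an ELF image's header to tell ET_EXEC from ET_DYN (env.pie's stated goal is ET_DYN) and uses a heuristic, the presence of the `__stack_chk_fail` routine name in the binary, to judge whether stack-protector code was linked in. The sample headers it builds are constructed test input, not real binaries.

```python
"""Audit a built ELF binary for PIE (ET_DYN) and, heuristically, SSP.

Added example, not from the mailing-list thread. Run it on real files with
    python audit_elf.py /usr/sbin/sshd /usr/sbin/lighttpd
or import audit() and feed it the file contents.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
ELFCLASS32, ELFCLASS64 = 1, 2
ET_TYPES = {0: "ET_NONE", 1: "ET_REL", 2: "ET_EXEC", 3: "ET_DYN", 4: "ET_CORE"}
# Names the stack-protector runtime is linked against (glibc / libssp).
SSP_MARKERS = (b"__stack_chk_fail", b"__stack_chk_fail_local")


def parse_elf_header(data: bytes) -> dict:
    """Decode the ELF identification and the header fields we care about.

    Raises ValueError when the buffer is not a usable ELF image.
    """
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"  # EI_DATA: 1 = LSB, 2 = MSB
    # e_type and e_machine directly follow the 16-byte e_ident in both classes.
    e_type, e_machine = struct.unpack_from(endian + "HH", data, 16)
    if ei_class == ELFCLASS64:
        if len(data) < 64:
            raise ValueError("truncated ELF64 header")
        (e_entry,) = struct.unpack_from(endian + "Q", data, 24)
    elif ei_class == ELFCLASS32:
        (e_entry,) = struct.unpack_from(endian + "I", data, 24)
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    return {
        "class": 64 if ei_class == ELFCLASS64 else 32,
        "type": ET_TYPES.get(e_type, "unknown(%d)" % e_type),
        "machine": e_machine,
        "entry": e_entry,
    }


def is_pie(data: bytes) -> bool:
    """A PIE executable is linked as ET_DYN; a classic executable is ET_EXEC.

    Shared libraries are ET_DYN too, so only apply this to executables.
    """
    return parse_elf_header(data)["type"] == "ET_DYN"


def looks_ssp_protected(data: bytes) -> bool:
    """Heuristic: code built with -fstack-protector calls __stack_chk_fail,
    so the name ends up in the dynamic string table. Absence is a strong
    signal that no function got a canary; presence only shows that some did."""
    return any(marker in data for marker in SSP_MARKERS)


def audit(data: bytes) -> dict:
    """Combine the header decode with the PIE and SSP verdicts."""
    hdr = parse_elf_header(data)
    return {**hdr, "pie": hdr["type"] == "ET_DYN", "ssp": looks_ssp_protected(data)}


def make_elf64_header(e_type: int, e_machine: int = 0x3E) -> bytes:
    """Constructed 64-byte little-endian ELF64 header for demonstration only.

    e_machine 0x3E is EM_X86_64; the remaining fields are plausible filler.
    """
    e_ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    # e_type e_machine e_version e_entry e_phoff e_shoff e_flags e_ehsize
    # e_phentsize e_phnum e_shentsize e_shnum e_shstrndx
    body = struct.pack("<HHIQQQIHHHHHH", e_type, e_machine, 1, 0x1040, 64, 0,
                       0, 64, 56, 0, 64, 0, 0)
    return e_ident + body


# Constructed samples: an ET_DYN image whose "string table" carries the SSP
# marker, and a plain ET_EXEC image without it.
SAMPLE_PIE_SSP = make_elf64_header(3) + b"\0" * 16 + b"__stack_chk_fail\0"
SAMPLE_EXEC_NOSSP = make_elf64_header(2) + b"\0" * 16


def main(paths):
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            r = audit(data)
        except ValueError as exc:
            print("%s: %s" % (path, exc))
            continue
        print("%s: %s ELF%d pie=%s ssp=%s" % (path, r["type"], r["class"], r["pie"], r["ssp"]))


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run against a binary built under env.pie you expect `ET_DYN pie=True`; against one built with either quoted setup you should expect `ssp=False`, matching the note in the thread that neither method turns SSP on. The SSP check is a string heuristic, so treat it as a screening step rather than proof.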