| 1 |
So how it can be verified, that the compiled ELF has RELRO and NOW? |
| 2 |
1. RELRO can be verified by calling readelf with the -l option and look |
| 3 |
for RELRO. If it's there, the ELF was compiled with RELRO |
| 4 |
2. NOW can be verified by calling readelf with the -d option and look for |
| 5 |
BIND_NOW |
| 6 |
If the ELF has both, it's full RELRO. If it has only RELRO, but no |
| 7 |
BIND_NOW, it's lazy. |
| 8 |
|
| 9 |
If I comment out the append flag row in the xorg eclass, the resulting ELF |
| 10 |
will be full relro. Without explicitly specifying relro and now. That's |
| 11 |
probably because of the hardened toolchain. |
| 12 |
|
| 13 |
I will give a try to the radeon driver soon. Now it's only Xorg and most |
| 14 |
of the drivers compiled with full relro, except for the video card driver. |
| 15 |
-- |
| 16 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 17 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 18 |
|
| 19 |
2013.Október 1.(K) 22:26 időpontban Hinnerk van Bruinehsen ezt írta: |
| 20 |
> On Tue, Oct 01, 2013 at 10:34:07PM +0300, Alex Efros wrote: |
| 21 |
>> Hi! |
| 22 |
>> |
| 23 |
>> On Tue, Oct 01, 2013 at 09:21:00PM +0200, Hinnerk van Bruinehsen wrote: |
| 24 |
>> > If you want to try, you could try the xorg-2.eclass from here: |
| 25 |
>> > |
| 26 |
>> > https://github.com/N8Fear/hvb-overlay/blob/master/eclass/xorg-2.eclass |
| 27 |
>> > |
| 28 |
>> > either by temporarily overwriting the one from the portage tree or |
| 29 |
>> otherwise by |
| 30 |
>> |
| 31 |
>> Overwriting one from the portage is ok, I think. What next - rebuild |
| 32 |
>> x11-base/xorg-server-1.14.3 and restart Xorg to check is it works ok? |
| 33 |
>> |
| 34 |
>> -- |
| 35 |
>> WBR, Alex. |
| 36 |
> |
| 37 |
> That should do it - and on the next sync everything should be back to |
| 38 |
> normal. |
| 39 |
> Btw: seems like building the driver (xf86-video-intel in my case) seems to |
| 40 |
> break X (no screens found). |
| 41 |
> I think it still would be an improvement nonetheless if xorg-server could |
| 42 |
> be |
| 43 |
> build with full relro. |
| 44 |
> The question is if it's the same for other drivers (building the drivers |
| 45 |
> break |
| 46 |
> X, building the server itself with full relro works). |
| 47 |
> |
| 48 |
> One other more or less losely related thing: x86-input-synaptics works |
| 49 |
> with |
| 50 |
> full relro for me. |
| 51 |
> |
| 52 |
> |
Archives