| 1 |
On Tue, 2004-11-30 at 13:12 +0000, David Cannings wrote: |
| 2 |
> The page at http://www.gentoo.org/proj/en/hardened/propolice.xml |
| 3 |
> suggests the following regarding SSP: |
| 4 |
> |
| 5 |
> "If you would the protection on by default add -fstack-protector to your |
| 6 |
> CFLAGS in /etc/make.conf." |
| 7 |
> |
| 8 |
> However, this is contradicted by other pages on the hardened project |
| 9 |
> website which say USE="hardened" is the correct way. Obviously |
| 10 |
> USE="hardened" is correct (as it implies -fstack-protector-all), but the |
| 11 |
> above could confuse people. |
| 12 |
> |
| 13 |
> I arrived at that page from the grsecurity/PaX documentation at |
| 14 |
> http://www.gentoo.org/proj/en/hardened/grsecurity2.xml, I can't see it |
| 15 |
> linked elsewhere but I haven't looked exhaustively. |
| 16 |
> |
| 17 |
> The rest of the documentation is great, it seems the Gentoo documents |
| 18 |
> cover more than the grsecurity ones in some aspects. I've now got a |
| 19 |
> kernel with PaX/grsecurity and I'm just rebuilding world to get SSP. |
| 20 |
|
| 21 |
Unfortunately that propolice document is outdated in several aspects and |
| 22 |
shouldn't be linked by any current documents so thanks for pointing this |
| 23 |
out. I am in the process of writing a more complete and up-to-date SSP |
| 24 |
guide that will replace that guide in the future. |
| 25 |
|
| 26 |
For now the most up-to-date explanation regarding turning on SSP |
| 27 |
building is probably in the Hardened FAQ: |
| 28 |
|
| 29 |
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedcflags |
| 30 |
|
| 31 |
-- |
| 32 |
Adam Mondl <tocharian@××××××.org> |
Archives