Gentoo Archives: gentoo-hardened

From: Alexander Gabert <pappy@g.o>
To: gentoo-hardened@g.o
Cc: azarah@g.o
Subject: [gentoo-hardened] sys-devel/hardened-gcc-2.4.2 ~x86 ~hppa ~sparc ~ppc
Date: Tue, 07 Oct 2003 20:30:34
Message-Id: 1065558647.1126.32.camel@eskimo.external
dear gentoo hardened list readers,

i am proud to inform you that hardened-gcc-2.4.2, another "checked
build" with support for all the current gentoo arches, has hit cvs just
some minutes ago... you will be able to emerge it as usual in some
hours.

please do test this package extensively in a chroot before installing it
on a live machine!

also do remember that it may break the gcc, the glibc, binutils and any
other sensitive component of the toolchain you need for keeping your
system usable!

given that legal disclaimer, here is the news:

-static problems with libgcc containing propolice guard functions will
be evaded by giving -lc automatically in the *libgcc: section if
-nostdlib is not found (builds that use -nostdlib like gcc or glibc are
not pulling in the libgcc automatically but also do not cause the error
because libgcc is not referred to...), so the errors with the __guard
function will not show up, which also showed up more often when
USE="static" was used.

another headache was the sometimes left out guard setup and guard
function in binaries that apparently did not seem to need it; this is
automatically decided by the propolice source and fails miserably when
libraries are used that need the guard symbol... failing ebuilds are
galeon, mozilla and many other big gnome packages which may compile but
will probably only fail on startup with segfaults or error messages...
so we introduced a glibc-dependent guard.o in the building process when
hcc is used that automatically will introduce the functions, whether
needed or not (you pay with only very little code increase in the
binary, however there is no runtime penalty when the function is not
used, it is just there...).

hppa has no propolice and you are all set with etdyn only on that arch.

minor fixups have been made to the specs files of the nonintel arches.

given all these problems trying to be solved now by hcc-2.4.2 and the
great efforts by solar, whom i have to thank for his incredible
everlasting contributions (/usr/bin/isetdyn will become the hookup for
prepstrip in portage to get etdyn binaries stripped also) to that
engagement, and pipacs, the PaX guy, for making my nasty ideas become a
reality, and zhen for pushing this toy-tool forward to become the basic
skeleton for the first distributable "out of the box etdyn userland" in
form of a precompiled stage3, given all these contributions i really
have to say cheers to you fellows and say big big thanks for making my
days (and nights).

and of course i have to thank the contributors of the arch machines
around the world, as there are Horton and Solar for the sparc box, our
teamleader Method for the ppc (which i hope will survive by any possible
means...), antipent from gentoo-hppa for access to a very cool and fast
J class HP9000 and Daniel for giving us access to the ia64 and the amd64
to get our thing going there also :-)

Special thanks go also to the OpenBSD team who did a great job
pioneering the propolice gcc behaviour, patching their very own libc with
the guard symbol and at the same time enhancing their dynamic loader
with a libc-independent version for guard, something we have to think
about also at a later point in time when it may become necessary...

the future will bring hardened stages and livecd with hcc and finally
support for the amd64 and ia64 platform :-)))

Last but not least i would personally like to express my good feelings
and experiences i made with the gcc and toolchain developers on
#gentoo-dev, notably Martin "Azarah" Schlemmer, who never gave up
introducing me to and helping me with the gentoo specifics and technical
difficulties regarding the behaviour of the GNU gcc compiler chain and
our bug hunting together getting the job done :-)

keep on bugging me if things break your machine and have a nice time
using etdyn and propolice userland with selinux or grsecurity!

thanks again for your support,

Alex
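The guard.o mechanism the mail describes, as an added illustration that is not the hardened-gcc or ProPolice source: a minimal C translation unit standing in for the runtime object that propolice-instrumented binaries must link against, so the missing-symbol failures above have a concrete shape. The symbol names __guard, __guard_setup and __stack_smash_handler, and the /dev/urandom-then-terminator-canary initialisation, are assumptions modelled on the ProPolice design rather than taken from this mail.

```c
/* Added example, not hardened-gcc's own guard.o: a minimal runtime object
 * providing the symbols that ProPolice-instrumented code expects to link
 * against. Names and behaviour are assumptions modelled on the ProPolice
 * design (constructed for illustration). */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define GUARD_WORDS 8

/* The canary: every protected function prologue copies __guard[0] next
 * to its saved frame data and compares it again before returning. If no
 * object in the link defines this symbol, the link (or dlopen) fails. */
unsigned long __guard[GUARD_WORDS];

/* Runs before main() via the ELF constructor machinery, so the canary is
 * random before any instrumented function executes. */
static void __guard_setup(void) __attribute__((constructor));
static void __guard_setup(void)
{
    int fd;
    ssize_t got = 0;

    if (__guard[0] != 0)              /* already initialised */
        return;
    fd = open("/dev/urandom", O_RDONLY);
    if (fd >= 0) {
        got = read(fd, __guard, sizeof __guard);
        close(fd);
    }
    if (got != (ssize_t)sizeof __guard) {
        /* Fallback "terminator canary": NUL, NUL, LF and 0xff bytes make
         * string-copy overflows stop before they can rewrite the canary. */
        unsigned char *c = (unsigned char *)__guard;
        c[0] = 0; c[1] = 0; c[2] = '\n'; c[3] = 255;
    }
}

/* Called by instrumented epilogues when the canary no longer matches. */
void __stack_smash_handler(const char func[], int damaged)
{
    fprintf(stderr, "stack overflow in function %s (damaged %d)\n",
            func, damaged);
    abort();
}

/* Check helper: did the guard get set up before any user code ran? */
int guard_is_initialised(void)
{
    return __guard[0] != 0;
}
```

Linking this object into every hcc build is what makes the symbols present "whether needed or not", which is the trade-off the mail describes: a few bytes of code, no runtime cost unless an instrumented function actually runs.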