Dear gentoo hardened list readers,

I am proud to inform you that hardened-gcc-2.4.2, another "checked build" with support for all the current gentoo arches, has hit cvs just some minutes ago... you will be able to emerge it as usual in some hours.

Please do test this package extensively in a chroot before installing it on a live machine!

Also do remember that it may break gcc, glibc, binutils and any other sensitive component of the toolchain you need for keeping your system usable!

Given that legal disclaimer, here is the news:

-static problems with libgcc containing propolice guard functions will be avoided by passing -lc automatically in the *libgcc: section if -nostdlib is not found (builds that use -nostdlib, like gcc or glibc, do not pull in libgcc automatically, but also do not cause the error because libgcc is not referenced...), so the errors with the __guard function will not show up any more; these also showed up more often when USE="static" was used.

Another headache was the guard setup and guard function sometimes being left out of binaries that apparently did not seem to need them; this is decided automatically by the propolice source and fails miserably when libraries are used that need the guard symbol... Failing ebuilds are galeon, mozilla and many other big gnome packages, which may compile but will probably only fail on startup with segfaults or error messages... So we introduced a glibc-dependent guard.o into the build process when hcc is used, which automatically introduces the needed functions whether they are needed or not (you pay with only a very small code increase in the binary; however, there is no runtime penalty when the function is not used, it is just there...).

hppa has no propolice, and you are all set with etdyn only on that arch.

Minor fixups have been made to the specs files of the non-intel arches.

Given all these problems now being tackled by hcc-2.4.2, and the great efforts by solar, whom I have to thank for his incredible, everlasting contributions (/usr/bin/isetdyn will become the hookup for prepstrip in portage to get etdyn binaries stripped also) to that engagement, and pipacs, the PaX guy, for making my nasty ideas become a reality, and zhen for pushing this toy-tool forward to become the basic skeleton for the first distributable "out of the box etdyn userland" in the form of a precompiled stage3; given all these contributions I really have to say cheers to you fellows and a big, big thanks for making my days (and nights).

And of course I have to thank the contributors of the arch machines around the world: Horton and Solar for the sparc box, our teamleader Method for the ppc (which I hope will survive by any possible means...), antipent from gentoo-hppa for access to a very cool and fast J class HP9000, and Daniel for giving us access to the ia64 and the amd64 to get our thing going there also :-)

Special thanks go also to the OpenBSD team, who did a great job pioneering the propolice gcc behaviour, patching their very own libc with the guard symbol and at the same time enhancing their dynamic loader with a libc-independent version of the guard, something we have to think about also at a later point in time when it may become necessary...

The future will bring hardened stages and a livecd with hcc, and finally support for the amd64 and ia64 platforms :-)))

Last but not least, I would personally like to express the good feelings and experiences I have had with the gcc and toolchain developers on #gentoo-dev, notably Martin "Azarah" Schlemmer, who never gave up introducing me to and helping me with the gentoo specifics and technical difficulties regarding the behaviour of the GNU gcc compiler chain, and our bug hunting together getting the job done :-)

Keep on bugging me if things break your machine, and have a nice time using etdyn and propolice userland with selinux or grsecurity!

Thanks again for your support,

Alex


--
gentoo-hardened@g.o mailing list
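The guard symbols the announcement keeps referring to, as an added example that is not part of the original mail and is not hardened-gcc's guard.o: a minimal ProPolice-style runtime that defines __guard, __guard_setup and __stack_smash_handler, modelled on the published ProPolice runtime (random guard from /dev/urandom, "terminator canary" fallback), plus a hand-written stand-in for the instrumented prologue/epilogue so the check can be observed without the compiler inserting it. The names propolice_terminator_canary, propolice_guard_setup and protected_copy are this example's own; the file name used in the usage note is assumed.

```c
/*
 * Added example (not the hardened-gcc guard.o): the symbols a propolice
 * instrumented object references, and a minimal runtime that supplies them,
 * modelled on the published ProPolice runtime. Linking an object like this
 * into every binary is the idea behind a standalone guard.o: the symbols are
 * present whether or not the compiler decided the executable itself needed
 * them, so a library that references them resolves at load time.
 */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define GUARD_WORDS 8

/* The global guard that the prologue copies into each protected frame. */
long __guard[GUARD_WORDS];

/* Fallback "terminator canary": NUL, NUL, LF, 0xff. A strcpy()-style
 * overflow stops at the NUL and gets()/fgets() stop at the LF, so such an
 * overflow cannot rewrite the canary with its original value. */
void propolice_terminator_canary(long *guard)
{
    unsigned char *p = (unsigned char *)guard;
    memset(guard, 0, GUARD_WORDS * sizeof(long));
    p[0] = 0;
    p[1] = 0;
    p[2] = '\n';
    p[3] = 0xff;
}

/* Fill the guard from /dev/urandom; on failure fall back to the terminator
 * canary. Returns 1 for a random guard, 0 when the fallback was used. */
int propolice_guard_setup(long *guard)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd != -1) {
        ssize_t n = read(fd, guard, GUARD_WORDS * sizeof(long));
        close(fd);
        if (n == (ssize_t)(GUARD_WORDS * sizeof(long)))
            return 1;
    }
    propolice_terminator_canary(guard);
    return 0;
}

/* __guard_setup runs as a constructor before main(); several objects may
 * carry one, so it initialises the guard only once. */
void __guard_setup(void) __attribute__((constructor));
void __guard_setup(void)
{
    if (__guard[0] == 0)
        propolice_guard_setup(__guard);
}

/* Called by the instrumented epilogue when the frame copy no longer
 * matches __guard; never returns. */
void __stack_smash_handler(const char func[], int damaged)
{
    (void)damaged;
    fprintf(stderr, "stack smashing attack in function %s\n", func);
    abort();
}

/* Hand-written equivalent of what the propolice prologue/epilogue wrap
 * around a local buffer: copy the guard next to the buffer, do the work,
 * compare before returning. Returns 1 if the guard survived and 0 if the
 * copy overwrote it (a real epilogue would call __stack_smash_handler
 * instead; returning the verdict lets a caller inspect it). */
int protected_copy(const char *src, size_t len)
{
    struct {
        char buf[16];
        long guard;
    } frame;

    frame.guard = __guard[0];
    if (len > sizeof frame)         /* stay inside the frame object */
        len = sizeof frame;
    memcpy(&frame, src, len);       /* len > 16 spills into frame.guard */
    return frame.guard == __guard[0];
}

int main(void)
{
    char overflow[24];
    memset(overflow, 'A', sizeof overflow);      /* constructed input */
    printf("guard[0] = 0x%lx\n", (unsigned long)__guard[0]);
    printf("5-byte copy intact:  %d\n", protected_copy("hello", 5));
    printf("24-byte copy intact: %d\n", protected_copy(overflow, 24));
    return 0;
}
```

Build it stand-alone with `gcc -O2 -o guard_demo guard_demo.c` (assumed file name). A shared object compiled by a propolice gcc carries undefined references to `__guard` and `__stack_smash_handler`; if neither the executable nor any linked library defines them, the program links fine but the dynamic loader rejects it at startup with an undefined-symbol error, which is the "compiles but fails on startup" pattern the mail describes for galeon and mozilla. Always linking a small guard object removes that dependency on the compiler's per-binary decision.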