On Tue, 12 Sep 2006 15:02:16 -0400
7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote:

> (O.K....... I'll be the sacrificial bozo :-) )
>
> I've been running hardened kernels for a year or so with hardened pic
> in make.conf; but never changed my profile to hardened. PAX seemed to
> work fine (killed some flakey stuff), as did grsecurity.
>
> So IIUC, I now have 4.1.1 with neither PAX nor SPP (wondered why
> Xorg worked so well without paxctl tweaks).
>
> IIUC, I have at least four alternatives:
>
> a. Change my profile, revert to 3.4, and recompile everything - in
> anticipation of upgrading to 4.1.1 when it becomes hardened-capable.
> (two big upgrades - not my favorite alternative)

Well, you would only need to rebuild the stuff you've built with the
4.1.1 compiler. You can find out what compiler version a package was
built with by rifling through
the /var/db/pkg/<category>/<package-version>/environment.bz2 files and
checking which compiler version was first in line on the PATH variable.

> b. Wait 'til 4.1.1 becomes ready and then compile everything with a
> hardened profile. (one big upgrade)
>
> c. Wait 'til 4.2.x is issued and then compile everything......

You don't really need to rebuild everything all in one go, provided you
keep the previous compiler versions installed, so you could take a
phased approach to it.

> d. (?) Hand-job my gcc settings somehow (e.g.):
>
> "...the current toolchain implements the equivalent of CFLAGS="-fPIE
> -fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro"
> automatically through GCC's specfile which is a more proper solution.

Note: the comment about CFLAGS and LDFLAGS is really only to help
illustrate what the hardened toolchain does. If you tried setting the
above in CFLAGS and LDFLAGS things would go wrong - especially putting
'-fPIE' in CFLAGS, which will cause TEXTRELs to appear in shared
libraries, and probably interferes with preloading.

As far as tweaking the specs yourself goes, you're welcome to try but I
wouldn't recommend it unless you're confident you know what you're
doing :)

> For older hardened-gcc users, add USE="hardened pic" to
> your /etc/make.conf and then upgrade with the following commands
> # emerge --oneshot binutils gcc virtual/libc
> # emerge -e world"
>
> So, given that I'm a newbie, and that my next move is all about
> timing, the questions are:
>
> 1. How long 'til 4.1.1 will be released to hardened profiles (this is
> not a nag, just need a planning window)?

Well, I'm kinda aiming to have it done this year, but bear in mind even
then it'll be "experimental" (like Grsecurity/PaX is on a 2.6 kernel) -
mainly because the SSP implementation in 4.x is completely new, so we
have little experience of it.

> 2. Will alternative d. even work? If so, would reemerging the
> hardened profile undo those tweaks when 4.1.1 is hardened ready?

You don't emerge a profile, you just set the /etc/make.conf soft link.
The profile just has the default USE flags, default packages and
masking. As such it only changes what happens when you use emerge in
the future; it doesn't change what you have now.

> 3. How long 'til 4.2.x becomes hardened available, and will it be an
> emerge world?

4.2 is likely to be less of a jump than from 3.4 to 4.1 (we're
skipping 4.0 as it didn't have any SSP). Once we have it sorted for 4.1
I'm expecting it'll just move forward with each release as it did for
3.x. As to when - well, I'd worry about that later.

> > Unmasking gcc-4.1.1 will work in as much as it'll build stuff that
> > runs fine, but it'll compile everything vanilla unless you modify
> > the specs file yourself. <=======
>
>
> > This means that you won't get PIE executables (so PaX
> > ASLR won't do anything), you won't be building with the stack
> > protector, stuff won't be RELRO/BIND_NOW.
> >
> > See the docs on the project website for more information
> > http://www.gentoo.org/proj/en/hardened/ <=== Yep.... with a
> > microscope :-)

--
Kevin F. Quinn
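The check Kevin describes above (read each package's saved environment.bz2 under /var/db/pkg and see which compiler was first on PATH) can be scripted so that the list of packages built with the unhardened 4.1.1 compiler, i.e. the rebuild list for alternative a., falls out directly. The script below is an added example, not code from the thread or from the Gentoo hardened project. It assumes the usual gcc-config layout, where the selected compiler appears on PATH as /usr/<CHOST>/gcc-bin/<version>, and it accepts PATH saved either as PATH="..." or as a declare -x line. The package names and PATH values in the sample tree are constructed for the demonstration; point PKGDB at a real /var/db/pkg to scan an actual system.

```python
"""List which gcc version each installed Gentoo package was built with.

Added example (not from the mailing-list thread). It reads the PATH
variable saved in /var/db/pkg/<category>/<package-version>/environment.bz2
and reports the first gcc-bin/<version> directory found on it, which is
the compiler gcc-config had selected when the package was built.
"""
import bz2
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Assumption: gcc-config puts the selected compiler on PATH as
# /usr/<CHOST>/gcc-bin/<version>; the version is captured in group 1.
GCC_BIN_RE = re.compile(r"/usr/[^/:\s]+/gcc-bin/([0-9][^/\s\"']*)")
# The saved environment stores PATH as PATH="..." or as declare -x PATH="..."
PATH_LINE_RE = re.compile(r"^(?:declare -x |export )?PATH=(.*)$")


def compiler_version_from_environment(text: str) -> Optional[str]:
    """Return the gcc version first on PATH in a saved build environment, or None."""
    for line in text.splitlines():
        m = PATH_LINE_RE.match(line.strip())
        if not m:
            continue
        for entry in m.group(1).strip("\"'").split(":"):
            g = GCC_BIN_RE.search(entry)
            if g:
                return g.group(1)
        return None  # PATH was saved, but no gcc-bin directory was on it
    return None  # no PATH line in this environment at all


def scan_pkgdb(pkgdb: Path) -> Dict[str, Optional[str]]:
    """Map category/package-version to gcc version for every environment.bz2 under pkgdb."""
    results: Dict[str, Optional[str]] = {}
    for env_file in sorted(pkgdb.glob("*/*/environment.bz2")):
        cpv = f"{env_file.parent.parent.name}/{env_file.parent.name}"
        with bz2.open(str(env_file), "rt", encoding="utf-8", errors="replace") as fh:
            results[cpv] = compiler_version_from_environment(fh.read())
    return results


def built_with(pkgdb: Path, version: str) -> List[str]:
    """Packages whose saved PATH had gcc-bin/<version> first: the rebuild list."""
    return sorted(cpv for cpv, ver in scan_pkgdb(pkgdb).items() if ver == version)


# Constructed sample: a tiny fake /var/db/pkg tree with hypothetical packages.
SAMPLE_PATHS = {
    "sys-libs/zlib-1.2.3": "/usr/i686-pc-linux-gnu/gcc-bin/3.4.6:/usr/bin:/bin",
    "app-editors/vim-7.0": "/usr/lib/ccache/bin:/usr/i686-pc-linux-gnu/gcc-bin/4.1.1:/usr/bin",
    "x11-base/xorg-server-1.1.1": (
        "/usr/i686-pc-linux-gnu/gcc-bin/4.1.1:/usr/i686-pc-linux-gnu/gcc-bin/3.4.6:/usr/bin"
    ),
    "sys-apps/busybox-1.1.3": "/usr/bin:/bin",  # no gcc-bin entry at all
}


def make_sample_pkgdb() -> Path:
    """Write the constructed sample tree into a temp dir and return its root."""
    root = Path(tempfile.mkdtemp(prefix="pkgdb-"))
    for cpv, path_value in SAMPLE_PATHS.items():
        pkgdir = root / cpv
        pkgdir.mkdir(parents=True)
        with bz2.open(str(pkgdir / "environment.bz2"), "wt", encoding="utf-8") as fh:
            fh.write('CHOST="i686-pc-linux-gnu"\n')
            fh.write(f'PATH="{path_value}"\n')
            fh.write('CFLAGS="-O2 -march=i686 -pipe"\n')
    return root


if __name__ == "__main__":
    env_root = os.environ.get("PKGDB")  # e.g. PKGDB=/var/db/pkg on a real box
    pkgdb = Path(env_root) if env_root else make_sample_pkgdb()
    for cpv, ver in scan_pkgdb(pkgdb).items():
        print(f"{cpv}: gcc {ver or 'unknown'}")
    print("built with 4.1.1:", " ".join(built_with(pkgdb, "4.1.1")))
```

A package whose saved PATH has no gcc-bin entry is reported as unknown rather than silently skipped, since that is exactly the case you would want to look at by hand before deciding whether it needs a rebuild.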