| 1 |
On Tue, 12 Sep 2006 15:02:16 -0400 |
| 2 |
7v5w7go9ub0o <7v5w7go9ub0o@×××××.com> wrote: |
| 3 |
|
| 4 |
> (O.K....... I'll be the sacrificial bozo :-) ) |
| 5 |
> |
| 6 |
> I've been running hardened kernels for a year or so with hardened pic |
| 7 |
> in make.conf; but never changed my profile to hardened. PAX seemed to |
| 8 |
> work fine (killed some flakey stuff), as did grsecurity. |
| 9 |
> |
| 10 |
> So IIUC, I now have 4.1.1 with neither PAX nor SPP (wondered why |
| 11 |
> Xorg worked so well without paxctl tweaks). |
| 12 |
> |
| 13 |
> IIUC, I have at least four alternatives: |
| 14 |
> |
| 15 |
> a. Change my profile, revert to 3.4, and recompile everything - in |
| 16 |
> anticipation of upgrading to 4.1.1 when it becomes hardened-capable. |
| 17 |
> (two big upgrades - not my favorite alternative) |
| 18 |
|
| 19 |
Well, you would only need to rebuild the stuff you've built with the |
| 20 |
4.1.1 compiler. You can find out what compiler version a package was |
| 21 |
built with by rifling through |
| 22 |
the /var/db/pkg/<category>/<package-version>/environment.bz2 files and |
| 23 |
checking which compiler version was first in line on the PATH variable. |
| 24 |
|
| 25 |
> b. Wait 'til 4.1.1 becomes ready and then compile everything with a |
| 26 |
> hardened profiles. (one big upgrade) |
| 27 |
> |
| 28 |
> c. Wait 'til 4.2.x is issued and then compile everything...... |
| 29 |
|
| 30 |
You don't really need to rebuild everything all in one go, provided you |
| 31 |
keep the previous compiler versions installed, so you could take a |
| 32 |
phased approach to it. |
| 33 |
|
| 34 |
> d. (?) Hand-job my gcc settings somehow (e.g.): |
| 35 |
> |
| 36 |
> "...the current toolchain implements the equivalent of CFLAGS="-fPIE |
| 37 |
> -fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro" |
| 38 |
> automatically through GCC's specfile which is a more proper solution. |
| 39 |
|
| 40 |
Note; the comment about CFLAGS and LDFLAGS is really only to help |
| 41 |
illustrate what the hardened toolchain does. If you tried setting the |
| 42 |
above in CFLAGS and LDFLAGS things would go wrong - especially putting |
| 43 |
'-fPIE' in CFLAGS, which will cause TEXTRELs to appear in shared |
| 44 |
libraries, and probably interferes with preloading. |
| 45 |
|
| 46 |
As far as tweaking the specs yourself goes, you're welcome to try but I |
| 47 |
wouldn't recommend it unless you're confident you know what you're |
| 48 |
doing :) |
| 49 |
|
| 50 |
> For older hardened-gcc users, add USE="hardened pic" to |
| 51 |
> your /etc/make.conf and then upgrade with the following commands |
| 52 |
> # emerge --oneshot binutils gcc virtual/libc |
| 53 |
> # emerge -e world" |
| 54 |
> |
| 55 |
> So, given that I'm a newbie, and that my next move is all about |
| 56 |
> timing, the questions are: |
| 57 |
> |
| 58 |
> 1. How long 'til 4.1.1 will be released to hardend profiles (this is |
| 59 |
> not a nag, just need a planning window)? |
| 60 |
|
| 61 |
Well, I'm kinda aiming to have it done this year, but bear in mind even |
| 62 |
then it'll be "experimental" (like Grsecurity/PaX is on a 2.6 kernel) - |
| 63 |
mainly because the SSP implementation in 4.x is completely new, so we |
| 64 |
have little experience of it. |
| 65 |
|
| 66 |
> 2. Will alternative d. even work? If so, would reemerging the |
| 67 |
> hardened profile undo those tweaks when 4.1.1 is harde``ned ready? |
| 68 |
|
| 69 |
You don't emerge a profile, you just set the /etc/make.conf soft link. |
| 70 |
The profile just has the default USE flags, default packages and |
| 71 |
masking. As such it only changes what happens when you use emerge in |
| 72 |
the future; it doesn't change what you have now. |
| 73 |
|
| 74 |
> 3. How long 'til 4.2.x becomes hardened available, and will it be a |
| 75 |
> emerge world? |
| 76 |
|
| 77 |
4.2 is likely to be less of a jump than from 3.4 to 4.1 (we're |
| 78 |
skipping 4.0 as it didn't have any SSP). Once we have it sorted for 4.1 |
| 79 |
I'm expecting it'll just move forward with each release as it did for |
| 80 |
3.x. As to when - well, I'd worry about that later. |
| 81 |
|
| 82 |
> > Unmasking gcc-4.1.1 will work in as much as it'll build stuff that |
| 83 |
> > runs fine, but it'll compile everything vanilla unless you modify |
| 84 |
> > the specs file yourself. <======= |
| 85 |
> |
| 86 |
> |
| 87 |
> > This means that you won't get PIE executables (so PaX |
| 88 |
> > ASLR won't do anything), you won't be building with the stack |
| 89 |
> > protector, stuff won't be RELRO/BIND_NOW. |
| 90 |
> > |
| 91 |
> > See the docs on the project website for more information |
| 92 |
> > http://www.gentoo.org/proj/en/hardened/ <=== Yep.... with a |
| 93 |
> > microscope :-) |
| 94 |
|
| 95 |
-- |
| 96 |
Kevin F. Quinn |
Archives