| 1 |
(O.K....... I'll be the sacrificial bozo :-) ) |
| 2 |
|
| 3 |
I've been running hardened kernels for a year or so with hardened pic in |
| 4 |
make.conf; but never changed my profile to hardened. PAX seemed to work |
| 5 |
fine (killed some flakey stuff), as did grsecurity. |
| 6 |
|
| 7 |
So IIUC, I now have 4.1.1 with neither PAX nor SPP (wondered why Xorg |
| 8 |
worked so well without paxctl tweaks). |
| 9 |
|
| 10 |
IIUC, I have at least four alternatives: |
| 11 |
|
| 12 |
a. Change my profile, revert to 3.4, and recompile everything - in |
| 13 |
anticipation of upgrading to 4.1.1 when it becomes hardened-capable. (two |
| 14 |
big upgrades - not my favorite alternative) |
| 15 |
|
| 16 |
b. Wait 'til 4.1.1 becomes ready and then compile everything with a |
| 17 |
hardened profiles. (one big upgrade) |
| 18 |
|
| 19 |
c. Wait 'til 4.2.x is issued and then compile everything...... |
| 20 |
|
| 21 |
d. (?) Hand-job my gcc settings somehow (e.g.): |
| 22 |
|
| 23 |
"...the current toolchain implements the equivalent of CFLAGS="-fPIE |
| 24 |
-fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically |
| 25 |
through GCC's specfile which is a more proper solution. For older |
| 26 |
hardened-gcc users, add USE="hardened pic" to your /etc/make.conf and then |
| 27 |
upgrade with the following commands |
| 28 |
# emerge --oneshot binutils gcc virtual/libc |
| 29 |
# emerge -e world" |
| 30 |
|
| 31 |
|
| 32 |
So, given that I'm a newbie, and that my next move is all about timing, |
| 33 |
the questions are: |
| 34 |
|
| 35 |
1. How long 'til 4.1.1 will be released to hardend profiles (this is not a |
| 36 |
nag, just need a planning window)? |
| 37 |
|
| 38 |
2. Will alternative d. even work? If so, would reemerging the hardened |
| 39 |
profile undo those tweaks when 4.1.1 is hardened ready? |
| 40 |
|
| 41 |
3. How long 'til 4.2.x becomes hardened available, and will it be a emerge |
| 42 |
world? |
| 43 |
|
| 44 |
|
| 45 |
> |
| 46 |
> Unmasking gcc-4.1.1 will work in as much as it'll build stuff that runs |
| 47 |
> fine, but it'll compile everything vanilla unless you modify the specs |
| 48 |
> file yourself. <======= |
| 49 |
|
| 50 |
|
| 51 |
> This means that you won't get PIE executables (so PaX |
| 52 |
> ASLR won't do anything), you won't be building with the stack protector, |
| 53 |
> stuff won't be RELRO/BIND_NOW. |
| 54 |
> |
| 55 |
> See the docs on the project website for more information |
| 56 |
> http://www.gentoo.org/proj/en/hardened/ <=== Yep.... with a microscope |
| 57 |
> :-) |
| 58 |
|
| 59 |
|
| 60 |
TIA |
| 61 |
|
| 62 |
|
| 63 |
> |
| 64 |
|
| 65 |
|
| 66 |
-- |
| 67 |
gentoo-hardened@g.o mailing list |
Archives