| 1 |
On Thu, 2008-01-17 at 20:03 +0100, atoth@××××××××××.hu wrote: |
| 2 |
> I'd like to give it a try. I'd like to help by testing it. |
| 3 |
> I've found this: |
| 4 |
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml |
| 5 |
> It seems to be a bit outdated, since binutils and glibc versions are all |
| 6 |
> right now by default. Should I just unhardmask gcc-4* and go ahead? |
| 7 |
> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690? |
| 8 |
> |
| 9 |
> Provide me some hints, please! |
| 10 |
> (Solar? Kevin?) |
| 11 |
|
| 12 |
Of course there is the KQ overlay. For those who simply want basic |
| 13 |
hardening that have no desire to wait for it to hit the tree. I'd |
| 14 |
suggest just unmasking gcc-4, build it and then injecting some gcc |
| 15 |
specs to handle it auto building hardened alike bins. |
| 16 |
|
| 17 |
One of my setups looks like this. |
| 18 |
|
| 19 |
solar@hangover /etc/env.d/gcc $ gcc-config -l |
| 20 |
[1] x86_64-pc-linux-gnu-3.4.6 |
| 21 |
[2] x86_64-pc-linux-gnu-3.4.6-hardenednopie |
| 22 |
[3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp |
| 23 |
[4] x86_64-pc-linux-gnu-3.4.6-hardenednossp |
| 24 |
[5] x86_64-pc-linux-gnu-3.4.6-vanilla |
| 25 |
[6] x86_64-pc-linux-gnu-4.1.2 |
| 26 |
[7] x86_64-pc-linux-gnu-4.1.2-hardened * |
| 27 |
|
| 28 |
solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened |
| 29 |
PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2" |
| 30 |
ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2" |
| 31 |
GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2" |
| 32 |
LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32" |
| 33 |
MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man" |
| 34 |
INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info" |
| 35 |
STDCXX_INCDIR="g++-v4" |
| 36 |
GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs" |
| 37 |
|
| 38 |
|
| 39 |
# |
| 40 |
The line that matters here is the one that defines GCC_SPECS= |
| 41 |
|
| 42 |
http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs |
| 43 |
Or |
| 44 |
http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs |
| 45 |
|
| 46 |
|
| 47 |
solar@hangover /etc/env.d/gcc $ wget -O - -q |
| 48 |
http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2 |
| 49 |
| tar jtf - |
| 50 |
etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened |
| 51 |
usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs |
| 52 |
|
| 53 |
|
| 54 |
On another box that is pure gcc-4 I also handle pie/pic/etc |
| 55 |
via /etc/portage/env/ |
| 56 |
|
| 57 |
That setup looks like |
| 58 |
|
| 59 |
homeless env # find . -type l -ls |
| 60 |
586387 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 61 |
16:06 ./net-misc/openssh -> ../env.pie |
| 62 |
586389 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 63 |
16:06 ./net-misc/proftpd -> ../env.pie |
| 64 |
586390 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 65 |
16:06 ./net-misc/rsync -> ../env.pie |
| 66 |
586370 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 67 |
16:06 ./net-misc/oidentd -> ../env.pie |
| 68 |
586404 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 69 |
16:06 ./net-misc/ntp -> ../env.pie |
| 70 |
586406 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 71 |
16:06 ./net-irc/bitchx -> ../env.pie |
| 72 |
586402 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 73 |
16:06 ./net-irc/epic4 -> ../env.pie |
| 74 |
896065 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 75 |
16:06 ./net-dns/bind -> ../env.pie |
| 76 |
895896 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 77 |
16:06 ./net-ftp/proftpd -> ../env.pie |
| 78 |
895898 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 79 |
16:06 ./sys-apps/xinetd -> ../env.pie |
| 80 |
895900 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 81 |
16:06 ./app-admin/syslog-ng -> ../env.pie |
| 82 |
586408 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 83 |
16:06 ./net-mail/courier-imap -> ../env.pie |
| 84 |
586410 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 85 |
16:06 ./app-antivirus/clamav -> ../env.pie |
| 86 |
586415 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 87 |
16:06 ./dev-db/mysql -> ../env.pie |
| 88 |
586417 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 89 |
16:06 ./mail-mta/postfix -> ../env.pie |
| 90 |
586413 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 91 |
16:06 ./www-servers/apache -> ../env.pie |
| 92 |
586424 0 lrwxrwxrwx 1 root root 10 Jan 7 |
| 93 |
21:08 ./www-servers/lighttpd -> ../env.pie |
| 94 |
586419 0 lrwxrwxrwx 1 root root 10 Oct 21 |
| 95 |
16:06 ./dev-util/cvs -> ../env.pie |
| 96 |
|
| 97 |
homeless env # cat env.pie |
| 98 |
# This file can be sourced in on packages to build them as ET_DYN |
| 99 |
|
| 100 |
if [[ ${CFLAGS/-fPIC/} == $CFLAGS ]]; then |
| 101 |
echo " * Exporting: old pic compiler flag in $EBUILD_PHASE" |
| 102 |
CFLAGS="${CFLAGS} -fPIC" |
| 103 |
CXXFLAGS="$CFLAGS" |
| 104 |
fi |
| 105 |
|
| 106 |
if [[ ${LDFLAGS/-pie/} == $LDFLAGS ]]; then |
| 107 |
echo " * Exporting: old pie linker flag in $EBUILD_PHASE" |
| 108 |
LDFLAGS="$LDFLAGS -pie" |
| 109 |
fi |
| 110 |
|
| 111 |
export CFLAGS CXXFLAGS LDFLAGS |
| 112 |
|
| 113 |
|
| 114 |
Note: That both of the methods I have shown do not enable SSP in gcc-4. |
| 115 |
|
| 116 |
|
| 117 |
> I feel myself alone. |
| 118 |
|
| 119 |
What you do in private is your own business. |
| 120 |
|
| 121 |
|
| 122 |
-- |
| 123 |
Ned Ludd <solar@g.o> |
| 124 |
Gentoo Linux |
| 125 |
|
| 126 |
-- |
| 127 |
gentoo-hardened@l.g.o mailing list |
Archives