| 1 |
On Thu, 16 Mar 2006 23:02:19 -0600 |
| 2 |
Mikey <mikey@×××××××××××.com> wrote: |
| 3 |
|
| 4 |
> What I am curious about is the fact that I didn't really notice any |
| 5 |
> special CFLAGS being used while everything was compiling. Various |
| 6 |
> documents tell me it is transparent, that the settings are read from |
| 7 |
> the gcc spec file. Should I not be seeing cflags specific to hardened |
| 8 |
> settings while everything is compiling? |
| 9 |
|
| 10 |
No, you won't see anything in the compilation logs. The flags are |
| 11 |
switched on automatically by the hardened gcc specs. |
| 12 |
|
| 13 |
> So I guess my question is - how do I know everything is actually |
| 14 |
> being compiled with the hardened specific flags? A diff |
| 15 |
> on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs |
| 16 |
> shows no differences, is it safe to assume the default specs file is |
| 17 |
> being used even though it is not being set anywhere in the |
| 18 |
> environment? |
| 19 |
|
| 20 |
The hardened gcc specs do four things: |
| 21 |
|
| 22 |
1) compiles with -fPIE, links with -fPIE -pie, to create position |
| 23 |
independent executables. 'readelf -h <executable>' will show the type |
| 24 |
as "DYN" instead of "EXEC". 'scanelf -pRE ET_EXEC' will find any |
| 25 |
non-PIEs on your path. There will be some. |
| 26 |
|
| 27 |
2) compiles with -fstack-protector-all (except in some situations where |
| 28 |
we know it causes trouble). Not so easy to check, but 'readelf -s |
| 29 |
<executable/library> | grep stack_smash_handler' should show references |
| 30 |
(will be stack_chk_fail if/when we move to gcc-4.1), 'scanelf -qplRS |
| 31 |
__stack_smash_handler' will list all the executables/libraries that use |
| 32 |
SSP (I don't know of a quick way to find anything that _doesn't_ |
| 33 |
reference a given symbol). Again, there will be some stuff that |
| 34 |
doesn't use SSP. |
| 35 |
|
| 36 |
3) links with -z relro and -z now. 'readelf -l <file>' will |
| 37 |
show a GNU_RELRO program header and 'readelf -d <file>' will show a tag |
| 38 |
type $FLAGS" with value "BIND_NOW". 'scanelf -plRb' will show you the |
| 39 |
whether each exec/library/object is BIND_NOW or BIND_LAZY. Everything |
| 40 |
should be RELRO, as it never causes problems; the only thing that |
| 41 |
doesn't like BIND_NOW is X (in particular the graphics drivers). |
| 42 |
|
| 43 |
If an ebuild switches any of this off (not everything is compatible |
| 44 |
with the things the hardened compiler does), you'll see it in the |
| 45 |
compilation logs; look for -fno-pie, -fno-PIE, -nopie, |
| 46 |
-fno-stack-protector, -nonow, -norelro. Of particular note; only "X" |
| 47 |
uses -nonow as far as I know, and nothing uses "-norelro". |
| 48 |
|
| 49 |
If you do 'gcc -v' it'll show you what specs files are being used |
| 50 |
(specs files are accumulative; later files modify/replace entries in |
| 51 |
earlier ones). Also: |
| 52 |
|
| 53 |
echo | gcc -dM -E - | grep -E 'SSP|PIC' |
| 54 |
|
| 55 |
will show: |
| 56 |
|
| 57 |
#define __SSP__ 1 |
| 58 |
#define __SSP_ALL__ 2 |
| 59 |
#define __PIC__ 1 |
| 60 |
|
| 61 |
if the compiler is hardened. |
| 62 |
|
| 63 |
-- |
| 64 |
Kevin F. Quinn |
Archives