On Thu, 16 Mar 2006 23:02:19 -0600
Mikey <mikey@×××××××××××.com> wrote:

> What I am curious about is the fact that I didn't really notice any
> special CFLAGS being used while everything was compiling. Various
> documents tell me it is transparent, that the settings are read from
> the gcc spec file. Should I not be seeing cflags specific to hardened
> settings while everything is compiling?

No, you won't see anything in the compilation logs. The flags are
switched on automatically by the hardened gcc specs.

> So I guess my question is - how do I know everything is actually
> being compiled with the hardened specific flags? A diff
> on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs
> shows no differences, is it safe to assume the default specs file is
> being used even though it is not being set anywhere in the
> environment?

The hardened gcc specs do four things:

1) compiles with -fPIE, links with -fPIE -pie, to create position
independent executables. 'readelf -h <executable>' will show the type
as "DYN" instead of "EXEC". 'scanelf -pRE ET_EXEC' will find any
non-PIEs on your path. There will be some.

2) compiles with -fstack-protector-all (except in some situations where
we know it causes trouble). Not so easy to check, but 'readelf -s
<executable/library> | grep stack_smash_handler' should show references
(will be stack_chk_fail if/when we move to gcc-4.1), 'scanelf -qplRS
__stack_smash_handler' will list all the executables/libraries that use
SSP (I don't know of a quick way to find anything that _doesn't_
reference a given symbol). Again, there will be some stuff that
doesn't use SSP.

3) links with -z relro and -z now. 'readelf -l <file>' will
show a GNU_RELRO program header and 'readelf -d <file>' will show a tag
type "FLAGS" with value "BIND_NOW". 'scanelf -plRb' will show you
whether each exec/library/object is BIND_NOW or BIND_LAZY. Everything
should be RELRO, as it never causes problems; the only thing that
doesn't like BIND_NOW is X (in particular the graphics drivers).

If an ebuild switches any of this off (not everything is compatible
with the things the hardened compiler does), you'll see it in the
compilation logs; look for -fno-pie, -fno-PIE, -nopie,
-fno-stack-protector, -nonow, -norelro. Of particular note: only "X"
uses -nonow as far as I know, and nothing uses "-norelro".

If you do 'gcc -v' it'll show you what specs files are being used
(specs files are accumulative; later files modify/replace entries in
earlier ones). Also:

echo | gcc -dM -E - | grep -E 'SSP|PIC'

will show:

#define __SSP__ 1
#define __SSP_ALL__ 2
#define __PIC__ 1

if the compiler is hardened.

--
Kevin F. Quinn
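The same three checks the reply describes (PIE via e_type, RELRO via a GNU_RELRO program header, BIND_NOW via the dynamic FLAGS tag, plus a search for the SSP handler symbol names), done by reading the ELF structures directly instead of via readelf/scanelf. This is an added example, not code from the thread or from the Gentoo hardened toolchain; it assumes a little-endian ELF64 input, and `build_elf` only constructs a minimal non-loadable image so the checker can be exercised offline.

```python
import struct

# ELF constants from the ELF/gABI spec; only the ones these checks need.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DF_BIND_NOW = 0, 24, 30, 0x8
EHDR, PHDR, DYN = "<16sHHIQQQIHHHHHH", "<IIQQQQQQ", "<qQ"
# gcc-3.4 hardened uses __stack_smash_handler, gcc-4.1+ __stack_chk_fail.
SSP_SYMBOLS = (b"__stack_smash_handler", b"__stack_chk_fail")

def check_hardening(data: bytes) -> dict:
    """Report PIE / RELRO / BIND_NOW / SSP for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    hdr = struct.unpack_from(EHDR, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = hdr[1], hdr[5], hdr[9], hdr[10]
    relro, bind_now = False, False
    for i in range(e_phnum):
        p_type, _, p_off, _, _, p_filesz, _, _ = struct.unpack_from(
            PHDR, data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:          # what 'readelf -l' shows as GNU_RELRO
            relro = True
        elif p_type == PT_DYNAMIC:          # walk the dynamic array for -z now
            for off in range(p_off, p_off + p_filesz, struct.calcsize(DYN)):
                tag, val = struct.unpack_from(DYN, data, off)
                if tag == DT_NULL:
                    break
                if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW):
                    bind_now = True
    return {
        "pie": e_type == ET_DYN,            # 'readelf -h' type DYN vs EXEC
        "relro": relro,
        "bind_now": bind_now,
        # Crude stand-in for 'readelf -s | grep': a raw byte search for the
        # handler names, which on a real binary catches the .dynstr entry.
        "ssp": any(sym in data for sym in SSP_SYMBOLS),
    }

def build_elf(pie=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed minimal ELF64 image (header, phdrs, dynamic array); not loadable."""
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum
    dyn = struct.pack(DYN, DT_FLAGS, DF_BIND_NOW if bind_now else 0) + struct.pack(DYN, DT_NULL, 0)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LSB, version 1
    ehdr = struct.pack(EHDR, ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, 64, 0, 0,
                       64, 56, phnum, 0, 0, 0)
    phdrs = struct.pack(PHDR, PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack(PHDR, PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    tail = b"\0".join(SSP_SYMBOLS) + b"\0" if ssp else b""
    return ehdr + phdrs + dyn + tail

if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_elf()
    print(check_hardening(image))
```

Run it with a path to a real binary to get the same answer the readelf invocations in the reply give; with no argument it checks the constructed image.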