On Thu, January 17, 2008 20:57, Ned Ludd wrote:
>
> On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
>> I'd like to give it a try. I'd like to help by testing it.
>> I've found this:
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>> It seems to be a bit outdated, since binutils and glibc versions are all
>> right now by default. Should I just unhardmask gcc-4* and go ahead?
>> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
>>
>> Provide me some hints, please!
>> (Solar? Kevin?)
>
> Of course there is the KQ overlay. For those who simply want basic
> hardening that have no desire to wait for it to hit the tree. I'd
> suggest just unmasking gcc-4, build it and then injecting some gcc
> specs to handle it auto building hardened alike bins.
>
> One of my setups looks like this.
>
> solar@hangover /etc/env.d/gcc $ gcc-config -l
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
> [7] x86_64-pc-linux-gnu-4.1.2-hardened *
>
> solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened
> PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32"
> MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man"
> INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info"
> STDCXX_INCDIR="g++-v4"
> GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs"
>
>
> #
> The line that matters here is the one that defines GCC_SPECS=
>
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs
> Or
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs
>
>
> solar@hangover /etc/env.d/gcc $ wget -O - -q http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2 | tar jtf -
> etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened
> usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs
>
>
> On another box that is pure gcc-4 I also handle pie/pic/etc
> via /etc/portage/env/
>
> That setup looks like
>
> homeless env # find . -type l -ls
> 586387 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./net-misc/openssh -> ../env.pie
snip
> 586413 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./www-servers/apache -> ../env.pie
> 586424 0 lrwxrwxrwx 1 root root 10 Jan 7 21:08 ./www-servers/lighttpd -> ../env.pie
> 586419 0 lrwxrwxrwx 1 root root 10 Oct 21 16:06 ./dev-util/cvs -> ../env.pie
>
> homeless env # cat env.pie
> # This file can be sourced in on packages to build them as ET_DYN
>
> if [[ ${CFLAGS/-fPIC/} == $CFLAGS ]]; then
> echo " * Exporting: old pic compiler flag in $EBUILD_PHASE"
> CFLAGS="${CFLAGS} -fPIC"
> CXXFLAGS="$CFLAGS"
> fi
>
> if [[ ${LDFLAGS/-pie/} == $LDFLAGS ]]; then
> echo " * Exporting: old pie linker flag in $EBUILD_PHASE"
> LDFLAGS="$LDFLAGS -pie"
> fi
>
> export CFLAGS CXXFLAGS LDFLAGS
>
>
> Note: That both of the methods I have shown do not enable SSP in gcc-4.
>
Thanks for the suggestions.
BTW: why don't you enable SSP? If I were to spend my time on separate specs,
I would surely go for SSP as well. Are there any known problems?
>
>> I feel myself alone.
>
> What you do in private is your own business.
>
Alone, not lonely.
Thx,
Dw.
>
> --
> Ned Ludd <solar@gentoo.org>
> Gentoo Linux
>
--
gentoo-hardened@lists.gentoo.org mailing list
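Both setups in the thread (the hardened.specs file selected through GCC_SPECS, and the env.pie hook that adds -fPIC/-pie) aim to produce ET_DYN executables, and Ned notes that neither enables SSP. The following checker is an added example, not code from the thread or from Gentoo: it reads an ELF file's e_type to tell ET_DYN (PIE) from ET_EXEC and looks for the __stack_chk_fail symbol name, which a binary built with -fstack-protector references through libc. The make_sample helper builds a constructed, minimal ELF64 header plus a fake string table so the check can be exercised offline; the function and file names are this example's own. The symbol scan is a heuristic: a stripped static binary can lose the name, and ET_DYN also describes shared libraries, so "pie" is only meaningful for an executable.

```python
#!/usr/bin/env python3
"""Report whether an ELF file is ET_DYN (PIE) and references __stack_chk_fail (SSP).

Added example for checking the output of a hardened gcc setup; not part of
the mailing-list thread or of any Gentoo tool.
"""
import struct
import sys

ET_EXEC = 2                      # fixed-address executable
ET_DYN = 3                       # position-independent executable or shared object
SSP_SYMBOL = b"__stack_chk_fail"  # referenced by code built with -fstack-protector


def elf_type(data: bytes) -> int:
    """Return e_type from the ELF header, honouring the file's byte order."""
    if len(data) < 18 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    endian = "<" if data[5] == 1 else ">"   # EI_DATA: 1 = little-endian, 2 = big-endian
    return struct.unpack(endian + "H", data[16:18])[0]


def uses_ssp(data: bytes) -> bool:
    """Heuristic: the symbol name survives in the dynamic string table even after strip,
    but a stripped static binary may not carry it."""
    return SSP_SYMBOL in data


def hardening_report(data: bytes) -> dict:
    """Summarise the two properties the thread's setups are meant to control."""
    e_type = elf_type(data)
    return {"e_type": e_type, "pie": e_type == ET_DYN, "ssp": uses_ssp(data)}


def make_sample(e_type: int, with_ssp: bool) -> bytes:
    """Constructed sample input: a 64-byte ELF64 little-endian x86_64 header followed
    by a fake string table. Only the fields the checker reads are meaningful."""
    # e_ident: magic, EI_CLASS=2 (64-bit), EI_DATA=1 (LE), EI_VERSION=1, padding
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    # e_type, e_machine (62 = EM_X86_64), e_version, e_entry, e_phoff, e_shoff,
    # e_flags, e_ehsize (64), e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 e_type, 62, 1, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0)
    strtab = b"\x00libc.so.6\x00printf\x00"
    if with_ssp:
        strtab += SSP_SYMBOL + b"\x00"
    return header + strtab


def main(argv):
    """Usage: elfcheck.py /path/to/binary ... ; with no arguments, run on the samples."""
    if len(argv) > 1:
        targets = [(path, open(path, "rb").read()) for path in argv[1:]]
    else:
        targets = [("sample-pie-ssp", make_sample(ET_DYN, True)),
                   ("sample-exec-nossp", make_sample(ET_EXEC, False))]
    for name, data in targets:
        r = hardening_report(data)
        print(f"{name}: e_type={r['e_type']} pie={r['pie']} ssp={r['ssp']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a binary built under the hardened profile and then against one built with the vanilla profile: the first should report pie=True, and ssp=False is the expected result for the gcc-4 setups the thread describes, since neither adds -fstack-protector.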