I'd like to give it a try. I'd like to help by testing it.
I've found this:
http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
It seems to be a bit outdated, since binutils and glibc versions are all
right now by default. Should I just unhardmask gcc-4* and go ahead?
What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
Provide me some hints, please!
(Solar? Kevin?)
I feel myself alone.
Thx,
Dw.
--
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
--
gentoo-hardened@lists.gentoo.org mailing list
01-17-2008, 06:30 PM
RB
Hardened gcc-4
I've had 4.x unmasked for some time now, which works fine but doesn't
apply PIE+SSP (or so it would seem). If you have apps that *need*
compilation with a vanilla 4.x, it'll work.
If you want to test an actual hardened 4.x GCC, look at Kevquinn's
pieworld overlay (http://overlays.gentoo.org/dev/kevquinn/wiki) - I
found that with about 2 minutes of bugzilla-foo.
RB
01-17-2008, 06:57 PM
Ned Ludd
Hardened gcc-4
On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
> I'd like to give it a try. I'd like to help by testing it.
> I've found this:
> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
> It seems to be a bit outdated, since binutils and glibc versions are all
> right now by default. Should I just unhardmask gcc-4* and go ahead?
> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
>
> Provide me some hints, please!
> (Solar? Kevin?)
Of course there is the KQ overlay. For those who simply want basic
hardening that have no desire to wait for it to hit the tree. I'd
suggest just unmasking gcc-4, build it and then injecting some gcc
specs to handle it auto building hardened alike bins.
homeless env # cat env.pie
# This file can be sourced in on packages to build them as ET_DYN
if [[ ${CFLAGS/-fPIC/} == "$CFLAGS" ]]; then
    echo " * Exporting: old pic compiler flag in $EBUILD_PHASE"
    CFLAGS="${CFLAGS} -fPIC"
    CXXFLAGS="$CFLAGS"
fi
if [[ ${LDFLAGS/-pie/} == "$LDFLAGS" ]]; then
    echo " * Exporting: old pie linker flag in $EBUILD_PHASE"
    LDFLAGS="$LDFLAGS -pie"
fi
export CFLAGS CXXFLAGS LDFLAGS
Note that both of the methods I have shown do not enable SSP in gcc-4.
> I feel myself alone.
What you do in private is your own business.
--
Ned Ludd <solar@gentoo.org>
Gentoo Linux
01-17-2008, 08:55 PM
Peter Hjalmarsson
Hardened gcc-4
Hi!
Solar's mail raised some questions for me.
On tor, 2008-01-17 at 11:57 -0800, Ned Ludd wrote:
> Of course there is the KQ overlay. For those who simply want basic
> hardening that have no desire to wait for it to hit the tree. I'd
> suggest just unmasking gcc-4, build it and then injecting some gcc
> specs to handle it auto building hardened alike bins.
>
As I understand it, KQ's overlay is just basic hardening? How does this
differ (if it does) from Solar's first suggestion?
Is the stuff hitting portage based on KQ's or will it be based on
something different (is KQ's worth toying with, or does it seem more
like the final implementation could be something that breaks it)?
And is there any status on when it will hit portage (does not need to be
a timeframe, more like whether there are major problems to overcome in the
implementation or if it is just a "minor" (maybe not that minor, as the
problems that can arise from it are not that minor) thing like concerns
about breaking the toolchain, or someone has not had the time to review it
well enough)?
01-18-2008, 02:46 AM
Hardened gcc-4
On Thu, January 17, 2008 20:57, Ned Ludd wrote:
>
> On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
>> I'd like to give it a try. I'd like to help by testing it.
>> I've found this:
>> http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
>> It seems to be a bit outdated, since binutils and glibc versions are all
>> right now by default. Should I just unhardmask gcc-4* and go ahead?
>> What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
>>
>> Provide me some hints, please!
>> (Solar? Kevin?)
>
> Of course there is the KQ overlay. For those who simply want basic
> hardening that have no desire to wait for it to hit the tree. I'd
> suggest just unmasking gcc-4, build it and then injecting some gcc
> specs to handle it auto building hardened alike bins.
>
> One of my setups looks like this.
>
> solar@hangover /etc/env.d/gcc $ gcc-config -l
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
> [7] x86_64-pc-linux-gnu-4.1.2-hardened *
>
> solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened
> PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32"
> MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man"
> INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info"
> STDCXX_INCDIR="g++-v4"
> GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs"
>
>
> #
> The line that matters here is the one that defines GCC_SPECS=
>
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs
> Or
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs
>
>
> solar@hangover /etc/env.d/gcc $ wget -O - -q
> http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2
> | tar jtf -
> etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened
> usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs
>
>
> On another box that is pure gcc-4 I also handle pie/pic/etc
> via /etc/portage/env/
>
> That setup looks like
>
> homeless env # find . -type l -ls
> 586387 0 lrwxrwxrwx 1 root root 10 Oct 21
> 16:06 ./net-misc/openssh -> ../env.pie
snip
> 586413 0 lrwxrwxrwx 1 root root 10 Oct 21
> 16:06 ./www-servers/apache -> ../env.pie
> 586424 0 lrwxrwxrwx 1 root root 10 Jan 7
> 21:08 ./www-servers/lighttpd -> ../env.pie
> 586419 0 lrwxrwxrwx 1 root root 10 Oct 21
> 16:06 ./dev-util/cvs -> ../env.pie
>
> homeless env # cat env.pie
> # This file can be sourced in on packages to build them as ET_DYN
>
> if [[ ${CFLAGS/-fPIC/} == $CFLAGS ]]; then
> echo " * Exporting: old pic compiler flag in $EBUILD_PHASE"
> CFLAGS="${CFLAGS} -fPIC"
> CXXFLAGS="$CFLAGS"
> fi
>
> if [[ ${LDFLAGS/-pie/} == $LDFLAGS ]]; then
> echo " * Exporting: old pie linker flag in $EBUILD_PHASE"
> LDFLAGS="$LDFLAGS -pie"
> fi
>
> export CFLAGS CXXFLAGS LDFLAGS
>
>
> Note: That both of the methods I have shown do not enable SSP in gcc-4.
>
Thanks for the suggestions.
BTW: why don't you enable SSP? If I were to spend my time on separate specs,
I would surely go for SSP as well. Are there any known problems?
>
>> I feel myself alone.
>
> What you do in private is your own business.
>
Alone, not lonely.
Thx,
Dw.
>
> --
> Ned Ludd <solar@gentoo.org>
> Gentoo Linux
>
> --
> gentoo-hardened@lists.gentoo.org mailing list
>
01-18-2008, 06:16 AM
Ned Ludd
Hardened gcc-4
On Fri, 2008-01-18 at 04:46 +0100, atoth@atoth.sote.hu wrote:
> On Thu, January 17, 2008 20:57, Ned Ludd wrote:
> >
> > On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
[snip]
> > Note: That both of the methods I have shown do not enable SSP in gcc-4.
> >
>
> Thanks for the suggestions.
> BTW: why don't you enable SSP? If
> I would spend my time on separate specs, I would surely go for SSP as well.
You are more than welcome to edit the specs for yourself and add the
ssp rules as well. I'm not a big fan of moving forward with ssp myself
and pie/relro/now is cheap/easy suits most of my needs so why not take
advantage of it..
If you want to add ssp to those specs you can probably more or less base
them easy enough off the gcc-3.x specs.
Should/Would look something nearly exactly like this
yes, but please don't ask me to document them for you.
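A check to go with the env.pie flags and the pie/relro/now/ssp specs discussed in this thread: after a package is built with the injected flags, confirm what the binary actually got. This is an added example, not code from the thread or from Gentoo; it assumes GNU binutils `readelf` for the wrapper, and the sample readelf lines embedded below are constructed (column spacing abbreviated).

```shell
#!/bin/sh
# classify_elf_text reads combined readelf -h/-l/-d/-s output on stdin and
# prints the hardening properties it finds, in a fixed order, or "none".
classify_elf_text() {
    input=$(cat)
    out=""
    # -fPIC + -pie yield an ET_DYN executable (readelf shows "Type: DYN").
    # A shared library is DYN as well, so only run this on executables.
    printf '%s\n' "$input" | grep -q 'Type:[[:space:]]*DYN' && out="$out PIE"
    # -Wl,-z,relro adds a GNU_RELRO program header.
    printf '%s\n' "$input" | grep -q 'GNU_RELRO' && out="$out RELRO"
    # -Wl,-z,now sets BIND_NOW in the dynamic section (FLAGS or FLAGS_1).
    printf '%s\n' "$input" | grep -Eq 'BIND_NOW|Flags:.*NOW' && out="$out NOW"
    # -fstack-protector leaves an undefined reference to __stack_chk_fail;
    # it lives in .dynsym, so it survives stripping (static glibc builds
    # are the exception and need a different check).
    printf '%s\n' "$input" | grep -q '__stack_chk_fail' && out="$out SSP"
    out=${out# }
    printf '%s\n' "${out:-none}"
}

# hardening_report FILE: run readelf (assumed installed) and classify.
hardening_report() {
    { readelf -h "$1"; readelf -l "$1"; readelf -d "$1"; readelf -s "$1"; } 2>/dev/null \
        | classify_elf_text
}

# Constructed samples: a fully hardened build, a "hardenednossp" style build
# (pie/relro/now only, like the specs posted above), and a vanilla ET_EXEC.
SAMPLE_HARDENED='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000e00 0x0000000000200e00 0x0000000000200e00
 0x000000000000001e (FLAGS)              BIND_NOW
    12: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)'
SAMPLE_NOSSP='  Type:                              DYN (Shared object file)
  GNU_RELRO      0x000e00 0x0000000000200e00 0x0000000000200e00
 0x000000000000001e (FLAGS)              BIND_NOW'
SAMPLE_VANILLA='  Type:                              EXEC (Executable file)
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'

# Usage on a real file: hardening_report /usr/sbin/sshd
# The samples give "PIE RELRO NOW SSP", "PIE RELRO NOW" and "none".
```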
01-18-2008, 07:03 PM
Hardened gcc-4
Hi Solar!
Thank you for sharing all this valuable information with us.
On Fri, January 18, 2008 08:16, Ned Ludd wrote:
>
> On Fri, 2008-01-18 at 04:46 +0100, atoth@atoth.sote.hu wrote:
>> On Thu, January 17, 2008 20:57, Ned Ludd wrote:
>> >
>> > On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
>
> [snip]
>
>> > Note: That both of the methods I have shown do not enable SSP in
>> gcc-4.
>> >
>>
>> Thanks for the suggestions.
>> BTW: why don't you enable SSP? If
>
>
>> I would spend my time on separate specs, I would surely go for SSP as
>> well.
>
> You are more than welcome to edit the specs for yourself and add the
> ssp rules as well. I'm not a big fan of moving forward with ssp myself
> and pie/relro/now is cheap/easy suits most of my needs so why not take
> advantage of it..
>
> If you want add ssp to those specs you can probably more or less base
> them easy enough off the gcc-3.x specs.
>
> Should/Would look something nearly exactly like this
[snip]
>
>> Are there any known problems?
>
> yes, but please don't ask me to document them for you.
>
I would never ever ask you for that...
I would rather avoid tampering with eclass functions (using KQ overlay).
As far as I can make out: ssp is built into gcc version 4.1+ taken from the
regular portage tree. KQ's version discards two patches, but applies a pie
patch. KQ's glibc installs a handler and takes care of unsupported and
supported archs.
I'll follow your advice and create some specs for the system. I wonder if
the spec files from KQ's overlay could be used along with current portage
toolchain ebuilds (gcc-4.1.1-r3 or gcc-4.1.2 and glibc-2.6.1)? I'm worried
about the pie patch missing...
What is the reason you are not keen on ssp as a security-focused developer?
Again: thx for your efforts.
Regards,
Dw.
01-18-2008, 07:50 PM
Ned Ludd
Hardened gcc-4
On Fri, 2008-01-18 at 21:03 +0100, atoth@atoth.sote.hu wrote:
> Hi Solar!
>
> Thank you for sharing all these valuable informations with us.
>
> --
> dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
> Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
>
> On Fri, January 18, 2008 08:16, Ned Ludd wrote:
> >
> > On Fri, 2008-01-18 at 04:46 +0100, atoth@atoth.sote.hu wrote:
> >> On Thu, January 17, 2008 20:57, Ned Ludd wrote:
> >> >
> >> > On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
> >
> > [snip]
> >
> >> > Note: That both of the methods I have shown do not enable SSP in
> >> gcc-4.
> >> >
> >>
> >> Thanks for the suggestions.
> >> BTW: why don't you enable SSP? If
> >
> >
> >> I would spend my time on separate specs, I would surely go for SSP as
> >> well.
> >
> > You are more than welcome to edit the specs for yourself and add the
> > ssp rules as well. I'm not a big fan of moving forward with ssp myself
> > and pie/relro/now is cheap/easy suits most of my needs so why not take
> > advantage of it..
> >
> > If you want add ssp to those specs you can probably more or less base
> > them easy enough off the gcc-3.x specs.
> >
> > Should/Would look something nearly exactly like this
> [snip]
> >
> >> Are there any known problems?
> >
> > yes, but please don't ask me to document them for you.
> >
>
> I would never ever ask you for that...
>
> I would rather avoid tampering with eclass functions (using KQ overlay).
> As I can make it out: ssp is built into gcc version 4.1+ taken from the
> regular portage tree. KQ's version discards two patches, but applies a pie
> patch. KQ's glibc installs a handler and takes care of unsupported and
> supported archs.
>
> I'll follow your advice and create some specs for the system. I wonder if
> the spec files from KQ's overlay could be used along with current portage
> toolchain ebuilds (gcc-4.1.1-r3 or gcc-4.1.2 and glibc-2.6.1)? I'm worried
> about the pie patch missing...
>
> What is the reason you are not keen on ssp as a security-focused developer?
Sorry, I should have clarified. What I'm keen on is not talking about
gcc-4.x at all. Really I posted the info here not just for you but for
others who might be looking/searching to do the same thing. More or less
so I would hopefully not have to be bugged about gcc-4.x again for
another 6 months. I really don't like talking about it as it personally
frustrates me. You would have to search our archives here to see when I
let go of maintainer-ship of the hardened-toolchain for more details.
Good luck...
02-15-2008, 02:33 AM
Ned Ludd
Hardened gcc-4
On Thu, 2008-01-17 at 11:57 -0800, Ned Ludd wrote:
> On Thu, 2008-01-17 at 20:03 +0100, atoth@atoth.sote.hu wrote:
> > I'd like to give it a try. I'd like to help by testing it.
> > I've found this:
> > http://www.gentoo.org/proj/en/hardened/toolchain-upgrade-guide.xml
> > It seems to be a bit outdated, since binutils and glibc versions are all
> > right now by default. Should I just unhardmask gcc-4* and go ahead?
> > What about this one: https://bugs.gentoo.org/show_bug.cgi?id=106690?
> >
> > Provide me some hints, please!
> > (Solar? Kevin?)
>
> Of course there is the KQ overlay. For those who simply want basic
> hardening that have no desire to wait for it to hit the tree. I'd
> suggest just unmasking gcc-4, build it and then injecting some gcc
> specs to handle it auto building hardened alike bins.
>
> One of my setups looks like this.
>
> solar@hangover /etc/env.d/gcc $ gcc-config -l
> [1] x86_64-pc-linux-gnu-3.4.6
> [2] x86_64-pc-linux-gnu-3.4.6-hardenednopie
> [3] x86_64-pc-linux-gnu-3.4.6-hardenednopiessp
> [4] x86_64-pc-linux-gnu-3.4.6-hardenednossp
> [5] x86_64-pc-linux-gnu-3.4.6-vanilla
> [6] x86_64-pc-linux-gnu-4.1.2
> [7] x86_64-pc-linux-gnu-4.1.2-hardened *
>
> solar@hangover /etc/env.d/gcc $ cat x86_64-pc-linux-gnu-4.1.2-hardened
> PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> ROOTPATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> GCC_PATH="/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2"
> LDPATH="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2:/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/32"
> MANPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man"
> INFOPATH="/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info"
> STDCXX_INCDIR="g++-v4"
> GCC_SPECS="/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs"
>
>
> #
> The line that matters here is the one that defines GCC_SPECS=
>
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86_64-hardenednossp.specs
> Or
> http://dev.gentoo.org/~solar/hardened/gcc-4.1.1-x86-hardenednossp.specs
>
>
> solar@hangover /etc/env.d/gcc $ wget -O - -q
> http://dev.gentoo.org/~solar/x86_64-pc-linux-gnu-4.1.2-hardened.tar.bz2
> | tar jtf -
> etc/env.d/gcc/x86_64-pc-linux-gnu-4.1.2-hardened
> usr/lib64/gcc/x86_64-pc-linux-gnu/4.1.2/hardened.specs
>
Just noticed I did not have 4.1.2 specs for x86 anywhere online.. So
here are some with pie/now/relro/ssp...
>
> Just noticed I did not have 4.1.2 specs for x86 anywhere online.. So
> here are some with pie/now/relro/ssp...
>
http://tinderbox.dev.gentoo.org/portage/local/misc/i686-pc-linux-gnu-4.1.2-hardened.tar.bz2
>
Thx, Solar. That will be very handy for my early transition!