Old 02-01-2008, 08:32 PM
Eric Martin
 
Switching to hardened

Dan Farrell wrote:

You might consider building packages but not installing them -- I think
could use --buildpkgonly (aka -B) to achieve this end. If the world
emerge with a -B flag finishes successfully, I think that means all
packages were built and you are ready to emerge world with --usepkgonly
(-K) without having to worry about build-time issues that could cause
conflicting packages on the system.



But what does everyone else think?



I like it. The only problem is it might not work in some situations
where you need program A to compile program B (kde4 requires qt4). I've
never gone from a non-hardened system -> hardened though so take my
comments with a grain of salt. This could also work on other tricky
upgrades.

--
gentoo-user@lists.gentoo.org mailing list
 
Old 02-11-2008, 09:24 PM
Alex Schuster
 
Switching to hardened

Eric Martin writes:

> Dan Farrell wrote:
> > You might consider building packages but not installing them -- I think
> > could use --buildpkgonly (aka -B) to achieve this end. If the world
> > emerge with a -B flag finishes successfully, I think that means all
> > packages were built and you are ready to emerge world with --usepkgonly
> > (-K) without having to worry about build-time issues that could cause
> > conflicting packages on the system.
> >
> > But what does everyone else think?
>
> I like it. The only problem is it might not work in some situations
> where you need program A to compile program B (kde4 requires qt4). I've
> never gone from a non-hardened system -> hardened though so take my
> comments with a grain of salt. This could also work on other tricky
> upgrades.

Nice idea. Maybe next time... I already had started the migration.

And screwed up. I forgot about distcc being active, so some other boxes
helped in compiling, but they do not have the hardened profile, and thus no
hardened gcc. So, in fact nothing was compiled on the local machine.

I emerged -e again, this time without distcc and ccache. All compiled fine,
except for media-video/mplayer-1.0_rc2_p24929-r1 (vf_decimate.c:26: error:
can't find a register in class `BREG' while reloading `asm') and
net-nntp/pan-0.132-r1, which claims to need about 300 more megabytes of
memory to compile.

I did not reboot yet as I am not near the machine, but so far things work
well. Mplayer is not needed on that machine anyway.


I then decided to harden my desktop PC, too. I want to get some experience
with the hardened setup, and I want that machine to be able to act as a
distcc server for another hardened machine which will be set up soon.

Here, also mplayer and some more packages failed.

x11-misc/xaos-3.2:
i386.c: In function `_control87':
i386.c:31: error: PIC register `bx' clobbered in `asm'
Solved by using the vanilla gcc.

x11-misc/xscreensaver-5.04:
lockward.c:59: error: syntax error before "uint8_t"

app-emulation/dosemu-1.3.3:
vga.c: In function `pcivga_init':
vga.c:493: error: `PCI_CLASS_DISPLAY_VGA' undeclared (first use in this
function)

mplayer: compiles with vanilla gcc.

But most annoying is that the nvidia drivers do not seem to work. First,
they refused to compile telling me that this would do more harm than good
with a hardened setup. I put them into packages.unmask, now they compile
and the nvidia module loads, but still X has no GLX, xorg.0.log
says "Failed to initialize GLX extension (NVIDIA X driver not found)",
glxinfo segfaults. I guess I will try to re-compile all X stuff with the
vanilla gcc.

Would it be possible to make these changes permanent, that is, can I tell
portage to compile specific packages with a specific
compiler? /etc/portage/package.compilerflavor or something?

If this makes things complicated, I think I will go back to a normal setup
at least for my desktop machine. The hardened gcc will stay for distcc
purposes (I will run two distccs on different ports, one for the hardened,
one for the vanilla gcc), but I prefer to have a system which will run
OpenGL.

Wonko
--
gentoo-user@lists.gentoo.org mailing list
 
Old 02-12-2008, 01:38 PM
Willie Wong
 
Switching to hardened

On Mon, Feb 11, 2008 at 11:24:49PM +0100, Penguin Lover Alex Schuster squawked:
> I emerged -e again, this time without distcc and ccache. All compiled fine,
> except for media-video/mplayer-1.0_rc2_p24929-r1 (vf_decimate.c:26: error:
> can't find a register in class `BREG' while reloading `asm') and

http://bugs.gentoo.org/show_bug.cgi?id=175627

Like you found below, it can be avoided using vanilla GCC.
That is why I still only have mplayer-1.0_rc1-r2, that one compiled
okay.

> I then decided to harden my desktop PC, too. I want to get some experience
> with the hardened setup, and I want that machine to be able to act as a
> distcc server for another hardened machine which will be set up soon.

> x11-misc/xscreensaver-5.04:
> lockward.c:59: error: syntax error before "uint8_t"

Not a problem with hardened.
http://bugs.gentoo.org/show_bug.cgi?id=208731
Meanwhile, downgrade to 5.03, that one works.

> But most annoying is that the nvidia drivers do not seem to work. First,

what card and which drivers?
I have an old card that is not supported by drivers >= 1.0.9700, so
... scratch that, I didn't notice that the versioning scheme changed.

http://www.gentoo.org/doc/en/nvidia-guide.xml

> they refused to compile telling me that this would do more harm than good
> with a hardened setup. I put them into packages.unmask, now they compile
> and the nvidia module loads, but still X has no GLX, xorg.0.log
> says "Failed to initialize GLX extension (NVIDIA X driver not found)",

This really does not sound like a hardened issue... I need to upgrade
my drivers to the 96.* to see if I can reproduce your problem, but
with 1.0.8776 (from two years ago) I definitely do not have your
problem.

> glxinfo segfaults. I guess I will try to re-compile all X stuff with the
> vanilla gcc.

glxinfo segfaulting is expected. Do you have chpax/paxctl installed? There
are a metric shitload of stuff that will run afoul of pax on hardened.
A quick list from my /etc/conf.d/chpax has (admittedly, this is info
that is two years old, since chpax is obsolete and hasn't been
updated)

java, wine, xorg, xine, openoffice, mplayer, mozilla, firefox,
glxinfo, glxgears, ut2004, skype

glxinfo has problem with mprotect. Check your system log, there should
be something to that effect when your hardened system shuts glxinfo
down.

I have my entire system on the
hardened profile (including X and nvidia [yes, despite the warnings of
the hardened team about nvidia]) and no problems. My guess is that
your problem with GLX lies somewhere else.

> Would it be possible to make these changes permanent, that is, can I tell
> portage to compile specific packages with a specific
> compiler? /etc/portage/package.compilerflavor or something?

Don't know. On the wiki there is a way to switch CFLAGS, don't know if
something like that can be used to strip SSP and/or PIC flags from the
hardened.

W
--
"Somebody has suggested that as a solution to global warming we just change the
earth's orbit a little bit. Personally, I'm not too keen to carry out this
experiment quite yet."
~DeathMech, S. Sondhi. P-town PHY 205
Sortir en Pantoufles: up 431 days, 12:37
--
gentoo-user@lists.gentoo.org mailing list
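Willie's advice above is to check the system log for the PaX message that appears when the hardened kernel kills glxinfo. The script below is an added example, not from the thread or from the PaX or paxctl projects: it pulls the killed binaries out of kernel log lines so an administrator can see which programs need a paxctl exception. The log lines are constructed to resemble PaX "terminating task" messages; the exact wording assumed here may differ between PaX versions, and the `paxctl -m` command is only printed, never run.

```shell
#!/bin/sh
# Added example (not from the thread): list the binaries that PaX terminated,
# based on kernel log lines, and show the paxctl command that would relax
# MPROTECT for each one. The log format is an assumption modelled on PaX's
# "PAX: terminating task:" messages.

# Constructed sample of what `dmesg` might show on a hardened box after
# running glxinfo twice and a PaX-unaware Java VM once.
SAMPLE_LOG='[ 1203.441] PAX: terminating task: /usr/bin/glxinfo(glxinfo):4321, uid/euid: 1000/1000, PC: 00000000b7f0a123, SP: 00000000bfa1c560
[ 1203.441] PAX: bytes at PC: ff d0 83 c4 10 85 c0 74 0c
[ 1310.020] PAX: terminating task: /opt/sun-jdk/bin/java(java):4410, uid/euid: 1000/1000, PC: 00000000b7f0a123, SP: 00000000bfa1c560
[ 1311.002] PAX: terminating task: /usr/bin/glxinfo(glxinfo):4450, uid/euid: 1000/1000, PC: 00000000b7f0a123, SP: 00000000bfa1c560
[ 1400.000] usb 1-1: new full speed USB device'

# pax_killed_binaries: read log lines on stdin, print each killed binary once.
# The path is everything between "terminating task: " and the first "(".
pax_killed_binaries() {
    sed -n 's/^.*PAX: terminating task: \([^(]*\)(.*$/\1/p' | sort -u
}

# pax_kill_count PATH: how many times PATH was terminated in the log on stdin.
# grep -c exits 1 when there are no matches, so mask that for set -e callers.
pax_kill_count() {
    grep -c "PAX: terminating task: $1(" || true
}

# report: one line per killed binary with the paxctl command that would
# disable MPROTECT for it (printed only; decide case by case before applying).
report() {
    printf '%s\n' "$SAMPLE_LOG" | pax_killed_binaries | while read -r bin; do
        n=$(printf '%s\n' "$SAMPLE_LOG" | pax_kill_count "$bin")
        printf '%s killed %s time(s); to disable MPROTECT: paxctl -m %s\n' "$bin" "$n" "$bin"
    done
}

report
```

On a live system, replace `SAMPLE_LOG` with the output of `dmesg`. A binary without a PT_PAX_FLAGS program header needs `paxctl -c` first to convert its PT_GNU_STACK header before `-m` can be applied; relaxing MPROTECT should be done only for the specific binaries that actually need it, since it is the protection against runtime code generation that makes glxinfo and friends fail in the first place.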
 
Old 02-14-2008, 12:33 PM
Alex Schuster
 
Switching to hardened

Willie Wong wrote Wonko:

> On Mon, Feb 11, 2008 at 11:24:49PM +0100, Penguin Lover Alex Schuster
> squawked:
> > I emerged -e again, this time without distcc and ccache. All compiled
> > fine, except for media-video/mplayer-1.0_rc2_p24929-r1
> > (vf_decimate.c:26: error: can't find a register in class `BREG' while
> > reloading `asm') and
>
> http://bugs.gentoo.org/show_bug.cgi?id=175627
>
> Like you found below, it can be avoided using vanilla GCC.
> That is why I still only have mplayer-1.0_rc1-r2, that one compiled
> okay.

Isn't that the version with those many security holes? But then, looking at
<http://www.mplayerhq.hu/design7/news.html>, it seems that all versions pre
r25824 have some.


> > x11-misc/xscreensaver-5.04:
> > lockward.c:59: error: syntax error before "uint8_t"
>
> Not a problem with hardened.
> http://bugs.gentoo.org/show_bug.cgi?id=208731
> Meanwhile, downgrade to 5.03, that one works.

Thanks!

> > But most annoying is that the nvidia drivers do not seem to work.
> > First,
>
> what card and which drivers?

01:00.0 VGA compatible controller: nVidia Corporation NV15 [GeForce2
GTS/Pro] (rev a4)

I have nvidia drivers version 71.86.01 running now. I also re-compiled
xorg-server, with vanilla gcc, GLX is running fine again, and I am happy.

> I have an old card that is not supported by drivers >= 1.0.9700, so
> ... scratch that, I didn't notice that the versioning scheme changed.
>
> http://www.gentoo.org/doc/en/nvidia-guide.xml
>
> > they refused to compile telling me that this would do more harm than
> > good with a hardened setup. I put them into packages.unmask, now they
> > compile and the nvidia module loads, but still X has no GLX, xorg.0.log
> > says "Failed to initialize GLX extension (NVIDIA X driver not found)",
>
> This really does not sound like a hardened issue... I need to upgrade
> my drivers to the 96.* to see if I can reproduce your problem, but
> with 1.0.8776 (from two years ago) I definitely do not have your
> problem.

Maybe I'll try again with hardened then. My experience with nvidia is that
it makes LOTS of trouble. This, and VMware, often made kernel updates
a real pain for me. I often got those errors before, with the desktop
profile, on different machines.


> > glxinfo segfaults. I guess I will try to re-compile all X stuff with
> > the vanilla gcc.
>
> glxinfo segfaulting is expected. Do you have chpax/paxctl installed?

No, not yet. I must admit I do not know much about hardened yet, but I want
to play around with it and get some experience, so I started with preparing
the setup by setting the hardened profile and switching to a hardened
kernel.


> I have my entire system on the
> hardened profile (including X and nvidia [yes, despite the warnings of
> the hardened team about nvidia]) and no problems. My guess is that
> your problem with GLX lies somewhere else.

That's good to hear! So I will stick with hardened.

> > Would it be possible to make these changes permanent, that is, can I
> > tell portage to compile specific packages with a specific
> > compiler? /etc/portage/package.compilerflavor or something?
>
> Don't know. On the wiki there is a way to switch CFLAGS, don't know if
> something like that can be used to strip SSP and/or PIC flags from the
> hardened.

I don't find this information there, I guess I did not look hard enough. But
there is /etc/portage/bashrc, I can put a little script in there, stripping
those flags for the given packages. No problem.

Thanks again,

Wonko
--
gentoo-user@lists.gentoo.org mailing list
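Alex's closing plan is to drop a small script into /etc/portage/bashrc that strips the hardening flags for the handful of packages that will not build with them. The snippet below is an added example of that approach and is neither Alex's script nor anything shipped by Gentoo. It assumes, as portage documents, that CATEGORY and PN are set when bashrc is sourced, and that the flags worth turning off are the SSP and PIE ones; the package list is constructed from the failures reported in this thread.

```shell
#!/bin/sh
# Added example (not the poster's script): per-package removal of SSP/PIE
# flags, in the style of an /etc/portage/bashrc hook. Assumes portage exports
# CATEGORY and PN when it sources this file.

# Packages this thread reports as failing under the hardened toolchain.
# Constructed list; extend it as new failures turn up.
NOHARDEN_PKGS="media-video/mplayer x11-misc/xaos x11-base/xorg-server"

# in_list WORD LIST -> exit 0 if WORD is one of the space-separated LIST items
in_list() {
    needle=$1
    for item in $2; do
        [ "$item" = "$needle" ] && return 0
    done
    return 1
}

# strip_hardening_flags CFLAGS -> prints CFLAGS without SSP/PIE/FORTIFY flags.
# -fPIC is deliberately left alone: shared objects still need it.
strip_hardening_flags() {
    out=""
    for flag in $1; do
        case $flag in
            -fstack-protector*|-fPIE|-fpie|-pie|-D_FORTIFY_SOURCE=*) ;;
            *) out="$out${out:+ }$flag" ;;
        esac
    done
    printf '%s\n' "$out"
}

# flags_for PACKAGE CFLAGS -> prints the flags portage should use for PACKAGE.
# For listed packages the positive flags are removed and explicit -fno-*
# overrides appended, since a hardened gcc turns SSP/PIE on by default
# through its specs even when CFLAGS never mentions them.
flags_for() {
    if in_list "$1" "$NOHARDEN_PKGS"; then
        base=$(strip_hardening_flags "$2")
        printf '%s\n' "${base}${base:+ }-fno-stack-protector -fno-PIE"
    else
        printf '%s\n' "$2"
    fi
}

# The bashrc hook itself: only active when portage has set CATEGORY and PN.
if [ -n "${CATEGORY:-}" ] && [ -n "${PN:-}" ]; then
    CFLAGS=$(flags_for "$CATEGORY/$PN" "${CFLAGS:-}")
    CXXFLAGS=$(flags_for "$CATEGORY/$PN" "${CXXFLAGS:-}")
    export CFLAGS CXXFLAGS
fi
```

Keeping the exception list short and explicit is the point: every package added here loses stack protection and PIE, so a merge log should make it easy to see which packages were built this way. Note that this does not help glxinfo, whose failure is a PaX MPROTECT denial at run time rather than a build-time problem.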
 