public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2010-08-07 13:31 Angelo Arrifano (miknix)
  0 siblings, 0 replies; 10+ messages in thread
From: Angelo Arrifano (miknix) @ 2010-08-07 13:31 UTC
  To: gentoo-commits

miknix      10/08/07 13:31:02

  Modified:             hardenedfaq.xml
  Log:
  Update code listing 2.3 to use eselect for choosing profile.

Revision  Changes    Path
1.23                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.23&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.23&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.22&r2=1.23

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -r1.22 -r1.23
--- hardenedfaq.xml	4 Feb 2007 16:42:56 -0000	1.22
+++ hardenedfaq.xml	7 Aug 2010 13:31:02 -0000	1.23
@@ -343,10 +343,24 @@
 <body>
 
 <pre caption="Set make.profile">
-# <i>cd /etc</i>
-# <i>rm make.profile</i>
-# <i>ln -s ../usr/portage/profiles/hardened/x86 make.profile</i> <comment>(For 2.4 kernels)</comment>
-# <i>ln -s ../usr/portage/profiles/hardened/x86/2.6 make.profile</i> <comment>(For 2.6 kernels)</comment>
+# <i>eselect profile list</i>
+[1]   default/linux/amd64/10.0
+[2]   default/linux/amd64/10.0/desktop
+[3]   default/linux/amd64/10.0/desktop/gnome *
+[4]   default/linux/amd64/10.0/desktop/kde
+[5]   default/linux/amd64/10.0/developer
+[6]   default/linux/amd64/10.0/no-multilib
+[7]   default/linux/amd64/10.0/server
+[8]   hardened/linux/amd64/10.0
+[9]   hardened/linux/amd64/10.0/no-multilib
+[10]  selinux/2007.0/amd64
+[11]  selinux/2007.0/amd64/hardened
+[12]  selinux/v2refpolicy/amd64
+[13]  selinux/v2refpolicy/amd64/desktop
+[14]  selinux/v2refpolicy/amd64/developer
+[15]  selinux/v2refpolicy/amd64/hardened
+[16]  selinux/v2refpolicy/amd64/server
+# <i>eselect profile set 8</i> <comment>(replace 8 with the desired hardened profile)</comment>
 </pre>
 
 <p>
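Review bot: the new `# <i>eselect profile set 8</i>` step hardcodes an index taken from an amd64 listing, while the removed x86 2.4/2.6 symlink variants gave no hint that the numbering differs per architecture and tree snapshot; tell the reader to pick the `hardened/...` entry from their own `eselect profile list` output rather than blindly setting 8. The unchanged `<pre caption="Set make.profile">` caption still names the symlink method this hunk removes, so rename it to something like "Select the hardened profile".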

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2010-08-17 22:35 Angelo Arrifano (miknix)
  0 siblings, 0 replies; 10+ messages in thread
From: Angelo Arrifano (miknix) @ 2010-08-17 22:35 UTC
  To: gentoo-commits

miknix      10/08/17 22:35:06

  Modified:             hardenedfaq.xml
  Log:
  Debug PIEs with gdb: Update gdb version to 7.1, according to Zorry.

Revision  Changes    Path
1.24                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.24&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.24&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.23&r2=1.24

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- hardenedfaq.xml	7 Aug 2010 13:31:02 -0000	1.23
+++ hardenedfaq.xml	17 Aug 2010 22:35:05 -0000	1.24
@@ -393,7 +393,7 @@
 Try adding <c>-nopie</c> to LDFLAGS if you're building with emerge.
 </p>
 <p>
-Another way of accomplishing this, it to emerge =sys-devel/gdb-6.3-r5, which contains
+Another way of accomplishing this, it to emerge >=sys-devel/gdb-7.1, which contains
 a special patch that makes it able to debug executeables linked with -pie.
 </p>
 <p>
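Review bot: the rewritten line keeps the typo in `Another way of accomplishing this, it to emerge >=sys-devel/gdb-7.1`; since it is being touched anyway, make it `is to emerge`, and fix `executeables` on the following context line. Turning the exact `=sys-devel/gdb-6.3-r5` pin into the `>=` lower bound matches the log message, so that part is fine.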

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2011-01-25 23:07 Magnus Granberg (zorry)
  0 siblings, 0 replies; 10+ messages in thread
From: Magnus Granberg (zorry) @ 2011-01-25 23:07 UTC
  To: gentoo-commits

zorry       11/01/25 23:07:38

  Modified:             hardenedfaq.xml
  Log:
  added the new hardenedfaq.xml for hardened proj

Revision  Changes    Path
1.25                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.24&r2=1.25

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- hardenedfaq.xml	17 Aug 2010 22:35:05 -0000	1.24
+++ hardenedfaq.xml	25 Jan 2011 23:07:38 -0000	1.25
@@ -1,5 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.25 2011/01/25 23:07:38 zorry Exp $ -->
 
 <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -15,148 +16,42 @@
 <author title="Contributor">
   <mail link="pageexec@freemail.hu">The PaX Team</mail>
 </author>
+<author title="Contributor">
+  <mail link="klondike@xiscosoft.es">klondike</mail>
+</author>
+<author title="Contributor">
+  <mail link="zorry@gentoo.org">Magnus Granberg</mail>
+</author>
+<author title="Contributor">
+  <mail link="blueness@gentoo.org">Anthony G. Basile</mail>
+</author>
 
 <abstract>
 Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
 the gentoo-hardened mailing list.
 </abstract>
 
-<version>1.9</version>
-<date>2006-02-18</date>
+<version>3.2</version>
+<date>2011-1-19</date>
 
-<chapter>
+<faqindex>
 <title>Questions</title>
 <section>
-<title>General</title>
-<body>
-
-<ul>
-  <li>
-    <uri link="#toolchain">What exactly is the "toolchain"?</uri>
-  </li>
-  <li>
-    <uri link="#whichisbetter">What should I use: grsecurity, RSBAC or
-    SELinux?</uri>
-  </li>
-  <li>
-    <uri link="#aclall">Is it possible to use grsecurity, RSBAC, SELinux and 
-    PaX all at the same time?</uri>
-  </li>
-  <li>
-    <uri link="#hardenedcflags">Do I need to pass any flags to LDFLAGS/CFLAGS in
-    order to turn on PIE/SSP building?</uri>
-  </li>
-  <li>
-    <uri link="#hardenedcflagsoff">How do I turn off PIE/SSP building?</uri>
-  </li>
-  <li>
-    <uri link="#fsexec">My kernel compilation fails with the error "error:
-    structure has no member named `curr_ip'", how do I fix that?</uri>
-  </li>
-  <li>
-    <uri link="#hardenedproject">I just found out about the hardened project; do
-    I have to install everything on the project page in order to install
-    Hardened Gentoo?</uri>
-  </li>
-  <li>
-    <uri link="#Othreessp">Why don't my programs work when I use CFLAGS="-O3"
-    and hardened gcc?</uri>
-  </li>
-  <li>
-    <uri link="#cascadebootstrap">What happened to bootstrap-cascade.sh?</uri>
-  </li>
-  <li>
-    <uri link="#hardenedprofile">How do I switch to the hardened profile?</uri>
-  </li>
-  <li>
-    <uri link="#hardeneddebug">How do I debug with gdb?</uri>
-  </li>
-</ul>
-
-</body>
-</section>
-
-<section>
-<title>PaX</title>
-<body>
-
-<ul>
-  <li>
-    <uri link="#paxinformation">What is the homepage for PaX?</uri>
-  </li>
-  <li>
-    <uri link="#paxgentoodoc">What Gentoo documentation exists about PaX?</uri>
-  </li>
-  <li>
-    <uri link="#paxnoelf">I keep getting the message: "error while loading
-    shared libraries: cannot make segment writable for relocation: Permission
-    denied."  What does this mean?  </uri>
-  </li>
-  <li>
-    <uri link="#paxjava">Ever since I started using PaX I can't get Java
-    working, why?</uri>
-  </li>
-</ul>
-
-</body>
-</section>
-
-<section>
-<title>grsecurity</title>
+<title>Introduction</title>
 <body>
 
-<ul>
-  <li>
-    <uri link="#grsecinformation">What is the homepage for grsecurity?</uri>
-  </li>
-  <li>
-    <uri link="#grsecgentoodoc">What Gentoo documentation exists about
-    grsecurity?</uri>
-  </li>
-  <li>
-    <uri link="#grsec2681">Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9
-    kernel?</uri>
-  </li>
-</ul>
-
-</body>
-</section>
-
-<section>
-<title>RSBAC</title>
-<body>
-
-<ul>
-  <li>
-    <uri link="#rsbacinformation">What is the homepage for RSBAC?</uri>
-  </li>
-  <li>
-    <uri link="#rsbacgentoodoc">What Gentoo documentation exists about
-    RSBAC?</uri>
-  </li>
-  <li>
-    <uri link="#rsbacinitrd">How do I use an initial ramdisk with a RSBAC
-    enabled kernel?</uri>
-  </li>
-</ul>
-
-</body>
-</section>
-
-<section>
-<title>SELinux</title>
-<body>
-
-<ul>
-  <li>
-    <uri link="#selinuxfaq">Where can I find SELinux related frequently asked
-    questions?</uri>
-  </li>
-</ul>
+<p>
+The following is a collection of questions collected from #gentoo-hardened IRC
+channel and the gentoo-hardened mailing list. As such, is geared towards
+answering fast and concisely rather than providing a whole insight on the
+technologies behind Gentoo Hardened. It is advisable reading the rest of the
+documentation on the Gentoo Hardened Project page and that on  the projects'
+home pages in order to get a better insight.
+</p>
 
 </body>
 </section>
-</chapter>
+</faqindex>
 
 <chapter>
 <title>General Questions</title>
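Review bot: `<date>2011-1-19</date>` drops the zero padding used by the previous `<date>2006-02-18</date>`; use `2011-01-19` so the date parses and sorts consistently with the rest of the tree. The new introduction paragraph also needs a grammar pass: `As such, is geared towards` has no subject (`As such, it is geared towards`), `It is advisable reading the rest of the documentation` should be `It is advisable to read the rest of the documentation`, and there is a doubled space in `on  the projects'`.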
@@ -175,96 +70,125 @@
 </section>
 
 <section id="whichisbetter">
-<title>What should I use: grsecurity, RSBAC or SELinux?</title>
+<title>What should I use: Grsecurity's RBAC or SELinux?</title>
 <body>
 
 <p>
-The answer to this question is highly subjective, so the hardened Gentoo project
-simply tries to lay out each technology and leave the choice up to the user.
-This decision requires a lot of research that we have hopefully provided clearly
-in the hardened documentation.  However, if you have any specific questions
-about the security model that each provides, feel free to question the relevant
-developer in our IRC channel or on the mailing list.
+The answer to this question is highly subjective, and very dependent on your
+requisites so the hardened Gentoo project simply tries to lay out each
+technology and leave the choice up to the user. This decision requires a lot of
+research that we have hopefully provided clearly in the hardened documentation.
+However, if you have any specific questions about the security model that each
+provides, feel free to question the relevant developer in our IRC channel or on
+the mailing list.
 </p>
 
 </body>
 </section>
 
 <section id="aclall">
-<title>Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same
+<title>Is it possible to use Grsecurity, SELinux and PaX all at the same
 time?</title>
 <body>
 
 <p>
-Yes, this combination is quite possible as PaX works with grsecurity, RSBAC
-and SELinux.  The only conflict that arises is you can only use one access
-control system.
+Yes, this combination is quite possible as PaX and some of Grsecurity's features
+work with Grsecurity's RBAC and SELinux. The only conflict that arises is you
+can only use one access control system (be it RBAC or SELinux).
 </p>
 
 </body>
 </section>
 
 <section id="hardenedcflags">
-<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on PIE/SSP
-building?</title>
+<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
+hardened building?</title>
 <body>
 
 <p>
 No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE
--fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> automatically
-through GCC's specfile which is a more proper solution.  For older hardened-gcc
-users, add <c>USE="hardened pic"</c> to your <path>/etc/make.conf</path> and 
-then upgrade with the following commands:
+-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c>
+automatically through GCC's built-in spec and using the specfiles to disable
+them which is a more proper solution. For older hardened-gcc users the best
+approach is switch to the hardened profile and then upgrade following the steps
+on the <uri link="#hardenedprofile">How to switch to Gentoo Hardened question
+</uri>
 </p>
 
-<pre caption="Hardened Toolchain Installation">
-# <i>emerge --oneshot binutils gcc virtual/libc</i>
-# <i>emerge -e world</i>
-</pre>
+<note>
+Manually enabling the hardening flags it is not recommended at all.
+</note>
+
+<note>
+Sending a -fno... flag will disable the flag, also -fstack-protector-all and
+-fstack-protector may interfere when passed directly.
+</note>
 
 <note>
-Gentoo patches its GCCs to allow specfiles to be passed
-through an environment variable.  Currently several sets of specfiles are
-installed on Gentoo systems that allow users on supported architectures
-to easily switch the functionality off and on of the toolchain.
-To access the specs as the end user you can use the gcc-config utility.
+Gentoo patches its GCCs to allow specfiles to be passed through an environment
+variable.  Currently several sets of specfiles are installed on Gentoo systems
+that allow users on supported architectures to easily switch the functionality
+off and on of the toolchain. To access the specs as the end user you can use the
+<c>gcc-config</c> utility.
 </note>
 
 </body>
 </section>
 
 <section id="hardenedcflagsoff">
-<title>How do I turn off PIE/SSP building?</title>
+<title>How do I turn off hardened building?</title>
 <body>
 
 <p>
 You can use <c>gcc-config</c> to accomplish this:
 </p>
-
 <pre caption="Example gcc-config output">
-# gcc-config -l
- [1] i686-pc-linux-gnu-3.4.4 *
- [2] i686-pc-linux-gnu-3.4.4-hardenednopie
- [3] i686-pc-linux-gnu-3.4.4-hardenednopiessp
- [4] i686-pc-linux-gnu-3.4.4-hardenednossp
- [5] i686-pc-linux-gnu-3.4.4-vanilla
+# gcc-config -l 
+ [1] x86_64-pc-linux-gnu-4.4.4 *
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla
  
+<comment>To turn off PIE building switch to the hardenednopie profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie
 <comment>To turn off SSP building switch to the hardenednossp profile:</comment>
-# gcc-config i686-pc-linux-gnu-3.4.4-hardenednossp
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp
+<comment>To turn off SSP and PIE building switch to the hardenednopiessp profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+<comment>To turn off all hardened building switch to the vanilla profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla
 </pre>
 
+<note>
+The previous output will vary according to the gcc version and architecture you
+use, also the commands required to disable things will vary depending on the
+output of the first command.
+</note>
+
 <p>
 Alternatively you can achieve the same by changing your CFLAGS:
 </p>
 
+<impo>
+Disabling flags manually is not recommended by the team and thus an unsupported
+option, do this at your own risk.
+</impo>
+
+
 <p>
 To turn off default SSP building when using the hardened toolchain, append
-<c>-fno-stack-protector-all -fno-stack-protector</c> to your CFLAGS.
+<c>-fno-stack-protector</c> to your CFLAGS.
 </p>
+<note>
+On gcc 3.4 releases you need to use <c>-fno-stack-protector-all
+-fno-stack-protector</c>
+</note>
 
 <p>
 If you want to turn off default PIE building then append <c>-nopie</c> to your
-<c>CFLAGS</c>.
+<c>CFLAGS</c> and your <c>LDFLAGS</c> (as LDFLAGS is used with no CFLAGS when
+using gcc to link thre object files).
 </p>
 
 <impo>
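Review bot: `(as LDFLAGS is used with no CFLAGS when using gcc to link thre object files)` has a typo (`the`), and `Manually enabling the hardening flags it is not recommended at all` has a stray `it`. The note `Sending a -fno... flag will disable the flag, also -fstack-protector-all and -fstack-protector may interfere when passed directly` is too vague to act on; say which flag combination is meant and what actually breaks. The sentence ending in `<uri link="#hardenedprofile">How to switch to Gentoo Hardened question</uri>` also lacks its closing period before `</p>`.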
@@ -273,25 +197,28 @@
 behavior which should be the intended result.
 </impo>
 
-<note>
-If you are interested in using per-package CFLAGS with Portage currently then
-you may be interested in reading about the script solar has developed to deal
-with this: <uri>http://article.gmane.org/gmane.linux.gentoo.hardened/1204</uri>
-</note>
-
-</body>
-</section>
-
-<section id="fsexec">
-<title>My kernel compilation fails with the error "error: structure has no
-member named `curr_ip'", how do I fix that?</title>
-<body>
+<p>
+If you want to turn off default now binding append <c>-z,lazy</c> to your
+<c>LDFLAGS</c>.
+</p>
 
 <p>
-In order to use PaX on hardened-sources, you must enable grsecurity as well in
-your kernel config.  This should be fixed in a future kernels.
+If you want to turn off default relro binding append <c>-z,norelro</c> to your
+<c>LDFLAGS</c>.
 </p>
 
+<note>
+Relro is default on binutils so be sure that you want to disable it before doing
+so.
+</note>
+
+<note>
+If you are interested in using per-package CFLAGS with Portage currently then
+you may be interested in reading about <uri
+link="http://article.gmane.org/gmane.linux.gentoo.hardened/1204">the script
+solar has developed to deal with this</uri>
+</note>
+
 </body>
 </section>
 
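Review bot: `-z,lazy` and `-z,norelro` are not written in the form the FAQ documents for the default LDFLAGS a few sections up (`LDFLAGS="-Wl,-z,now -Wl,-z,relro"`); handed straight to gcc the comma-joined token is not a valid `-z` keyword, so spell them `-Wl,-z,lazy` and `-Wl,-z,norelro` (or `-z lazy` / `-z norelro`) to match. Since the same hunk notes that relro is the binutils default, the `be sure that you want to disable it` note would be stronger if it said what is lost (the read-only GOT that relro provides), in line with the `at your own risk` warning already given for the other flags.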
@@ -317,30 +244,27 @@
 
 <p>
 Using the gcc optimization flag <c>-O3</c> has been known to be problematic with
-stack-smashing protector (SSP) in some situations. This optimization flag is not
-officially supported and therefore discouraged by the hardened team. Compile
-issues where a user uses <c>CFLAGS="-O3"</c> will be closed as INVALID/CANTFIX
-and or ignored.
+stack-smashing protector (SSP) and on vanilla builds in some situations. This
+optimization flag is not officially supported and is, therefore, discouraged by
+the hardened team. Compile issues where a user uses <c>CFLAGS="-O3"</c> may be
+closed as INVALID/CANTFIX and/or ignored.
 </p>
 
 </body>
 </section>
 
-<section id="cascadebootstrap">
-<title>What happened to bootstrap-cascade.sh?</title>
+<section id="hardenedprofile">
+<title>How do I switch to the hardened profile?</title>
 <body>
-
 <p>
-Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated.  In their
-place, bootstrap-cascade.sh has been renamed to bootstrap.sh.
+To change your profile use eselect to choose it.
 </p>
 
-</body>
-</section>
-
-<section id="hardenedprofile">
-<title>How do I switch to the hardened profile?</title>
-<body>
+<note>
+Reading part 1 chapter 6 "Installing the Gentoo BaseSystem" on the
+<uri link="/doc/en/handbook/">Gentoo Handbook</uri> is recommended for better
+instructions on how to change your profile.
+</note>
 
 <pre caption="Set make.profile">
 # <i>eselect profile list</i>
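Review bot: the restored `hardenedprofile` section runs `<body>` straight into `<p>` with no blank line, unlike every other section in the file, and its note misspells the handbook chapter as `"Installing the Gentoo BaseSystem"` (`Base System`). The unchanged `<pre caption="Set make.profile">` caption now sits above an `eselect profile` listing, so it should be renamed to reflect the command actually shown.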
@@ -351,8 +275,8 @@
 [5]   default/linux/amd64/10.0/developer
 [6]   default/linux/amd64/10.0/no-multilib
 [7]   default/linux/amd64/10.0/server
-[8]   hardened/linux/amd64/10.0
-[9]   hardened/linux/amd64/10.0/no-multilib
+[8]   hardened/linux/amd64
+[9]   hardened/linux/amd64/no-multilib
 [10]  selinux/2007.0/amd64
 [11]  selinux/2007.0/amd64/hardened
 [12]  selinux/v2refpolicy/amd64
@@ -363,66 +287,124 @@
 # <i>eselect profile set 8</i> <comment>(replace 8 with the desired hardened profile)</comment>
 </pre>
 
+<note>
+The previous output will vary according to the architecture you use, also the
+commands required to choose the profile will vary depending on the output of the
+first command.
+</note>
+
 <p>
-After setting up your profile, you should recompile your system using a
-hardened toolchain so that you have a consistent base:
+After setting up your profile, you should recompile your system using a hardened
+toolchain so that you have a consistent base:
 </p>
 
 <pre caption="Switch to hardened toolchain">
 # <i>emerge --oneshot binutils gcc virtual/libc</i>
-# <i>emerge -e world</i>
+# <i>emerge -e --keep-going system</i>
+# <i>emerge -e --keep-going world</i>
 </pre>
 
+<p>
+The <c>--keep-going</c> option is added to ensure emerge won't stop in case any
+package fails to build. 
+</p>
+
 </body>
 </section>
 
 <section id="hardeneddebug">
 <title>How do I debug with gdb?</title>
 <body>
+
 <p>
-First gotcha is that GDB can't resolve symbols in PIEs; it doesn't realise that
-the addresses are relative in PIEs not absolute. This shows up when you try to
-get a backtrace for example, and see a stream of lines with '??' where the
-symbol should be.
+We have written a <uri link="/proj/en/hardened/hardened-debugging.xml">document
+on how to debug with Gentoo Hardened</uri>, so following the recommendations
+there should fix your problem.
 </p>
+
+</body>
+</section>
+
+<section id="jitflag">
+<title>Why is the jit flag disabled in the hardened profile?</title>
+<body>
+
 <p>
-To get around this, do the final link stage with <c>-nopie</c> - all the
-preceding object compilations can still be with <c>-fPIE</c> as normal (i.e. the
-default with the hardened compiler) so that your executable is as close as
-possible to the real thing, but the final link must create a regular executable.
-Try adding <c>-nopie</c> to LDFLAGS if you're building with emerge.
+JIT means Just In Time Compilation and consist on taking some code meant to be
+interpreted (like Java bytecode or JavaScript code) compile it into native
+binary code in memory and then executing the compiled code. This means that the
+program need a section of memory which has write and execution permissions to
+write and then execute the code which is denied by PaX, unless the mprotect flag
+is unset for the executable. As a result, we disabled the JIT use flag by
+default to avoid complaints and security problems.
 </p>
+
 <p>
-Another way of accomplishing this, it to emerge >=sys-devel/gdb-7.1, which contains
-a special patch that makes it able to debug executeables linked with -pie.
+You should bear in mind that having a section which is written and then executed
+can be a serious security  problem as the attacker needs to be able to exploit a
+bug between the write and execute stages to write in that section in order to
+execute any code it wants to.
 </p>
+</body>
+</section>
+
+<section id="enablejit">
+<title>How do I enable the jit flag?</title>
+<body>
+
 <p>
-The second gotcha is that PaX may prevent GDB from setting breakpoints,
-depending on how the kernel is configured. This includes the breakpoint at main
-which you need to get started. To stop PaX doing this, the executable being
-debugged needs the <c>m</c> and <c>x</c> flags. The <c>x</c> flag is set by
-default, so it is enough to do:
+If you need it, we recommend enabling the flag in a per package basis using
+<c>/etc/portage/package.use</c>
 </p>
-<pre caption="Relax PaX for debug">
-# <i>/sbin/paxctl -m foo</i>
+
+<pre caption="Example /etc/portage/package.use enabling JIT in some libraries">
+x11-libs/qt-core jit
+x11-libs/qt-script jit
+x11-libs/qt-webkit jit
 </pre>
+
 <p>
-At this point, you should be good to go! Fire up gdb in the usual way.  Good
-luck!
+Anyway, you can enable the use flag globally using <c>/etc/make.conf</c>
 </p>
+
+<pre caption="Example /etc/make.conf with JIT enabled">
+CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native"
+CXXFLAGS="${CFLAGS}"
+# WARNING: Changing your CHOST is not something that should be done lightly.
+# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
+CHOST="x86_64-pc-linux-gnu"
+# These are the USE flags that were used in addition to what is provided by the
+# profile used for building.
+<comment>#If you have more uses adding jit to the end should suffice</comment>
+USE="jit"
+
+MAKEOPTS="-j2"
+
+GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"
+
+SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
+</pre>
+
+<impo>
+Remember that if you enable JIT code on PaX you may need to disable mprotect on
+the binaries using such code, either by them selves or through libraries. Check
+the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this
+</uri>
+</impo>
+
 </body>
 </section>
-		
+
 </chapter>
 
 <chapter>
 <title>PaX Questions</title>
 <section id="paxinformation">
-<title>What is the homepage for PaX?</title>
+<title>Where is the homepage for PaX?</title>
 <body>
 
 <p>
-The homepage for PaX is located at <uri>http://pax.grsecurity.net</uri>.
+That is <uri link="http://pax.grsecurity.net">the homepage for PaX</uri>.
 </p>
 
 </body>
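Review bot: the `Example /etc/make.conf with JIT enabled` listing carries a site-specific `GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"`, a `SYNC=` line and a CHOST warning that have nothing to do with the jit flag and will be copied verbatim by readers; trim it to the `USE="jit"` line and the comment above it. The `--keep-going` sentence should add that packages depending on a failed build are skipped and listed in emerge's final summary, so the reader must rebuild what that summary lists rather than assume the rebuild is complete. Grammar in the new JIT paragraphs: `consist on taking some code` should be `consists of taking some code`, `the program need a section` should be `needs`, `by them selves` should be `by themselves`, and the `<uri link="#paxjavajit">` sentence ends without a period.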
@@ -433,14 +415,45 @@
 <body>
 
 <p>
-Currently the only Gentoo documentation that exists about PaX is a PaX
-quickstart guide located at the
-<uri>http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml</uri> website.
+Currently the only Gentoo documentation that exists about PaX is a <uri
+link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml"> PaX quickstart
+guide</uri>.
 </p>
 
 </body>
 </section>
 
+<section id="paxmarkings">
+<title>How do PaX markings work?</title>
+<body>
+
+<p>
+PaX markings are a way to tell PaX which features should enable (or disable) for
+a certain binary.
+</p>
+
+<p>
+Features can either be enabled, disabled or not set. Enabling or disabling them
+will supersede the kernel action, so a binary with a feature enabled will
+always use the feature and one with a feature disabled won't ever used it.
+</p>
+
+<p>
+When the feature status is not set the kernel will choose whether to enable or
+disable it. By default, the hardened kernel will enable those features with only
+two exceptions, the feature is not supported by the architecture/kernel or PaX
+is running in Soft Mode. In those two cases, it will be disabled.
+</p>
+
+<note>
+In order to have Soft Mode, your kernel should have that feature enabled and
+you should enable it either passing <c>pax_softmode=1</c> in the kernel cmdline
+or setting to 1 the option in <c>/proc/sys/kernel/pax/softmode</c>.
+</note>
+
+</body>
+</section>
+
 <section id="paxnoelf">
 <title>I keep getting the message: "error while loading shared libraries: cannot
 make segment writable for relocation: Permission denied."  What does this
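Review bot: in the new `paxmarkings` section, `tell PaX which features should enable (or disable)` needs the passive (`should be enabled (or disabled)`), and `won't ever used it` should be `won't ever use it`. The link text in `<uri link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml"> PaX quickstart` opens with a stray space. The Soft Mode note would be clearer if it said what soft mode changes, namely that unmarked binaries then run with the features disabled by default, which is what the later `paxbootparams` section states.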
@@ -448,13 +461,29 @@
 <body>
 
 <p>
-This error occurs when you enable CONFIG_PAX_NOELFRELOCS as such:
+Text relocations are a way in which references in the executable code to
+addresses not known at link time are solved. Basically they just write the
+appropriate address at runtime marking the code segment writable in order to
+change the address then unmarking it. This can be a problem as an attacker could
+try to exploit a bug when the text relocation happens in order to be able to
+write arbitrary code in the text segment which would be executed. As this also
+means that code will be loaded on fixed addresses (not be position independent)
+this can also be exploited to pass over the randomization features provided by
+PaX.</p>
+
+<p>
+As this can be triggered for example by adding a library with text
+relocations to the ones loaded by the executable, PaX offers the option
+CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled like this:
 </p>
 
 <pre caption="Menuconfig Options">
-Non-executable page ->
-
- [*]   Disallow ELF text relocations
+-&gt; Security options
+  -&gt; PaX
+    -&gt; Enable various PaX features
+      -&gt; Non-executable pages
+        [*] Restrict mprotect()
+        [*]   Allow ELF text relocations
 </pre>
 
 <p>
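Review bot: the menuconfig listing contradicts the paragraph above it. The text says `PaX offers the option CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled like this:`, but the listing then shows `[*]   Allow ELF text relocations` ticked, which permits text relocations, the opposite of the old `[*]   Disallow ELF text relocations` line being replaced. Either the option label is wrong or the box should read `[ ]`; check the kernel config help text and fix one or the other. Also `are solved` should be `are resolved`, and the first closing `</p>` is glued to `PaX.` instead of sitting on its own line as elsewhere in the file.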
@@ -490,87 +519,87 @@
 </body>
 </section>
 
-<section id="paxjava">
-<title>Ever since I started using PaX I can't get Java working, why?</title>
+<section id="paxjavajit">
+<title>Ever since I started using PaX I can't get Java/JIT code working,
+why?</title>
 <body>
 
 <p>
 As part of its design, the Java virtual machine creates a considerable amount of
-code at runtime which does not make PaX happy.  There are two ways to correct
-this problem:
+code at runtime which does not make PaX happy. Although, with current versions
+of portage and java, portage will mark the binaries automatically, you still
+need to enable PaX marking so PaX can do an exception with them and have paxctl
+installed so the markings can be applied to the binaries (an reemerge them so
+they are applied).
 </p>
 
-<pre caption="Install Chpax">
-# <i>emerge chpax</i>
-# <i>/etc/init.d/chpax start</i>
+<p>
+This of course can't be applied to all packages linking with libraries with JIT
+code, so if it doesn't, there are two ways to correct this problem:
+</p>
+
+<pre caption="Enable the marking on your kernel">
+-&gt; Security options
+  -&gt; PaX
+    -&gt; Enable various PaX features
+      -&gt; PaX Control
+        [*] Use ELF program header marking
+</pre>
+
+<pre caption="Install paxctl">
+# <i>emerge paxctl</i>
 </pre>
 
 <p>
-Or if you already have <c>chpax</c> emerged then you can do:
+When you already have <c>paxctl</c> emerged you can do:
 </p>
 
-<pre caption="Java Chpax Options">
-# <i>chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*</i>
+<pre caption="Disable PaX for the binary">
+# <i>paxctl -pemrxs /path/to/binary</i>
 </pre>
 
 <p>
-Both of these options will slightly modify the ELF eheader in order to correctly
+This option will slightly modify the ELF header in order to correctly
 set the PAX flags on the binaries.
 </p>
 
 <note>
 If you are running PaX in conjunction with an additional security implementation
-such as RSBAC, grsecurity, or SELinux you should manage PaX using the kernel
+such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel
 hooks provided for each implementation.
 </note>
 
 <p>
-On RSBAC, you can label all Java files with the following command.
+The other way is using your security implementation to do this using the kernel
+hooks.
 </p>
 
-<pre caption="Java PaX options with RSBAC">
-# <i>for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir FILE $i pax_flags pmerxs;done</i>
-</pre>
-
 </body>
 </section>
-</chapter>
 
-<chapter>
-<title>grsecurity Questions</title>
-<section id="grsecinformation">
-<title>What is the homepage for grsecurity?</title>
+<section id="paxbootparams">
+<title>Can I disable PaX features at boot?</title>
 <body>
 
 <p>
-The homepage for grsecurity is located at <uri>http://www.grsecurity.net</uri>.
+Although this is not advised except when used to rescue the system or for
+debugging purposes, it is possible to change a few of PaX behaviours on boot via
+the kernel command line.
 </p>
 
-</body>
-</section>
-
-<section id="grsecgentoodoc">
-<title>What Gentoo documentation exists about grsecurity?</title>
-<body>
-
 <p>
-The most current documentation for grsecurity is a Grsecurity2 quickstart guide
-located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>.
+Passing <c>pax_nouderef</c> in the kernel cmdline will disable uderef which can
+cause problems on certain virtualization environments and cause some bugs (at
+times) at the expense  leaving the kernel unprotected against unwanted userspace
+dereferences.
 </p>
 
-</body>
-</section>
-
-<section id="grsec2681">
-<title>Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 kernel?</title>
-<body>
-
 <p>
-Due to significant changes in the 2.6.8 kernel that broke PaX, neither a PaX nor
-a grsecurity patch are available for kernels 2.6.8, 2.6.8.1, or 2.6.9.  Although
-an experimental patch is available for 2.6.10, the official stance of the PaX
-Team regarding 2.6 kernels should be noted and taken into consideration before
-use: <uri> http://forums.grsecurity.net./viewtopic.php?t=968</uri>.
+Passing <c>pax_softmode=1</c> in the kernel cmdline will enable the softmode
+which can be useful when booting a not prepared system with a PaX kernel. In
+soft mode PaX will disable most features by default unless told otherwise via
+the markings. In a similar way, <c>pax_softmode=0</c> will disable the softmode
+if it was enabled in the config.
 </p>
 
 </body>
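Review bot: `# <i>paxctl -pemrxs /path/to/binary</i>` under `Disable PaX for the binary` turns off every PaX feature for that executable, far more than the JIT problem described earlier requires; the `jitflag` section says only the mprotect flag needs to be unset, and the removed `# <i>/sbin/paxctl -m foo</i>` line did exactly that. Recommend `paxctl -m` here and present `-pemrxs` only for the Java case, if it is needed at all. Grammar: `(an reemerge them so they are applied)` should be `(and re-emerge them so they are applied)`, `so if it doesn't, there are two ways` leaves unclear what `it` refers to, and `at the expense  leaving the kernel unprotected` is missing `of` and has a doubled space.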
@@ -578,49 +607,43 @@
 </chapter>
 
 <chapter>
-<title>RSBAC Questions</title>
-<section id="rsbacinformation">
-<title>What is the homepage for RSBAC?</title>
+<title>Grsecurity Questions</title>
+<section id="grsecinformation">
+<title>Where is the homepage for Grsecurity?</title>
 <body>
 
 <p>
-The homepage for RSBAC is located at <uri>http://www.rsbac.org</uri>.
+That is the <uri link="http://www.grsecurity.net">homepage for Grsecurity</uri>.
 </p>
 
 </body>
 </section>
 
-<section id="rsbacgentoodoc">
-<title>What Gentoo documentation exists about RSBAC?</title>
+<section id="grsecgentoodoc">
+<title>What Gentoo documentation exists about Grsecurity?</title>
 <body>
 
 <p>
-All Gentoo RSBAC documentation is located at the RSBAC subproject page found at:
-<uri>http://www.gentoo.org/proj/en/hardened/rsbac/index.xml</uri>
-</p>
-
-<p>
-Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook,
-found at: <uri>http://www.rsbac.org/documentation/rsbac_handbook</uri>
+The most current documentation for Grsecurity is a <uri
+link="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Grsecurity2
+quickstart guide</uri>.
 </p>
 
 </body>
 </section>
 
-<section id="rsbacinitrd">
-<title>How do I use an initial ramdisk with a RSBAC enabled kernel?</title>
+<section id="grsecnew">
+<title>Can I use Grsecurity with a recent kernel not on the portage tree
+</title>
 <body>
 
 <p>
-To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option
-must be enabled or else RSBAC will treat the initrd as the root device:
+Usually we release a new version of hardened sources not long after a new
+PaX/Grsecurity patch is released, so the best option is just waiting a bit for
+the kernel team to adapt the patches and then test them. Remind that we won't
+support kernel sources not coming from the portage tree.
 </p>
 
-<pre caption="Menuconfig Options">
-General RSBAC options  --->
-    [*] Delayed init for initial ramdisk
-</pre>
-
 </body>
 </section>
 </chapter>
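Review bot: the new section title "Can I use Grsecurity with a recent kernel not on the portage tree" is missing its question mark, unlike every other title in this chapter. Wording in the same hunk: "That is the ... homepage for Grsecurity" reads oddly as an answer, and "The homepage for Grsecurity is ..." (the form of the removed line) is clearer; "Remind that we won't support" should be "Remember that we do not support". The removed RSBAC initrd section carried a concrete menuconfig setting ("Delayed init for initial ramdisk") that is not obviously preserved elsewhere; if the RSBAC chapter is being dropped, at least point readers to the RSBAC subproject page the removed text referenced.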
@@ -632,8 +655,9 @@
 <body>
 
 <p>
-A SELinux specific FAQ can be found at <uri>
-http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;chap=3</uri>.
+There is a <uri
+link="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;chap=3">
+SELinux specific FAQ</uri>.
 </p>
 
 </body>
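Review bot: the link text of the new uri element begins with a line break (the ">" closing the opening tag is followed by a newline before "SELinux specific FAQ"), which renders as a leading space inside the anchor; put the text on the same line as the closing ">". The rendered sentence "There is a SELinux specific FAQ." also reads as a bare statement; "A SELinux-specific FAQ is available in the SELinux handbook." tells the reader where the link goes.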

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2011-01-29 15:17 José María Alonso (nimiux)
  0 siblings, 0 replies; 10+ messages in thread
From: José María Alonso (nimiux) @ 2011-01-29 15:17 UTC (permalink / raw
  To: gentoo-commits

nimiux      11/01/29 15:17:51

  Modified:             hardenedfaq.xml
  Log:
  Fixed two typos. No version bump.

Revision  Changes    Path
1.26                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.26&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.26&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.25&r2=1.26

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.25
retrieving revision 1.26
diff -u -r1.25 -r1.26
--- hardenedfaq.xml	25 Jan 2011 23:07:38 -0000	1.25
+++ hardenedfaq.xml	29 Jan 2011 15:17:51 -0000	1.26
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.25 2011/01/25 23:07:38 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.26 2011/01/29 15:17:51 nimiux Exp $ -->
 
 <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -188,7 +188,7 @@
 <p>
 If you want to turn off default PIE building then append <c>-nopie</c> to your
 <c>CFLAGS</c> and your <c>LDFLAGS</c> (as LDFLAGS is used with no CFLAGS when
-using gcc to link thre object files).
+using gcc to link the object files).
 </p>
 
 <impo>
@@ -633,7 +633,7 @@
 </section>
 
 <section id="grsecnew">
-<title>Can I use Grsecurity with a recent kernel not on the portage tree
+<title>Can I use Grsecurity with a recent kernel not on the Gentoo main tree?
 </title>
 <body>
 

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2011-03-29  1:57 Magnus Granberg (zorry)
  0 siblings, 0 replies; 10+ messages in thread
From: Magnus Granberg (zorry) @ 2011-03-29  1:57 UTC (permalink / raw
  To: gentoo-commits

zorry       11/03/29 01:57:19

  Modified:             hardenedfaq.xml
  Log:
  fix a link error in hardenedfaq

Revision  Changes    Path
1.28                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.28&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.28&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.27&r2=1.28

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.27
retrieving revision 1.28
diff -u -r1.27 -r1.28
--- hardenedfaq.xml	27 Mar 2011 00:16:50 -0000	1.27
+++ hardenedfaq.xml	29 Mar 2011 01:57:19 -0000	1.28
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.27 2011/03/27 00:16:50 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.28 2011/03/29 01:57:19 zorry Exp $ -->
 
 <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -650,7 +650,7 @@
 <body>
 
 <p>
-We have written a <uri link="proj/en/hardened/grsec-tpe.xml">document with some
+We have written a <uri link="http://www.gentoo.org/proj/en/hardened/grsec-tpe.xml">document with some
 information on how TPE works in the different settings</uri>.
 </p>
 
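Review bot: the original link "proj/en/hardened/grsec-tpe.xml" was broken only because it lacked the leading slash; a root-relative "/proj/en/hardened/grsec-tpe.xml", the form this guide already uses in its own guide link attribute, would fix it without hard-coding the http://www.gentoo.org host and keeps the link working on mirrors. The new line also runs well past the wrapping width used by the rest of the file; rewrap the paragraph.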

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2012-12-31 19:06 Sven Vermeulen (swift)
  0 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen (swift) @ 2012-12-31 19:06 UTC (permalink / raw
  To: gentoo-commits

swift       12/12/31 19:06:20

  Modified:             hardenedfaq.xml
  Log:
  Explain what to do with failed built packages

Revision  Changes    Path
1.31                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.31&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.31&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.30&r2=1.31

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.30
retrieving revision 1.31
diff -u -r1.30 -r1.31
--- hardenedfaq.xml	28 Oct 2012 15:21:06 -0000	1.30
+++ hardenedfaq.xml	31 Dec 2012 19:06:19 -0000	1.31
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.30 2012/10/28 15:21:06 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.31 2012/12/31 19:06:19 swift Exp $ -->
 
 <guide lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -31,8 +31,8 @@
 the gentoo-hardened mailing list.
 </abstract>
 
-<version>3.4</version>
-<date>2011-3-27</date>
+<version>4</version>
+<date>2012-12-31</date>
 
 <faqindex>
 <title>Questions</title>
@@ -319,7 +319,9 @@
 
 <p>
 The <c>--keep-going</c> option is added to ensure emerge won't stop in case any
-package fails to build. 
+package fails to build. If that occurs however, you need to make sure that the
+remainder of the packages is built. You can check the output of emerge at the
+end to find out which packages were not rebuilt.
 </p>
 
 </body>
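Review bot: grammar in the added text: "the remainder of the packages is built" -> "the remaining packages are built", and "If that occurs however, you need" -> "If that occurs, however, you need". The advice also stops short: it says to check emerge's output for packages that were not rebuilt but not what to do about them; add the follow-up step (re-emerge the listed packages once the build failure is resolved), since the point of the rebuild is that every package gets rebuilt.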

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2013-01-12 12:44 Magnus Granberg (zorry)
  0 siblings, 0 replies; 10+ messages in thread
From: Magnus Granberg (zorry) @ 2013-01-12 12:44 UTC (permalink / raw
  To: gentoo-commits

zorry       13/01/12 12:44:45

  Modified:             hardenedfaq.xml
  Log:
  Updated the hardened faq with the orc use flag

Revision  Changes    Path
1.32                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.32&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.32&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.31&r2=1.32

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- hardenedfaq.xml	31 Dec 2012 19:06:19 -0000	1.31
+++ hardenedfaq.xml	12 Jan 2013 12:44:45 -0000	1.32
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.31 2012/12/31 19:06:19 swift Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.32 2013/01/12 12:44:45 zorry Exp $ -->
 
 <guide lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -341,7 +341,7 @@
 </section>
 
 <section id="jitflag">
-<title>Why is the jit flag disabled in the hardened profile?</title>
+<title>Why is the jit and orc flag disabled in the hardened profile?</title>
 <body>
 
 <p>
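Review bot: subject-verb agreement in the new title: "Why is the jit and orc flag disabled" -> "Why are the jit and orc flags disabled".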
@@ -351,7 +351,8 @@
 program need a section of memory which has write and execution permissions to
 write and then execute the code which is denied by PaX, unless the mprotect flag
 is unset for the executable. As a result, we disabled the JIT use flag by
-default to avoid complaints and security problems.
+default to avoid complaints and security problems. ORC use Just In Time
+Compilation (jit).
 </p>
 
 <p>
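Review bot: the added sentence "ORC use Just In Time Compilation (jit)." has a grammar error ("ORC uses") and is placed after the conclusion about disabling the JIT flag, so the reader meets ORC only after the reasoning has ended. Move it to the start of the paragraph, for example "ORC also uses Just-In-Time compilation, so the same applies to the orc flag", and then state the conclusion once for both flags.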
@@ -364,7 +365,7 @@
 </section>
 
 <section id="enablejit">
-<title>How do I enable the jit flag?</title>
+<title>How do I enable the jit or orc flag?</title>
 <body>
 
 <p>
@@ -401,7 +402,7 @@
 </pre>
 
 <impo>
-Remember that if you enable JIT code on PaX you may need to disable mprotect on
+Remember that if you enable JIT or ORC code on PaX you may need to disable mprotect on
 the binaries using such code, either by them selves or through libraries. Check
 the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this
 </uri>
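Review bot: the rewritten line is longer than the wrapping width used elsewhere in this file; rewrap the paragraph. While touching it, fix the pre-existing "by them selves" -> "by themselves" in the following context line and move the stray closing uri tag onto the end of the link text so the anchor does not end with a newline.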

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2013-01-21 15:49 Francisco Blas Izquierdo Riera (klondike)
  0 siblings, 0 replies; 10+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2013-01-21 15:49 UTC (permalink / raw
  To: gentoo-commits

klondike    13/01/21 15:49:19

  Modified:             hardenedfaq.xml
  Log:
  Fix bug 384277

Revision  Changes    Path
1.33                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.33&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.33&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.32&r2=1.33

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- hardenedfaq.xml	12 Jan 2013 12:44:45 -0000	1.32
+++ hardenedfaq.xml	21 Jan 2013 15:49:19 -0000	1.33
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.32 2013/01/12 12:44:45 zorry Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.33 2013/01/21 15:49:19 klondike Exp $ -->
 
 <guide lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -121,7 +121,7 @@
 
 <note>
 Sending a -fno... flag will disable the flag, also -fstack-protector-all and
--fstack-protector may interfere when passed directly.
+-fstack-protector will interfere when passed directly breaking stuff like glibc.
 </note>
 
 <note>
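Review bot: the strengthened note needs a comma and a less colloquial object: "-fstack-protector will interfere when passed directly, breaking packages such as glibc." Changing "may interfere" to "will interfere" is a stronger claim; it matches the new section added later in this commit, so keep the two statements consistent with each other.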
@@ -135,6 +135,17 @@
 </body>
 </section>
 
+<section id="hardenedcflags">
+<title>Can I add -fstack-protector-all or -fstack-protector in the CFLAGS at 
+make.conf?</title>
+<body>
+<p>
+No, they will likely break the building of many packages, ampongst others glibc.
+It's better that you leave the profiles do its job.
+</p>
+</body>
+</section>
+
 <section id="hardenedcflagsoff">
 <title>How do I turn off hardened building?</title>
 <body>
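Review bot: typo "ampongst" -> "amongst", grammar "leave the profiles do its job" -> "let the profile do its job", and the title line has a trailing space after "at". The section id "hardenedcflags" is easily confused with the adjacent "hardenedcflagsoff", which answers the opposite question; a more specific id would help. The answer also never says why: the hardened profile already arranges stack protection through its toolchain, so the reader is not giving up protection by leaving the flag out of CFLAGS; one sentence to that effect would stop readers from assuming the opposite.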

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2013-01-21 15:50 Francisco Blas Izquierdo Riera (klondike)
  0 siblings, 0 replies; 10+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2013-01-21 15:50 UTC (permalink / raw
  To: gentoo-commits

klondike    13/01/21 15:50:54

  Modified:             hardenedfaq.xml
  Log:
  Fix section title

Revision  Changes    Path
1.34                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.34&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.34&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.33&r2=1.34

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- hardenedfaq.xml	21 Jan 2013 15:49:19 -0000	1.33
+++ hardenedfaq.xml	21 Jan 2013 15:50:54 -0000	1.34
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.33 2013/01/21 15:49:19 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.34 2013/01/21 15:50:54 klondike Exp $ -->
 
 <guide lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -135,7 +135,7 @@
 </body>
 </section>
 
-<section id="hardenedcflags">
+<section id="hardenedfstack">
 <title>Can I add -fstack-protector-all or -fstack-protector in the CFLAGS at 
 make.conf?</title>
 <body>
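Review bot: the commit log says "Fix section title", but the hunk changes the section id from hardenedcflags to hardenedfstack; the title itself is unchanged. Any faqindex entry or "#hardenedcflags" link elsewhere in the file needs the same rename, and the title's trailing space after "at" is still present.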

* [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
@ 2013-01-21 15:53 Francisco Blas Izquierdo Riera (klondike)
  0 siblings, 0 replies; 10+ messages in thread
From: Francisco Blas Izquierdo Riera (klondike) @ 2013-01-21 15:53 UTC (permalink / raw
  To: gentoo-commits

klondike    13/01/21 15:53:28

  Modified:             hardenedfaq.xml
  Log:
  Stupid me had forgotten to update version, somebody please kill me.

Revision  Changes    Path
1.35                 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.35&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.35&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.34&r2=1.35

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- hardenedfaq.xml	21 Jan 2013 15:50:54 -0000	1.34
+++ hardenedfaq.xml	21 Jan 2013 15:53:28 -0000	1.35
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
-<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.34 2013/01/21 15:50:54 klondike Exp $ -->
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.35 2013/01/21 15:53:28 klondike Exp $ -->
 
 <guide lang="en">
 <title>Gentoo Hardened Frequently Asked Questions</title>
@@ -31,8 +31,8 @@
 the gentoo-hardened mailing list.
 </abstract>
 
-<version>4</version>
-<date>2012-12-31</date>
+<version>5</version>
+<date>2014-1-21</date>
 
 <faqindex>
 <title>Questions</title>
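Review bot: the new date value "2014-1-21" is a year ahead of the commit date (2013-01-21) and drops the zero-padded month that the previous value "2012-12-31" used; it should be "2013-01-21". The version bump itself is fine.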