From: Mike Frysinger
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] Re: Can we get PIE on all SUID binaries by default, por favor?
Date: Tue, 24 Jan 2012 00:56:08 -0500
Message-Id: <201201240056.08945.vapier@gentoo.org>

On Monday 23 January 2012 15:12:47 Francesco Riosa wrote:
> 2012/1/23 Mike Gilbert:
> > On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld wrote:
> >> To check for PIE,
> >>
> >> readelf -h /bin/su | grep Type
> >>
> >> If it says EXEC, no PIE. If it says DYN, yes PIE.
> >
> > I'm asking "how does one enable PIE/ASLR", not how to check if it is
> > enabled already.
>
> - PIE should be -fPIC also for the executable, not only for the .so
> (has a performance impact)

not entirely sure what you're saying here.  i'll clarify in general:
 - build all code going into shared libraries with -fPIC (regardless of
   hardening, this is Gentoo policy today)
 - build code going into executables with -fPIE (this is what hardened does,
   not default Gentoo systems)

you could build all code (including executables) with -fPIC, but that has
useless overhead compared to -fPIE.  it's small but not insignificant.

> - ASLR you need "hardened" use for gcc, and the toolchain, pax kernel help
> too

the hardened toolchain "helps", but it is not required.  ASLR is in the
mainline Linux kernel and iirc, enabled by default.  it is already operating
on all shared libraries because those are PIC.
-mike
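
The readelf check quoted in this thread, turned into a sweep over set-uid files (an added example, not part of the original message; elf_type, non_pie_suid and sample_header are hypothetical names, and the sample headers are constructed). It reads the same e_type field that readelf prints as "Type:"; shared libraries also report DYN, so DYN means PIE only for executables.

```python
import os
import stat
import struct

ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

def elf_type(header: bytes) -> str:
    """Return the e_type name that `readelf -h` prints as "Type:"."""
    if len(header) < 18 or header[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    # e_ident[EI_DATA] (byte 5): 1 = little-endian, 2 = big-endian
    if header[5] not in (1, 2):
        raise ValueError("bad EI_DATA")
    fmt = "<H" if header[5] == 1 else ">H"
    # e_type is the 16-bit field right after the 16-byte e_ident,
    # at the same offset for ELF32 and ELF64.
    (e_type,) = struct.unpack_from(fmt, header, 16)
    return ET_NAMES.get(e_type, hex(e_type))

def non_pie_suid(root: str) -> list:
    """Paths under root that are set-uid regular ELF files with Type EXEC."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
                    continue
                with open(path, "rb") as fh:
                    if elf_type(fh.read(18)) == "EXEC":
                        hits.append(path)
            except (OSError, ValueError):
                continue  # unreadable, or a set-uid script rather than ELF
    return sorted(hits)

def sample_header(e_type: int, big_endian: bool = False) -> bytes:
    """Constructed 18-byte ELF64 header prefix, for demonstration only."""
    ident = b"\x7fELF" + bytes([2, 2 if big_endian else 1, 1]) + bytes(9)
    return ident + struct.pack(">H" if big_endian else "<H", e_type)

if __name__ == "__main__":
    print(elf_type(sample_header(2)), elf_type(sample_header(3)))
    for path in non_pie_suid("/bin"):
        print("no PIE:", path)
```

Anything the sweep lists is a candidate for rebuilding with -fPIE as described in the message above.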