From: "Anthony G. Basile" <blueness@gentoo.org>
To: gentoo-dev@lists.gentoo.org
Subject: Re: [gentoo-dev] [PATCH] To enable ssp default in Gcc the toolchain.eclass need some changes.
Date: Thu, 09 Jan 2014 18:09:34 -0500
Message-ID: <52CF2C2E.20402@gentoo.org>
In-Reply-To: <52CF22C6.6030907@gentoo.org>
On 01/09/2014 05:29 PM, Rick "Zero_Chaos" Farina wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 01/09/2014 05:21 PM, Michał Górny wrote:
>> On 2014-01-09, at 17:06:52,
>> "Anthony G. Basile" <blueness@gentoo.org> wrote:
>>
>>> On 01/09/2014 04:57 PM, Pacho Ramos wrote:
>>>> What are the advantages of disabling SSP to deserve that "special"
>>>> handling via USE flag or easily disabling it appending the flag?
>>> There are some cases where ssp could break things. I know of one case
>>> right now, but it's somewhat exotic. Also, sometimes we *want* to break
>>> things for testing. I'm thinking here of instances where we want to test
>>> a pax hardened kernel to see if it catches abuses of memory which would
>>> otherwise be caught by executables emitted from a hardened toolchain.
>>> Take a look at the app-admin/paxtest suite.
>> Just to be clear, are we talking about potential system-wide breakage
>> or single, specific packages being broken by SSP? In other words, are
>> there cases when people will really want to disable SSP completely?
>>
>> Unless I'm misunderstanding something, your examples sound like you
>> just want -fno-stack-protector per-package. I don't really think you
>> actually want to rebuild whole gcc just to do some testing on a single
>> package...
>>
> Or just as easily set -fno-stack-protector in CFLAGS in make.conf.
>
I just reread this and we'd better be clear here. With ssp on by
default in gcc, if you put CFLAGS="... -fno-stack-protector" in
make.conf you will build your *entire* system with no ssp. You probably
don't want this. You'll probably only want ssp off on a per package
basis, in which case, add a line to package.env and set the CFLAGS for
only that package.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA
GnuPG ID : F52D4BBA
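
The difference between a global make.conf setting and a per-package package.env entry can be checked mechanically. The script below is an added example, not part of the original message; it assumes a Portage config root holding make.conf, a single-file package.env and an env/ directory, and the function names and the env file name no-ssp.conf are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread: report where -fno-stack-protector is set.
# Assumed layout: $root/make.conf, $root/package.env (one file), $root/env/<file>.
# Function names and the env file name no-ssp.conf are hypothetical.

# Print "global" if make.conf disables SSP for every package, else "ok".
ssp_global_state() {
    if grep -Eq '^[[:space:]]*(COMMON_|C|CXX)FLAGS=.*-fno-stack-protector' \
        "$1/make.conf" 2>/dev/null; then
        echo global
    else
        echo ok
    fi
}

# Print each package atom whose package.env entry names an env file
# containing -fno-stack-protector, one atom per line.
ssp_disabled_packages() {
    [ -f "$1/package.env" ] || return 0
    # Drop comments and blank lines; field 1 is the atom, the rest env files.
    grep -Ev '^[[:space:]]*(#|$)' "$1/package.env" |
    while read -r atom files; do
        for f in $files; do
            if grep -q -- '-fno-stack-protector' "$1/env/$f" 2>/dev/null; then
                echo "$atom"
                break
            fi
        done
    done
}

# Build a constructed sample config root and print its path.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/env"
    printf 'CFLAGS="-O2 -pipe"\n' > "$d/make.conf"
    printf 'CFLAGS="${CFLAGS} -fno-stack-protector"\n' > "$d/env/no-ssp.conf"
    printf '# per-package overrides\napp-admin/paxtest no-ssp.conf\n' > "$d/package.env"
    echo "$d"
}

# Stand-alone use: pass a config root, e.g. /etc/portage.
if [ -n "${1:-}" ]; then
    echo "make.conf: $(ssp_global_state "$1")"
    ssp_disabled_packages "$1"
fi
```

A result of "global" means every package built from that configuration loses the stack protector; the per-package list shows the intended, scoped exceptions.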