* [gentoo-hardened] Stupid Hardened Questions
From: Mikey @ 2006-03-17 5:02 UTC
To: gentoo-hardened
I have decided to take the hardened profile for a spin on a couple of my
edge servers. I grabbed stage1-x86-hardened-2.6-2006.0.tar.bz2, verified
the profile was set to profiles/hardened/x86/2.6/, did my bootstrap and
emerge -e system. Everything looks to have gone ok.
What I am curious about is the fact that I didn't really notice any special
CFLAGS being used while everything was compiling. Various documents tell
me it is transparent, that the settings are read from the gcc spec file.
Should I not be seeing cflags specific to hardened settings while
everything is compiling?
gcc-config -l shows:
[1] i686-pc-linux-gnu-3.4.5 *
[2] i686-pc-linux-gnu-3.4.5-hardenednopie
[3] i686-pc-linux-gnu-3.4.5-hardenednopiessp
[4] i686-pc-linux-gnu-3.4.5-hardenednossp
[5] i686-pc-linux-gnu-3.4.5-vanilla
When I look in /etc/env.d/05gcc, nothing is set for GCC_SPECS:
PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCC_SPECS=""
/etc/env.d/gcc/config points to i686-pc-linux-gnu-3.4.5, which contains:
PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"
When I look at some of the other config files such as
i686-pc-linux-gnu-3.4.5-hardenednopie, it defines a GCC_SPECS file:
PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"
GCC_SPECS="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5/hardenednopie.specs"
So I guess my question is - how do I know everything is actually being
compiled with the hardened specific flags? A diff
on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs shows no
differences, is it safe to assume the default specs file is being used even
though it is not being set anywhere in the environment?
* Re: [gentoo-hardened] Stupid Hardened Questions
From: Kevin F. Quinn (Gentoo) @ 2006-03-17 7:34 UTC
To: gentoo-hardened
On Thu, 16 Mar 2006 23:02:19 -0600
Mikey <mikey@badpenguins.com> wrote:
> What I am curious about is the fact that I didn't really notice any
> special CFLAGS being used while everything was compiling. Various
> documents tell me it is transparent, that the settings are read from
> the gcc spec file. Should I not be seeing cflags specific to hardened
> settings while everything is compiling?
No, you won't see anything in the compilation logs. The flags are
switched on automatically by the hardened gcc specs.
> So I guess my question is - how do I know everything is actually
> being compiled with the hardened specific flags? A diff
> on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs
> shows no differences, is it safe to assume the default specs file is
> being used even though it is not being set anywhere in the
> environment?
The hardened gcc specs do four things:
1) compiles with -fPIE, links with -fPIE -pie, to create position
independent executables. 'readelf -h <executable>' will show the type
as "DYN" instead of "EXEC". 'scanelf -pRE ET_EXEC' will find any
non-PIEs on your path. There will be some.
2) compiles with -fstack-protector-all (except in some situations where
we know it causes trouble). Not so easy to check, but 'readelf -s
<executable/library> | grep stack_smash_handler' should show references
(will be stack_chk_fail if/when we move to gcc-4.1), 'scanelf -qplRS
__stack_smash_handler' will list all the executables/libraries that use
SSP (I don't know of a quick way to find anything that _doesn't_
reference a given symbol). Again, there will be some stuff that
doesn't use SSP.
3) links with -z relro and -z now. 'readelf -l <file>' will
show a GNU_RELRO program header and 'readelf -d <file>' will show a tag
type "FLAGS" with value "BIND_NOW". 'scanelf -plRb' will show you
whether each exec/library/object is BIND_NOW or BIND_LAZY. Everything
should be RELRO, as it never causes problems; the only thing that
doesn't like BIND_NOW is X (in particular the graphics drivers).
If an ebuild switches any of this off (not everything is compatible
with the things the hardened compiler does), you'll see it in the
compilation logs; look for -fno-pie, -fno-PIE, -nopie,
-fno-stack-protector, -nonow, -norelro. Of particular note; only "X"
uses -nonow as far as I know, and nothing uses "-norelro".
If you do 'gcc -v' it'll show you what specs files are being used
(specs files are accumulative; later files modify/replace entries in
earlier ones). Also:
echo | gcc -dM -E - | grep -E 'SSP|PIC'
will show:
#define __SSP__ 1
#define __SSP_ALL__ 2
#define __PIC__ 1
if the compiler is hardened.
--
Kevin F. Quinn
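The readelf checks listed above (ET_DYN rather than ET_EXEC, a GNU_RELRO program header, BIND_NOW in the dynamic FLAGS, and a reference to the SSP handler symbol) can be reproduced by reading the ELF structures directly instead of grepping tool output. The following is an added example, not from the thread and not Gentoo's or pax-utils' code: a small parser for little-endian ELF64 files, plus a constructed minimal ELF image (headers and a .dynamic section only, not a real binary) used as sample input. It looks for both handler names, since the thread notes that gcc-3.4 references __stack_smash_handler while gcc-4.1 uses __stack_chk_fail; the constants are the standard ELF ABI values.

```python
"""Hardening checks for a little-endian ELF64 file: PIE, RELRO, BIND_NOW and
an SSP handler reference.  Added example; the sample image is constructed."""
import struct
import sys

# ELF constants (values from the ELF ABI / elf.h)
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_RELRO = 1, 2, 0x6474E552
DT_NULL, DT_STRTAB, DT_STRSZ, DT_FLAGS, DT_FLAGS_1 = 0, 5, 10, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
# gcc-3.x hardened referenced __stack_smash_handler; gcc-4.1+ uses __stack_chk_fail
SSP_SYMBOLS = (b"__stack_chk_fail", b"__stack_smash_handler")
PHDR_FMT = "<IIQQQQQQ"  # Elf64_Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align


def check_hardening(data: bytes) -> dict:
    """Return {'pie', 'relro', 'bind_now', 'ssp', 'dynamic'} for an ELF64 LE image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("expected a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    loads, dynamic, relro = [], None, False
    for i in range(e_phnum):
        p_type, _, p_off, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
            PHDR_FMT, data, e_phoff + i * e_phentsize)
        if p_type == PT_LOAD:
            loads.append((p_vaddr, p_off, p_filesz))
        elif p_type == PT_DYNAMIC:
            dynamic = (p_off, p_filesz)
        elif p_type == PT_GNU_RELRO:       # what 'readelf -l' prints as GNU_RELRO
            relro = True

    def vaddr_to_offset(va):
        # DT_STRTAB holds a virtual address; map it through the PT_LOAD segments
        for seg_vaddr, seg_off, seg_filesz in loads:
            if seg_vaddr <= va < seg_vaddr + seg_filesz:
                return seg_off + (va - seg_vaddr)
        raise ValueError("address %#x not inside any PT_LOAD segment" % va)

    tags = {}
    if dynamic:                            # walk .dynamic up to DT_NULL
        off, size = dynamic
        for pos in range(off, off + size, 16):
            tag, val = struct.unpack_from("<qQ", data, pos)
            if tag == DT_NULL:
                break
            tags[tag] = val
    # 'readelf -d' reports these as (FLAGS) BIND_NOW and (FLAGS_1) NOW
    bind_now = bool(tags.get(DT_FLAGS, 0) & DF_BIND_NOW or tags.get(DT_FLAGS_1, 0) & DF_1_NOW)

    ssp = False
    if DT_STRTAB in tags and DT_STRSZ in tags:
        start = vaddr_to_offset(tags[DT_STRTAB])
        # .dynstr holds every dynamically referenced name (symbols, NEEDED libs,
        # version strings); a handler name present here means it is referenced.
        names = data[start:start + tags[DT_STRSZ]].split(b"\0")
        ssp = any(sym in names for sym in SSP_SYMBOLS)

    return {"pie": e_type == ET_DYN, "relro": relro, "bind_now": bind_now,
            "ssp": ssp, "dynamic": dynamic is not None}


def build_sample_elf(pie=True, relro=True, bind_now=True, ssp=True) -> bytes:
    """Constructed minimal ELF64 image: headers plus a .dynamic section, no code."""
    strtab = b"\0libc.so.6\0" + (b"__stack_chk_fail\0" if ssp else b"")
    strtab_off, dyn_off, size = 0x100, 0x200, 0x300
    dyn = [(DT_STRTAB, strtab_off), (DT_STRSZ, len(strtab))]
    if bind_now:
        dyn += [(DT_FLAGS, DF_BIND_NOW), (DT_FLAGS_1, DF_1_NOW)]
    dyn.append((DT_NULL, 0))
    dynamic = b"".join(struct.pack("<qQ", t, v) for t, v in dyn)
    # one PT_LOAD mapping the whole file at vaddr 0, so vaddr == file offset
    phdrs = [(PT_LOAD, 5, 0, 0, 0, size, size, 0x1000),
             (PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 8)]
    if relro:
        phdrs.append((PT_GNU_RELRO, 4, dyn_off, dyn_off, dyn_off, len(dynamic), len(dynamic), 1))
    phdr_bytes = b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, ELFDATA2LSB
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else ET_EXEC, 62, 1,
                               0x1000, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    img = bytearray(size)
    img[:64] = ehdr
    img[64:64 + len(phdr_bytes)] = phdr_bytes
    img[strtab_off:strtab_off + len(strtab)] = strtab
    img[dyn_off:dyn_off + len(dynamic)] = dynamic
    return bytes(img)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_elf()
    for key, value in check_hardening(data).items():
        print("%-9s %s" % (key, "yes" if value else "no"))
```

Run it as `python3 hardening_check.py /path/to/binary` to inspect a real file, or with no argument to check the constructed sample. Two caveats match the points made in the reply: ET_DYN is shared by PIEs and shared libraries, so the useful filter on a directory tree is still the one for ET_EXEC, and a statically linked binary has no PT_DYNAMIC at all, so bind_now and ssp come back false for it and an SSP check there would have to read the regular symbol table instead.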
* Re: [gentoo-hardened] Stupid Hardened Questions
From: Mike Frysinger @ 2006-03-18 5:16 UTC
To: gentoo-hardened; +Cc: Mikey
On Friday 17 March 2006 00:02, Mikey wrote:
> When I look in /etc/env.d/05gcc, nothing is set for GCC_SPECS:
that's because hardened profiles have the default specs swapped from the
default specs in a non-hardened profile ...
    hardened profile specs:      default   vanilla
    non-hardened profile specs:  hardened  default
basically, while building gcc, we do something like:
    if use hardened ; then
        cp hardened.specs specs
    else
        cp vanilla.specs specs
    fi
where "specs" represents the default compiler settings
so the `gcc-config -l` output on a hardened system lists "vanilla" as an
option while on a non-hardened system you get the option "hardened"
> So I guess my question is - how do I know everything is actually being
> compiled with the hardened specific flags? A diff
> on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs shows no
> differences, is it safe to assume the default specs file is being used even
> though it is not being set anywhere in the environment?
see above as to why your diff showed no differences
-mike
--
gentoo-hardened@gentoo.org mailing list