From: walt
To: gentoo-user@lists.gentoo.org
Subject: [gentoo-user] Re: Anyone running a hardened profile?
Date: Mon, 7 Sep 2015 18:15:06 -0700
Message-ID: <20150907181506.6565ff2a@a6>

On Mon, 7 Sep 2015 14:27:38 -0400 Michael Orlitzky wrote:
> On 09/07/2015 01:10 PM, wabenbau@gmail.com wrote:
> > Michael Orlitzky wrote:
> >
> > I don't think so (but maybe I'm wrong). You have to compile your
> > entire system with a hardened toolchain to get full hardened
> > support (SSP and maybe some other things). I think, to go back to a
> > "normal state", you have to recompile everything again with a
> > non-hardened toolchain.
>
> GCC 4.8 already defaults to -fstack-protector, but you do need to
> recompile to get -fstack-protector-all and you're right that you would
> need to recompile again to make it go away. The full SSP is considered
> safe though, and only slows things down a bit.

Full SSP is something I want and I'll gladly suffer the speed penalty to
get it. Can I just add -fstack-protector-all to my CFLAGS in make.conf?
Or is it more complicated than that?

Hmm. Quoting from the gcc man page:

    -fstack-protector-strong
        Like -fstack-protector but includes additional functions to be
        protected --- those that have local array definitions, or have
        references to local frame addresses.

    NOTE: In Gentoo GCC 4.9.0 and later versions this option is enabled
    by default for C, C++, ObjC, ObjC++, if neither -fno-stack-protector,
    -nostdlib, -ffreestanding, -fstack-protector, -fstack-protector-strong
    or -fstack-protector-all are found.   <===== are found *where*?

English is my native tongue and I confess I can't make any sense of that
advice. The words 'enabled' and 'are found' don't tell me what I need to
*do* to wind up with full/strong SSP in my compiled code. Does gcc add
the appropriate SSP flags without my intervention when building my
sources, or do I need to invoke those flags myself, e.g. by adding them
to CFLAGS as I asked above?

Communicating is hard to do: https://en.wikipedia.org/wiki/Breaking_Up_Is_Hard_to_Do
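As an added example that is not part of walt's message or of the thread, the POSIX shell script below sidesteps the man-page wording by checking empirically: it asks the installed gcc what its effective stack-protector defaults are, then compiles two constructed probe functions (one with a local array, one with no array and no address-taken locals) under a given set of flags and inspects the resulting objects for a reference to the canary-failure handler. It assumes gcc and binutils' nm are on PATH; the probe sources and the function names (toolchain_ssp_default, build_probe, ssp_references, ssp_level) are constructed for this example.

```shell
# Added example, not from the original thread. Assumes gcc and nm on PATH.
# Probe C sources below are constructed for the demonstration.

PROBE_DIR=$(mktemp -d)
trap 'rm -rf "$PROBE_DIR"' EXIT

# Report what the installed gcc says its effective stack-protector
# defaults are (a spec-injected default shows up here as "[enabled]").
toolchain_ssp_default() {
    gcc -Q --help=common 2>/dev/null | grep -- '-fstack-protector' || true
}

# build_probe KIND [CFLAGS...]: compile a small C probe to an object file
# and print its path. KIND selects the function shape:
#   array - has a local char array (instrumented by -fstack-protector,
#           -fstack-protector-strong and -fstack-protector-all)
#   plain - no array, no address-taken local (only -fstack-protector-all
#           instruments it)
build_probe() {
    kind=$1; shift
    src="$PROBE_DIR/probe-$kind.c"
    obj="$PROBE_DIR/probe-$kind.o"
    if [ "$kind" = array ]; then
        cat > "$src" <<'EOF'
int fill(const char *s) {
    char buf[64];                 /* local array: candidate for a canary */
    int i;
    for (i = 0; i < 63 && s[i]; i++) buf[i] = s[i];
    buf[i] = '\0';
    return buf[0];
}
EOF
    else
        cat > "$src" <<'EOF'
int plain(int x) { return x + 1; }   /* nothing -strong would protect */
EOF
    fi
    gcc -c "$@" -o "$obj" "$src" && printf '%s\n' "$obj"
}

# ssp_references OBJ: succeed if the object calls the canary-failure
# handler (__stack_chk_fail or __stack_chk_fail_local), i.e. at least one
# function in it was compiled with a stack protector.
ssp_references() {
    nm -u "$1" 2>/dev/null | grep -q '__stack_chk_fail'
}

# ssp_level [CFLAGS...]: classify what the given flags (plus the
# toolchain's own defaults) actually produce. Prints one of:
#   all     - even the array-free function got a canary (-fstack-protector-all)
#   partial - only the function with a local array did (basic or -strong)
#   none    - neither did
ssp_level() {
    if ssp_references "$(build_probe plain "$@")"; then
        echo all
    elif ssp_references "$(build_probe array "$@")"; then
        echo partial
    else
        echo none
    fi
}

# Stand-alone run: show the toolchain default, then the effect of each flag.
if [ "${1:-}" = --demo ]; then
    toolchain_ssp_default
    for f in -fno-stack-protector -fstack-protector-strong -fstack-protector-all; do
        printf '%-26s %s\n' "$f" "$(ssp_level "$f")"
    done
    printf '%-26s %s\n' '(toolchain default)' "$(ssp_level)"
fi
```

Run it with `--demo`. The last line reports what gcc does when no stack-protector flag is given at all, which is the case the man page's "are found" refers to; the lines above it show what the same compiler does once a flag is passed explicitly, as it would be from CFLAGS. Because the check inspects the compiled object rather than the flags, it gives the same answer whether the protection came from a spec default or from make.conf.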