casualx (n00b)
Joined: 06 Feb 2012 Posts: 47 Location: rohrbach,switzerland
Posted: Wed Mar 21, 2012 7:47 pm Post subject: building the system with gcc-fstack-protector |
Hi there,

I'm not sure whether I need to recompile my system or not. I want to use the gcc -fstack-protector support and I have enabled it in both of my kernels. I use both hardened and gentoo sources.
As I read the make menuconfig description, I thought that when enabled this would be done automatically.

Code:
    CONFIG_CC_STACKPROTECTOR:

    This option turns on the -fstack-protector GCC feature. This
    feature puts, at the beginning of functions, a canary value on
    the stack just before the return address, and validates
    the value just before actually returning. Stack based buffer
    overflows (that need to overwrite this return address) now also
    overwrite the canary, which gets detected and the attack is then
    neutralized via a kernel panic.

    This feature requires gcc version 4.2 or above, or a distribution
    gcc with the feature backported. Older versions are automatically
    detected and for those versions, this configuration option is
    ignored. (and a warning is printed during bootup)

    Symbol: CC_STACKPROTECTOR [=y]

gcc-config -l output is:

Code:
    [1] x86_64-pc-linux-gnu-4.5.3 *

I have seen that this should be the right profile, following the gentoo hardened FAQ:
http://www.gentoo.org/proj/en/hardened/hardenedfaq.xml#hardenedcflags
So it should be activated and not depend on the eselect profile?
I'm asking because I'm using the system as a desktop and therefore I've enabled the eselect profile

Code:
    [4] default/linux/amd64/10.0/desktop/gnome

but I want it with the fstack-protector feature enabled. Is this working?
Is it true that to enable the fstack protector you just need to enable it in the kernel and use a gcc version which has the implementation and is above 4.2?
Veldrin (Veteran)
Joined: 27 Jul 2004 Posts: 1931 Location: Zurich, Switzerland
Posted: Wed Mar 21, 2012 8:54 pm Post subject: |
ProPolice (predecessor of SSP, stack-smash-protector) got merged into gcc somewhere around 4.2.
So basically any gcc version newer than 4.2 is able to understand and build binaries according to the -fstack-protector flag.
Before that, you could also use SSP, but you would have had to patch gcc to enable it.
Whether you use a hardened profile or not does not really matter. The hardened profile just automatically sets -fstack-protector (or -fstack-protector-all) amongst other flags, and therefore causes less work for the end-user.
So you have to decide if you want to stick with your current profile and explicitly enable -fstack-protector, or if you want to go with the hardened profile, which does that automatically for you. If you choose the latter, review all USE flags, as IIRC the hardened profile has fewer flags enabled.
Be careful about the gcc profile shown by eselect. If you are running on a standard (i.e. non-hardened) profile, the default will not enable any funny stuff, whereas when you are using a hardened profile, the default profile will enable -fstack-protector as well as -fpie and -fpic. The vanilla profile turns them off (at least -fpic and -fpie).
I hope that helps answering your question.
V.
_________________
read the portage output!
If my answer is too short, just ask for an explanation.
Hu (Watchman)
Joined: 06 Mar 2007 Posts: 7627
Posted: Wed Mar 21, 2012 10:36 pm Post subject: Re: building the system with gcc-fstack-protector |
casualx wrote:
> is this true to enable the fstack protector you just need to enable it on the kernel and use a gcc version which has the implementation and is above 4.2?

No. Veldrin explained the details of how to enable it for user programs, but I want to clarify on your question. For the kernel, you must set CC_STACKPROTECTOR=y and use >=sys-devel/gcc-4.2. For user programs, follow the instructions from Veldrin. It is possible to run a kernel with SSP and user programs without SSP, or to run a kernel without SSP and user programs with SSP. For best protection, you should have SSP in the kernel to protect the kernel functions and SSP in user programs to protect user programs. Setting CC_STACKPROTECTOR=y in your kernel does not enable SSP for user programs. Setting a hardened compiler for user programs does not automatically enable SSP in the kernel.
casualx (n00b)
Joined: 06 Feb 2012 Posts: 47 Location: rohrbach,switzerland
Posted: Thu Mar 22, 2012 12:26 am Post subject: |
Thanks a lot guys, this really helps me.

Veldrin wrote:
> be careful about the gcc profile shown by eselect. if you are running on a standard (i.e non-hardened) profile, the default will not enable any funny stuff, as when you are using a hardened profile, the default profile will enable -fstack-protector as well as -fpie and -fpic. the vanilla profile turn them off (at least -fpic and -fpie)

What do you mean with funny things?
So this means that I have already built my system with the SSP protection? I'm just asking because I'm not 100% sure what you mean... my English is still poor... LOL
I just want to be 100% sure what to do, because if I choose to recompile the system with the hardened profile on my machine, this will take 36 hours or more,
so I'm gonna take a long long nap.
So I'm gonna follow the FAQ for the applications if I need to... what's the best way for the kernel?
Unmerge the actual gcc and replace it, or use multiple versions as described here?
http://forums.gentoo.org/viewtopic-t-859408-start-0.html
How about nvidia-drivers???
I know they're not working with the hardened kernel, but not about fstack protection.

Last edited by casualx on Thu Mar 22, 2012 2:53 am; edited 1 time in total
Hu (Watchman)
Joined: 06 Mar 2007 Posts: 7627
Posted: Thu Mar 22, 2012 2:43 am Post subject: |
casualx wrote:
> so im gonna follow the faq for the applications...hows the best way for the kernel?
> unmerge actuall gcc and replace with 4.2 and then recompile the kernel?does somebody know a guide for this?

No. Both Veldrin and I stated that you need >=sys-devel/gcc-4.2. Any gcc that is at least 4.2 should be usable. Gentoo has had sufficiently new versions of gcc available for quite a while, so if your system is otherwise current, then you can use your system default compiler.

casualx wrote:
> how about nvidia-drivers???
> I know theyre not working with hardened kernel but not about fstack protection.

Do you need the binary drivers at all? It seems a bit counterproductive to load a very large closed blob with a history of weird bugs into a system that you are actively, if only slightly, trying to secure. Assuming you want to use them anyway, they should work fine. Stack protection is implemented on a per-function basis, so the nVidia drivers will not be protected from stack overruns, but using -fstack-protector elsewhere should not cause the nVidia drivers to misbehave.
casualx (n00b)
Joined: 06 Feb 2012 Posts: 47 Location: rohrbach,switzerland
Posted: Thu Mar 22, 2012 2:55 am Post subject: |
Thanks Hu.
At the same time as you wrote your answer, I made my previous post more precise.

Veldrin wrote:
> be careful about the gcc profile shown by eselect. if you are running on a standard (i.e non-hardened) profile, the default will not enable any funny stuff, as when you are using a hardened profile, the default profile will enable -fstack-protector as well as -fpie and -fpic. the vanilla profile turn them off (at least -fpic and -fpie)

What do you mean with funny things?
So this means that I have already built my system with the SSP protection? I'm just asking because I'm not 100% sure what you mean... my English is still poor... LOL
I just want to be 100% sure what to do, because if I choose to recompile the system with the hardened profile on my machine, this will take 36 hours or more,
so I'm gonna take a long long nap.

Hu wrote:
> Do you need the binary drivers at all?

Not on both machines that I use with gentoo, but on the one where I play my 3D games I need the official nvidia-drivers, I think.
Veldrin (Veteran)
Joined: 27 Jul 2004 Posts: 1931 Location: Zurich, Switzerland
Posted: Thu Mar 22, 2012 8:04 am Post subject: |
I am not sure in detail what the hardened profile enables in the gcc profile (think hidden knobs).
There are at least the -fstack-protector/-fstack-protector-all, -fpic and -fpie CFLAGS/CXXFLAGS that get enabled. There might also be -D_FORTIFY_SOURCE=2.
You would have to read through the gcc spec file to get a complete picture.
For other packages, the hardened USE flag enables some additional patches (glibc), changes dependencies (wine) or uses different config files (syslog-ng).
V.
_________________
read the portage output!
If my answer is too short, just ask for an explanation.