Gentoo Forums
Gentoo Forums
Gentoo Forums
Quick Search: in
Support for GCC 4.x on hardened systems
View unanswered posts
View posts from last 24 hours

Goto page 1, 2, 3, 4, 5  Next  
Reply to topic    Gentoo Forums Forum Index Unsupported Software
View previous topic :: View next topic  
Author Message
timeBandit
Bodhisattva
Bodhisattva


Joined: 31 Dec 2004
Posts: 2719
Location: here, there or in transit

PostPosted: Sat Aug 29, 2009 2:48 pm    Post subject: Support for GCC 4.x on hardened systems Reply with quote

Continued and relocated from a long-running discussion that evolved into a support thread.

Are you running a hardened profile?
Are you using GCC 4.x and following The Hardened GCC4 Toolchain Overlay Guide?
Has something broken?

Post your questions here.
_________________
Plants are pithy, brooks tend to babble--I'm content to lie between them.
Super-short f.g.o checklist: Search first, strip comments, mark solved, help others.
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Sat Aug 29, 2009 4:38 pm    Post subject: Reply with quote

Overlay
Hardened Development
git://git.overlays.gentoo.org/proj/hardened-dev.git
layman -a hardened-development

Links
Trac and Wiki for the overlay
Commit summary on the overlay

Bugs
Bugs that have with the overlay and are hardened bugs should go to the trac and don't forget to add emerge --info.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)


Last edited by zorry on Fri Sep 18, 2009 2:41 pm; edited 3 times in total
Back to top
View user's profile Send private message
Dwokfur
Tux's lil' helper
Tux's lil' helper


Joined: 15 Sep 2006
Posts: 86
Location: Budapest, Hungary, Europe

PostPosted: Mon Aug 31, 2009 8:53 am    Post subject: Python2.6 update uncovered some problems Reply with quote

System-wide upgrade was delayed, until I found out, that I had introduced env variables for a previous oOO python-UNO bridge problems. After correcting this I went on and run into some difficulties. These were triggered by the new toolchain, but not hardened-related.

Please find the issues listed here:
- gnome-games: getline glibc conflict - 271224
- bittorrent: python-2.6 incompatible use of ".as" - 265784
- snack, which can be solved by keywording the package (roundf redefinition) - 270839, 282987

Regards:
Dw.

My vacation eventually comes to an end... :(
Back to top
View user's profile Send private message
petlab
Apprentice
Apprentice


Joined: 03 May 2004
Posts: 290
Location: Armpit, Oregon

PostPosted: Mon Aug 31, 2009 9:27 pm    Post subject: Reply with quote

I have installed following [HOWTO] The Hardened GCC4 Toolchain Overlay Guide. I've emerged gcc-4.4.1-r2 and glibc-2.10.1, with multilib. My question - is multilib workable or did I waste compile time?

I started from the 4.3.3 stage3, and followed as well as I could until I am able to emerge "glibc linux-headers binutils gcc." However, now I "cannot run C compiled programs. while emerging my first package." Did I break it, or can we freshen up the Overlay Guide? I'll help if I can.

My goal is to get to gcc-4.4.1-r2 hardened, with the graphite framework as well. Thanks for any and all help!
_________________
Get Serious - Get JAWA CZ
Back to top
View user's profile Send private message
Veldrin
Veteran
Veteran


Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

PostPosted: Tue Sep 01, 2009 7:18 pm    Post subject: Reply with quote

This is usually a problem with binutils.

Code:
# binutils-config 1

should fix it
Back to top
View user's profile Send private message
petlab
Apprentice
Apprentice


Joined: 03 May 2004
Posts: 290
Location: Armpit, Oregon

PostPosted: Tue Sep 01, 2009 8:13 pm    Post subject: Reply with quote

Thank you for the help. binutils-config did not work. I am not sure I actually have a working toolchain at this point. Let's start again. I'm not sure whether I should follow the [HOWTO] thread on the forums here, or the Install page over at the trac. They outline similar steps, but there are inconsistencies both pages, imho. Which one is the correct route? Simply emerge packages from the overlay, or make a chroot and get the stage3? Thanks again, all.
_________________
Get Serious - Get JAWA CZ
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Tue Sep 01, 2009 9:48 pm    Post subject: Reply with quote

petlab wrote:
Thank you for the help. binutils-config did not work. I am not sure I actually have a working toolchain at this point. Let's start again. I'm not sure whether I should follow the [HOWTO] thread on the forums here, or the Install page over at the trac. They outline similar steps, but there are inconsistencies both pages, imho. Which one is the correct route? Simply emerge packages from the overlay, or make a chroot and get the stage3? Thanks again, all.

Use the HOWTO the one on the trac is outdated and removed.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Sat Sep 05, 2009 4:34 pm    Post subject: Reply with quote

New ebuild (grub-0.97-r11) for grub-0.97 is in the overlay for testing the porting of the Grub2 -fPIE check.
Savannah CVS Surfing - project grub - Revision 2564
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
cord
Guru
Guru


Joined: 28 Apr 2007
Posts: 344

PostPosted: Mon Sep 07, 2009 6:55 pm    Post subject: Reply with quote

Code:
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once"

Are these flags safe for subj?
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Fri Sep 11, 2009 11:15 am    Post subject: Reply with quote

cord wrote:
Code:
LDFLAGS="-Wl,-O1 -Wl,--sort-common -Wl,--warn-once"

Are these flags safe for subj?

Looks safe.
Code:

--sort-common               Sort common symbols by size
--warn-once                 Warn only once per undefined symbol

_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Fri Sep 11, 2009 10:30 pm    Post subject: Reply with quote

*subscribes*
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Fri Sep 18, 2009 1:50 pm    Post subject: Reply with quote

We have rename the overlay from hardened-development.git to hardened-dev.git and no change for layman
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)


Last edited by zorry on Fri Sep 18, 2009 2:39 pm; edited 1 time in total
Back to top
View user's profile Send private message
cord
Guru
Guru


Joined: 28 Apr 2007
Posts: 344

PostPosted: Fri Sep 18, 2009 2:15 pm    Post subject: Reply with quote

Did you?
Code:

# layman -L
...
* hardened-development      [Git]    (git://git.overlays.gentoo.org/proj/hardened-dev.git)
...
#

Overlay name is still 'hardened-development'
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Fri Sep 18, 2009 2:41 pm    Post subject: Reply with quote

cord wrote:
Did you?
Code:

# layman -L
...
* hardened-development      [Git]    (git://git.overlays.gentoo.org/proj/hardened-dev.git)
...
#

Overlay name is still 'hardened-development'

Yes but for git users it have change.
Thanks for the note.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
Xake
Guru
Guru


Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

PostPosted: Sat Sep 19, 2009 5:27 pm    Post subject: Reply with quote

Yes, we did.

cord wrote:
Code:

# layman -L
...
* hardened-development      [Git]    (git://git.overlays.gentoo.org/proj/[b]hardened-dev[/b].git)
...
#


was: hardened-development.git

If you get problem with layman -S, then just remove and readd the overlay.
_________________
If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally.
Back to top
View user's profile Send private message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Tue Sep 22, 2009 5:32 pm    Post subject: Reply with quote

Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... :lol: Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either :?
Cheers
Back to top
View user's profile Send private message
Veldrin
Veteran
Veteran


Joined: 27 Jul 2004
Posts: 1945
Location: Zurich, Switzerland

PostPosted: Tue Sep 22, 2009 6:04 pm    Post subject: Reply with quote

radegand wrote:
Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... :lol: Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either :?
Cheers
just an educated guess - because it has been move to the main tree.
Back to top
View user's profile Send private message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Tue Sep 22, 2009 6:29 pm    Post subject: Reply with quote

Veldrin wrote:
just an educated guess - because it has been move to the main tree.


I have to admit - such an obvious idea hasn't even cross my mind! Was it really the case? The one from portage doesn't compile and bails out with somehow interesting error:
Code:
x86_64-pc-linux-gnu-gcc: -pie and -static|pg|p|profile are incompatible
Back to top
View user's profile Send private message
Xake
Guru
Guru


Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

PostPosted: Tue Sep 22, 2009 6:29 pm    Post subject: Reply with quote

radegand wrote:
Hi,
Why was the ebuild for glibc-2.10.1 removed from the overlay? As a user of these I'm a bit concerned... :lol: Was there some major flaw with these? Let me know if any testing of it is needed...I've checked the 'testing' branch but nothing was there either :?
Cheers


In portage.
_________________
If I edit a post without commenting it mostly is spelling-errors.
And if I sounds rude I am sorry, that is just my personality speaking and has most of the time nothing to do with you personally.
Back to top
View user's profile Send private message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Tue Sep 22, 2009 9:59 pm    Post subject: Reply with quote

Xake wrote:


In portage.


Ok, thanks. So I think I got a new bug then :)
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Wed Sep 23, 2009 11:00 am    Post subject: Reply with quote

radegand wrote:
Xake wrote:


In portage.


Ok, thanks. So I think I got a new bug then :)

It is a error in the specs for the crtbeginTS.o in GCC espf-0.3.4 and will be fixed in espf-0.3.5.
So no error in GLIBC 2.10.1 in the tree.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
Tom_
Guru
Guru


Joined: 20 May 2004
Posts: 444
Location: France

PostPosted: Wed Sep 23, 2009 11:43 am    Post subject: Reply with quote

Hello,

According to this howto, it seems possible to upgrade a standalone Gentoo system to make it have an hardened toolchain. Could someone confirm this please? In other words, i have a perfectly-running Gentoo system, and I would like to use an hardened toolchain : is that possible without breaking my system ? :lol:

I've got another question : if i want to go back to a normal toolchain, is that also possible ?

Thank you in advance! ;)
Back to top
View user's profile Send private message
kernelOfTruth
Watchman
Watchman


Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

PostPosted: Wed Sep 23, 2009 12:02 pm    Post subject: Reply with quote

Tom_ wrote:
Hello,

According to this howto, it seems possible to upgrade a standalone Gentoo system to make it have an hardened toolchain. Could someone confirm this please? In other words, i have a perfectly-running Gentoo system, and I would like to use an hardened toolchain : is that possible without breaking my system ? :lol:

I've got another question : if i want to go back to a normal toolchain, is that also possible ?

Thank you in advance! ;)


confirmed ! :D

Quote:
cat /etc/portage/profile/package.use.mask
sys-devel/gcc -hardened
sys-libs/glibc -hardened


don't forget to enable hardened USE-flag globally !
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D
Back to top
View user's profile Send private message
zorry
Developer
Developer


Joined: 30 Mar 2008
Posts: 380
Location: Umeå The north part of scandinavia

PostPosted: Wed Sep 23, 2009 6:39 pm    Post subject: Reply with quote

radegand wrote:
Xake wrote:


In portage.


Ok, thanks. So I think I got a new bug then :)

Disable the profile use flag and recompile to see if that fix it.
Code:

x86_64-pc-linux-gnu-gcc libc-tls.c -c -std=gnu99 -fgnu89-inline -O2 -Wall -Winline -Wwrite-strings -fmerge-all-constants -fno-stack-protector -fno-strict-aliasing -pipe -Wstrict-prototypes -pg -I../include -I/var/tmp/portage/sys-libs/glibc-2.10.1/work/build-amd64-x86_64-pc-linux-gnu-nptl/csu

-pg is added to the command line and the check that is added to espf-0.3.4 check for that.
For -pg -p -profile will disable hardened specs for the start and end files.
_________________
gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)
Back to top
View user's profile Send private message
radegand
n00b
n00b


Joined: 22 Aug 2008
Posts: 45
Location: Poland

PostPosted: Wed Sep 23, 2009 7:19 pm    Post subject: Reply with quote

zorry wrote:

Disable the profile use flag and recompile to see if that fix it.


Yep, it compiled fine, thanks! :)

Also just for the record - radeon (R300) is working fine on hardened 4.4.1 with KMS and direct rendering enabled with latest mesa from the X11 overlay :) Shiny KDE 4.3.1 with all the hardened goodies! 8) More info how to set it up is available here.
Back to top
View user's profile Send private message
Display posts from previous:   
Reply to topic    Gentoo Forums Forum Index Unsupported Software All times are GMT
Goto page 1, 2, 3, 4, 5  Next
Page 1 of 5

 
Jump to:  
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum