cord (Guru)
Joined: 28 Apr 2007, Posts: 344
Posted: Wed Nov 04, 2009 9:38 pm
On my hardened Gentoo (see above)
* kde-base/nepomuk-4.3.1
was successfully compiled.

anonybosh (Guru)
Joined: 20 Nov 2005, Posts: 324
Posted: Wed Nov 11, 2009 5:45 am
Is this overlay required to have a hardened GCC 4.x setup?
I ask because I am using the hardened/linux/x86/10.0 profile and GCC 4.3.4 is not masked. Can I switch to this (4.3.4 in the regular portage tree) from 3.4.6-r2 and still have all of the same hardened code requirements/benefits? Or must I use the overlay as of yet?
What sparked this is upgrading mysql from 5.0.70-r1 to 5.0.84-r1 throws errors about having a new enough GCC and such, and so I must consider rolling a newer GCC for my servers.
TIA!
wyv3rn (Apprentice)
Joined: 18 Aug 2005, Posts: 154, Location: USA
Posted: Wed Nov 11, 2009 10:21 pm
anonybosh wrote:
> Is this overlay required to have a hardened GCC 4.x setup?
> I ask because I am using the hardened/linux/x86/10.0 profile and GCC 4.3.4 is not masked. Can I switch to this (4.3.4 in the regular portage tree) from 3.4.6-r2 and still have all of the same hardened code requirements/benefits? Or must I use the overlay as of yet?
> What sparked this is upgrading mysql from 5.0.70-r1 to 5.0.84-r1 throws errors about having a new enough GCC and such, and so I must consider rolling a newer GCC for my servers.
@anonybosh:
https://bugs.gentoo.org/284946
http://archives.gentoo.org/gentoo-hardened/msg_bc73e13380fcad0c682047dd5cb029e3.xml

anonybosh (Guru)
Joined: 20 Nov 2005, Posts: 324
Posted: Thu Nov 12, 2009 5:20 am
Thanks! That is exactly what I was looking for!

radegand (n00b)
Joined: 22 Aug 2008, Posts: 45, Location: Poland
Posted: Thu Nov 12, 2009 9:13 pm
Hi,
The bug is now marked as 'resolved'. Is glibc-2.11 ready for use on the hardened profile?

zorry (Developer)
Joined: 30 Mar 2008, Posts: 380, Location: Umeå, the north part of Scandinavia
Posted: Thu Nov 12, 2009 9:50 pm
radegand wrote:
> Hi,
> The bug is now marked as 'resolved'. Is glibc-2.11 ready for use on the hardened profile?
Haven't tested it in the tree yet.
-- gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)

wyv3rn (Apprentice)
Joined: 18 Aug 2005, Posts: 154, Location: USA
Posted: Thu Nov 12, 2009 9:51 pm
radegand wrote:
> Hi,
> The bug is now marked as 'resolved'. Is glibc-2.11 ready for use on the hardened profile?
The bug is closed; the ebuild is marked ~ARCH (testing), not stable. So:
If by 'ready for use' you mean 'is it stable and ready for a wide-spread audience', then the answer is no.
If by 'ready for use' you mean 'is it ready for use in a testing environment, understanding that there are potential risks with packages not marked stable', then yes.

TheMixa (n00b)
Joined: 31 May 2006, Posts: 30, Location: Russia
Posted: Sun Nov 15, 2009 5:32 am, Subject: busybox
I can't build busybox static (1.14 and 1.15) with gcc-4.3/4.4, hardened or vanilla from the hardened overlay, glibc-2.11, linux-headers-2.6.30-r1:
Code:
AR util-linux/lib.a
LINK busybox_unstripped
Trying libraries: crypt m
Library crypt is not needed, excluding it
Library m is needed, can't exclude it (yet)
Final link with: m
make -j4 CONFIG_STATIC=y busybox
LINK busybox_unstripped
Trying libraries: crypt m
Failed: -Wl,--start-group -lcrypt -lm -Wl,--end-group
Output of:
i686-pc-linux-gnu-gcc -O2 -march=i686 -pipe -Wall -Wshadow -Wwrite-strings -Wundef -Wstrict-prototypes -Wunused -Wunused-parameter -Wunused-function -Wunused-value -Wmissing-prototypes -Wmissing-declarations -Wdeclaration-after-statement -Wold-style-definition -fno-builtin-strlen -finline-limit=0 -ffunction-sections -fdata-sections -fno-guess-branch-probability -funsigned-char -static-libgcc -static -Wl,-O1 -Wl,--sort-common -Wl,--warn-once,--hash-style=gnu -o busybox_unstripped -Wl,--sort-common -Wl,--sort-section,alignment -Wl,--start-group applets/built-in.o archival/lib.a archival/libunarchive/lib.a console-tools/lib.a coreutils/lib.a coreutils/libcoreutils/lib.a debianutils/lib.a e2fsprogs/lib.a editors/lib.a findutils/lib.a init/lib.a libbb/lib.a libpwdgrp/lib.a loginutils/lib.a mailutils/lib.a miscutils/lib.a modutils/lib.a networking/lib.a networking/libiproute/lib.a networking/udhcp/lib.a printutils/lib.a procps/lib.a runit/lib.a selinux/lib.a shell/lib.a sysklogd/lib.a util-linux/lib.a util-linux/volume_id/lib.a archival/built-in.o archival/libunarchive/built-in.o console-tools/built-in.o coreutils/built-in.o coreutils/libcoreutils/built-in.o debianutils/built-in.o e2fsprogs/built-in.o editors/built-in.o findutils/built-in.o init/built-in.o libbb/built-in.o libpwdgrp/built-in.o loginutils/built-in.o mailutils/built-in.o miscutils/built-in.o modutils/built-in.o networking/built-in.o networking/libiproute/built-in.o networking/udhcp/built-in.o printutils/built-in.o procps/built-in.o runit/built-in.o selinux/built-in.o shell/built-in.o sysklogd/built-in.o util-linux/built-in.o util-linux/volume_id/built-in.o -Wl,--end-group -Wl,--start-group -lcrypt -lm -Wl,--end-group
==========
networking/lib.a(nslookup.o): In function `print_host':
nslookup.c:(.text.print_host+0x5b): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
libbb/lib.a(inet_common.o): In function `INET_rresolve':
inet_common.c:(.text.INET_rresolve+0xfe): warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
util-linux/lib.a(mount.o): In function `singlemount':
mount.c:(.text.singlemount+0x38c): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
libbb/lib.a(inet_common.o): In function `INET_rresolve':
inet_common.c:(.text.INET_rresolve+0x188): warning: Using 'getnetbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
libbb/lib.a(inet_common.o): In function `INET_resolve':
inet_common.c:(.text.INET_resolve+0xa5): warning: Using 'getnetbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
libbb/lib.a(xconnect.o): In function `bb_lookup_port':
xconnect.c:(.text.bb_lookup_port+0x6f): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
networking/lib.a(netstat.o): In function `ip_port_str':
netstat.c:(.text.ip_port_str+0x5f): warning: Using 'getservbyport' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
/usr/lib/gcc/i686-pc-linux-gnu/4.4.2/../../../libc.a(____longjmp_chk.o): In function `____longjmp_chk':
(.text+0x66): undefined reference to `__GI___fortify_fail'

TheMixa (n00b)
Joined: 31 May 2006, Posts: 30, Location: Russia
Posted: Sun Nov 15, 2009 2:52 pm
There is no such problem with glibc-2.10.1 and 2.9.

Dwokfur (Tux's lil' helper)
Joined: 15 Sep 2006, Posts: 86, Location: Budapest, Hungary, Europe
Posted: Thu Nov 26, 2009 5:23 pm
Dwokfur to the log:
I had to "paxctl -m" gnome-power-manager and mixer-applet2, otherwise gnome-power-manager and therefore gnome-settings-daemon kept on segfaulting. Apart from these, gst-inspect still requires "paxctl -m" to run, both on my server and laptop.
Regards,
Dw.

costel78 (Guru)
Joined: 20 Apr 2007, Posts: 402
Posted: Wed Feb 10, 2010 8:15 pm
Hello!
gcc-4.4.3 is in the tree. Is there any plan to put this version on the hardened overlay, too?
Impatiently waiting for it to happen. Just kidding.
Thank you very much.
Later: Compiled! Thank you!
-- Sorry for my English. I'm still learning this language.

Veovis (n00b)
Joined: 15 Aug 2007, Posts: 8
Posted: Mon Feb 22, 2010 5:49 pm
Hi.
I have a question not related to gcc, only to the hardened-development layman overlay.
I see there is hardened-sources-2.6.32-r4 in this repo, but there is no mention of this kernel in the tutorial, so I just wanted to know if this kernel is suitable for use (can we reasonably consider it stable enough, like gcc-4.4, or testing, like gcc-4.5)?
@costel78: I have gcc-4.4.3-r1 from the overlay and my box seems to work fine (except openvpn, but maybe that's not related to the new compiler).

kernelOfTruth (Watchman)
Joined: 20 Dec 2005, Posts: 6111, Location: Vienna, Austria; Germany; hello world :)
Posted: Mon Feb 22, 2010 6:34 pm
Veovis wrote:
> Hi.
> I have a question not related to gcc, only to the hardened-development layman overlay.
> I see there is hardened-sources-2.6.32-r4 in this repo, but there is no mention of this kernel in the tutorial, so I just wanted to know if this kernel is suitable for use (can we reasonably consider it stable enough, like gcc-4.4, or testing, like gcc-4.5)?
> @costel78: I have gcc-4.4.3-r1 from the overlay and my box seems to work fine (except openvpn, but maybe that's not related to the new compiler).
hardened-sources in fact is gentoo-sources with the latest patch from http://www.grsecurity.net/
Install it and enable PaX, RSBAC, etc. only if you really know what you are doing: Gentoo hardened
There's a stable grsecurity patch for 2.6.32 available, so it should be rather safe to use.
-- https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004

Veovis (n00b)
Joined: 15 Aug 2007, Posts: 8
Posted: Mon Feb 22, 2010 6:58 pm
Thanks for the reply.
I've had the same kernel for a long time (in fact 2.6.28-hardened, the latest stable kernel from the gentoo repo).
I thought there was more than just the grsec patch with gentoo-sources.

Genewb (Apprentice)
Joined: 09 Jan 2007, Posts: 165
Posted: Mon Mar 15, 2010 4:40 pm
Would ...
Code:
--- 30_all_gcc44_espf.h.patch.old
+++ 30_all_gcc44_espf.h.patch
@@ -60,7 +60,7 @@
+ #if defined (TARGET_LIBC_PROVIDES_SSP) && !defined (__ia64)
+ #define ESPF_OPTIONS_SSP_SPEC \
+ "%{!D__KERNEL__:%{!nostdlib:%{!nodefaultlibs: %{!fno-stack-protector: \
-+ %{!fstack-protector:%{!fstack-protector-all:-fstack-protector-all}}}}}}"
++ %{!fstack-protector:%{!fstack-protector-all:-fstack-protector}}}}}}"
+ #else
+ #define ESPF_OPTIONS_SSP_SPEC ""
+ #endif
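Review bot: the one-word substitution in the inner `%{!fstack-protector-all:...}` body is sufficient for what is asked, because the enclosing `%{!fstack-protector:%{!fstack-protector-all:...}}` guards are untouched, so the edited text is only ever the default applied when the command line carries neither switch, and an explicit -fstack-protector-all still takes effect. The patch header (or the comment in the espf.h hunk) should state that this narrows default coverage: -fstack-protector only instruments functions that have a character array of at least ssp-buffer-size bytes (8 by default) or that call alloca, while -fstack-protector-all guards every function, so packages that need the stronger setting now have to request it themselves. The outer `%{!D__KERNEL__:`, `%{!nostdlib:` and `%{!nodefaultlibs:` guards are unchanged, so freestanding builds still get no protector switch at all, as before.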
...be sufficient to replace use of stack-protector-all with stack-protector?
Also: aching to try out hardened 4.5. *cough* *cough*
-- I don't give a darn about "experience", just functional copyleft software.

zorry (Developer)
Joined: 30 Mar 2008, Posts: 380, Location: Umeå, the north part of Scandinavia
Posted: Fri Mar 19, 2010 2:51 pm
Genewb wrote:
> Would ... [the 30_all_gcc44_espf.h.patch diff quoted above] ...be sufficient to replace use of stack-protector-all with stack-protector?
> Also: aching to try out hardened 4.5. *cough* *cough*
It would be sufficient to do that.
GCC 4.5 will be in the overlay at a later time. Have a lot of work to do before even 4.4 can hit the tree.
-- gcc version 6.1.0 (Gentoo Hardened 6.1.0 p1.1)

Tom_ (Guru)
Joined: 20 May 2004, Posts: 444, Location: France
Posted: Thu Mar 25, 2010 2:10 pm
Tom_ wrote:
> So, I've to follow the following steps:
> - retrieving the hardened overlay,
> - globally enabling the hardened use-flag,
> - adding gcc and glibc to /etc/portage/profile/package.use.mask,
> - recompiling the toolchain: gcc-config linux-headers glibc binutils gcc portage,
> - and finally, recompiling the system and the world.
> Am I right?
This is what I asked you a few months ago. Is this still the suitable way to proceed?
Which hardened C(XX)FLAGS could be safely used?
Thank you in advance.

Tom_ (Guru)
Joined: 20 May 2004, Posts: 444, Location: France
Posted: Fri Mar 26, 2010 12:41 pm
Actually, I've more questions to ask!
Can I have a hardened toolchain without having a hardened profile? Is it enough to globally enable the hardened use-flag?
According to what I understood, some hardened C(XX)FLAGS (-fstack-protector, -D_FORTIFY_SOURCE=2 ...) are defined in the GCC specs. In the end, which CFLAGS are defined in these specs? Does this mean that every ebuild installed with this GCC will be compiled with these C(XX)FLAGS? Or do I have to add these CFLAGS to my make.conf?
Thank you in advance!
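Genewb's patch earlier in the thread edits a GCC spec string, and the question here is what such a spec actually injects. The following is an added example, not code from this thread or from the Gentoo hardened toolchain: a small evaluator for the `%{S:X}` / `%{!S:X}` subset of GCC's spec language, with OLD_SPEC and NEW_SPEC copied from the quoted patch, showing which switch each version adds for a given command line and when a flag the user already passed suppresses it.

```python
# Added example (not from the thread or the Gentoo hardened toolchain): a
# minimal evaluator for the %{S:X} / %{!S:X} subset of GCC spec syntax.
# OLD_SPEC / NEW_SPEC are the ESPF_OPTIONS_SSP_SPEC string before and after
# the quoted patch; other spec escapes (%{x*:...}, %|, %e, ...) are not handled.

_SSP_PREFIX = ("%{!D__KERNEL__:%{!nostdlib:%{!nodefaultlibs: %{!fno-stack-protector: "
               "%{!fstack-protector:%{!fstack-protector-all:")
OLD_SPEC = _SSP_PREFIX + "-fstack-protector-all}}}}}}"  # before the patch
NEW_SPEC = _SSP_PREFIX + "-fstack-protector}}}}}}"      # after the patch


def _matching_brace(spec, start):
    """Return the index of the '}' closing the '{' at spec[start]."""
    depth = 0
    for k in range(start, len(spec)):
        if spec[k] == "{":
            depth += 1
        elif spec[k] == "}":
            depth -= 1
            if depth == 0:
                return k
    raise ValueError("unbalanced braces in spec: %r" % spec)


def expand(spec, options):
    """Expand spec against options (a set of switches without the leading '-').

    %{S:X} emits X (itself expanded) only if -S was given, %{!S:X} only if it
    was not; plain text is copied through. Matching is exact, so an explicit
    -fstack-protector-all does not satisfy %{fstack-protector:...}.
    """
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("%{", i):
            close = _matching_brace(spec, i + 1)
            cond, _, text = spec[i + 2:close].partition(":")
            negate = cond.startswith("!")
            present = cond.lstrip("!") in options
            if present != negate:          # condition satisfied: emit the body
                out.append(expand(text, options))
            i = close + 1
        else:
            out.append(spec[i])
            i += 1
    return "".join(out)


def ssp_flags(cflags, spec=NEW_SPEC):
    """List the SSP switches the spec injects for a given compiler command line."""
    options = {flag.lstrip("-") for flag in cflags}
    return expand(spec, options).split()


if __name__ == "__main__":
    for cmd in (["-O2", "-march=i686", "-pipe"], ["-fno-stack-protector"],
                ["-fstack-protector-all"], ["-D__KERNEL__", "-O2"], ["-nostdlib"]):
        print("%-28s old: %-25s new: %s"
              % (" ".join(cmd), ssp_flags(cmd, OLD_SPEC), ssp_flags(cmd)))
```

Running it shows that the spec only supplies a default: an explicit -fstack-protector, -fstack-protector-all or -fno-stack-protector, as well as -nostdlib, -nodefaultlibs or -D__KERNEL__, leaves the command line unchanged, so flags a package or make.conf passes itself win over the toolchain default.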

Dwokfur (Tux's lil' helper)
Joined: 15 Sep 2006, Posts: 86, Location: Budapest, Hungary, Europe
Posted: Thu Apr 01, 2010 10:12 pm
I cannot install sun-jdk-1.6.0.19:
Code:
* Creating the Class Data Sharing archives
Loading classes to share ... done.
Rewriting and unlinking classes ... done.
Calculating hash values for String objects .. done.
Calculating fingerprints ... done.
Removing unshareable information ... done.
Moving pre-ordered read-only objects to shared space at 0x2a100000 ... done.
Moving read-only objects to shared space at 0x2a552768 ... done.
Moving common symbols to shared space at 0x2a5541d0 ... done.
Moving remaining symbols to shared space at 0x2a621f48 ... done.
Moving string char arrays to shared space at 0x2a6230f0 ... done.
Moving additional symbols to shared space at 0x2a6bd508 ... done.
Read-only space ends at 0x2a726298, 6447768 bytes.
Moving pre-ordered read-write objects to shared space at 0x2ab00000 ... done.
Moving read-write objects to shared space at 0x2b1b2248 ... done.
Moving String objects to shared space at 0x2b1f0ef0 ... done.
Read-write space ends at 0x2b236cb8, 7564472 bytes.
Updating references to shared objects ... done.
Error occurred during initialization of VM
Could not reserve enough space for object heap
Could not create the Java virtual machine.
* ERROR: dev-java/sun-jdk-1.6.0.19 failed:
* (no error message)
*
* Call stack:
* ebuild.sh, line 54: Called src_compile
* environment, line 2837: Called die
* The specific snippet of code:
* "${S}"/bin/java -server -Xshare:dump || die;
Code:
emerge --info
Portage 2.1.7.17 (hardened/linux/x86/10.0, gcc-4.4.3, glibc-2.11-r1, 2.6.31-hardened-r11 i686)
=================================================================
System uname: Linux-2.6.31-hardened-r11-i686-Intel-R-_Pentium-R-_M_processor_1.80GHz-with-gentoo-1.12.13
Timestamp of tree: Thu, 01 Apr 2010 15:30:01 +0000
ccache version 2.4 [disabled]
app-shells/bash: 4.0_p37
dev-java/java-config: 1.3.7-r1, 2.1.10
dev-lang/python: 2.6.4-r1
dev-python/pycrypto: 2.1.0_beta1
dev-util/ccache: 2.4-r7
dev-util/cmake: 2.6.4-r3
sys-apps/baselayout: 1.12.13
sys-apps/sandbox: 1.6-r2
sys-devel/autoconf: 2.13, 2.63-r1
sys-devel/automake: 1.4_p6, 1.5-r1, 1.6.3, 1.7.9-r2, 1.8.5-r3, 1.9.6-r3, 1.10.3, 1.11.1
sys-devel/binutils: 2.20.1
sys-devel/gcc: 4.4.3-r1
sys-devel/gcc-config: 1.4.1
sys-devel/libtool: 2.2.6b
virtual/os-headers: 2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="*"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -mtune=pentium-m -pipe"
CHOST="i686-pc-linux-gnu"
My other problem is openoffice-3.2.0. I still cannot install it; however, openoffice-3.1.1 merges without errors and runs well.
Are there any others out there having the same problems?
Regards,
Dw.

7v5w7go9ub0o (n00b)
Joined: 27 Mar 2008, Posts: 12
Posted: Thu Apr 01, 2010 11:18 pm
FWIW, openoffice-bin-3.2.0 installs but crashes on my hardened amd64 box, but version 3.1.1 runs fine.

Dwokfur (Tux's lil' helper)
Joined: 15 Sep 2006, Posts: 86, Location: Budapest, Hungary, Europe
Posted: Fri Apr 02, 2010 4:56 pm
Dwokfur wrote:
> I cannot install sun-jdk-1.6.0.19:
> [sun-jdk-1.6.0.19 build log quoted from the previous post]
Message to the log:
I could successfully upgrade sun-jdk from 1.6.0.17 to 1.6.0.19 after I upgraded the kernel from 2.6.31-hardened-r11 to 2.6.33-hardened. I suspect this issue had something to do with PaX, but I'm not sure. Previously I had problems with 2.6.32-hardened: X crashed instantly. Now 2.6.33-hardened seems to be OK, so I can move on. 2.6.31-hardened-r11 seems to be the culprit. The strange thing is that everything was running fine both on the laptop and the server apart from these failures...
The Easter holiday will be an excellent occasion to give openoffice-3.2.0 another spin with the new kernel.
Regards,
Dw.