Gentoo Forums
Hardened missing features

Joined: 17 Jul 2015
Posts: 185

PostPosted: Sat Oct 08, 2016 9:47 pm    Post subject: Hardened missing features


I decided to run $ hardening-check (app-admin/hardening-check) and discovered that wget did not have read-only relocations. To my already quite crazy CFLAGS which are not supported (that's fine, this isn't about that) I added these:
SECOPT="-Wformat -Wformat-security -Werror=format-security --param ssp-buffer-size=4"
LDFLAGS="${LDFLAGS} -Wl,-z,now -Wl,-z,relro"

CFLAGS called in SECOPT, voila, all happy days.

A few questions.

Question 1: What is the pre-defined ssp-buffer-size in Gentoo Hardened with SSP? Grepping for "ssp-buffer-size" showed no results in /usr/portage/profiles/hardened.

Question 2: This section of this page right here I believe is incorrect:
No, the current toolchain implements the equivalent of CFLAGS="-fPIE -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"

If that's true, then wget would already have had read-only relocations; I had to recompile with my new options set. On a lot of binaries, all is well. Hardening-check on X however returns this:
 Position Independent Executable: yes
 Stack protected: yes
 Fortify Source functions: yes
 Read-only relocations: no, not found!
 Immediate binding: no, not found!

mkdir, rm, file, find, make, curl, socat, pv, less, most, gcc, ranlib, ld, gimp, blender, etc etc do not have read-only relocations. Firefox does though!

Some more binaries I found, caja-sendto and canberra-gtk-play, do not have their functions fortified, nor do they have read-only relocations.
Manually enabling the hardening flags is not recommended.

Whelp, they're not on. :lol:

Question 3: Are we sure that Gentoo Hardened does in fact enable -fstack-protector-all? When I compile programs, that flag never shows up for me whenever I build a package, no matter what it is. Say I wanted to change the magic -fstack-protector-all (if present) to -fstack-protector-strong. How do I go about this and remove what Gentoo has (if it even exists)? If both are specified, does one take priority or what? To avoid that problem (just in case it is one) I'd like to just have -fstack-protector-strong set instead of -fstack-protector-all (again, if it's set somewhere hidden).

Last question: -D_FORTIFY_SOURCE=2 doesn't show up at all in /usr/portage/profiles either (unless I'm missing something?), so how do we know that's being enabled too? That one also doesn't show up at compile time with the rest of the CFLAGS, and if it is actually applied but not showing up in the console (fancy stripping?), then how come the warnings below don't show up at compile time? Hidden magic in Gentoo? When I manually specify -D_FORTIFY_SOURCE=2 in make.conf I get a bunch of warnings like these:
<command-line>:0:0: warning: "_FORTIFY_SOURCE" redefined
<built-in>: note: this is the location of the previous definition

Thanks, I'm surprised nobody has asked any of my questions before.

Edit: I made a new discovery! I've been messing around here:

Decided to try some things out for myself to see what's going on. I selected the x86_64-pc-linux-gnu-5.4.0-vanilla GCC profile, ran gcc --verbose:

Using built-in specs.
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/vanilla.specs
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/hardenednossp.specs
Reading specs from /usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/hardenednopie.specs

Why is vanilla GCC still reading specs from other profiles? Those should be disabled, no? Anyways, so I compiled trivial.c several times, with several compilers, stock, hardenednopiessp, and vanilla. Same results on all of them, regardless of CFLAGS when building trivial.c,

source here:

I modified the Makefile a bit:


# Reconstructed: the clean target is implied by the `make clean` run below,
# and CFLAGS by the `cc -O0 trivial.c -o trivial` command make prints.
CFLAGS = -O0

all: trivial

clean:
	rm -f trivial

Running the following:
make clean && make && ./trivial $(perl -e 'print "A"x100')

Regardless of GCC profile, it will detect a buffer overflow at any optimization level >=1. The stock hardened GCC profile will detect stack smashing at -O0 with no additional flags. The vanilla GCC profile will segfault. Clearly there are hardened options that are being enabled specifically by the hardened compiler, but why do some of the LDFLAGS change on the fly, per package, and remove -z,now -z,relro?

-fstack-protector (whether it's all, strong or just standalone) is in fact being enabled by the compiler by default, flags of which we cannot see.
All that shows up for us when we run "make" is cc -O0 trivial.c -o trivial.

Stack protection aside, as that part seems to be consistent (at least in this case), "-Wl,-z,now -Wl,-z,relro" are flaky, as well as -D_FORTIFY_SOURCE=2.

What is going on??? Thanks guys, the support here has been really helpful, I highly appreciate it!

Last edited by NTU on Sat Oct 08, 2016 11:08 pm; edited 1 time in total
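An added example, not from the post above and not hardening-check's or Gentoo's code: it reproduces the two checks hardening-check reports as "Read-only relocations" (a PT_GNU_RELRO program header left by -z relro) and "Immediate binding" (BIND_NOW in the dynamic section left by -z now), so the result for a package can be compared against the LDFLAGS that were actually passed. The ELF images it parses in the test are constructed in memory by build_elf, which is a hypothetical helper written only for this example.

```python
import struct

# ELF constants used by the check (from the ELF gABI / glibc elf.h)
PT_DYNAMIC, PT_GNU_RELRO = 2, 0x6474E552
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def check_relro(data: bytes) -> dict:
    """'Read-only relocations' = PT_GNU_RELRO present; 'Immediate binding' =
    DT_BIND_NOW, DF_BIND_NOW or DF_1_NOW in the dynamic section (ELF64 only)."""
    if data[:4] != b"\x7fELF" or data[4] != 2:
        raise ValueError("not an ELF64 image")
    end = "<" if data[5] == 1 else ">"            # EI_DATA: 1 = little-endian
    phoff = struct.unpack_from(end + "Q", data, 0x20)[0]
    phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    relro, dyn = False, None
    for i in range(phnum):
        p_type, _, p_off, _, _, p_filesz = struct.unpack_from(
            end + "IIQQQQ", data, phoff + i * phentsize)
        if p_type == PT_GNU_RELRO:
            relro = True                          # -z relro was honoured
        elif p_type == PT_DYNAMIC:
            dyn = (p_off, p_filesz)
    bind_now = False
    if dyn:
        for j in range(dyn[1] // 16):             # Elf64_Dyn is 16 bytes
            tag, val = struct.unpack_from(end + "qQ", data, dyn[0] + j * 16)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True                   # -z now was honoured
    return {"relro": relro, "bind_now": bind_now, "full_relro": relro and bind_now}


def build_elf(relro: bool, dyn_entries) -> bytes:
    """Constructed sample input: a minimal little-endian ELF64 image holding
    only the header, program headers and a dynamic section (no code)."""
    phnum = 2 if relro else 1
    dyn_off = 64 + 56 * phnum                     # Ehdr + phnum * Phdr
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)     # ELF64, LE, v1
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 64, 0, 0,
                        64, 56, phnum, 64, 0, 0)            # ET_DYN, EM_X86_64
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if relro:
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, dyn_off, 0, 0, len(dyn), len(dyn), 1)
    return ehdr + phdrs + dyn
```

On a real system, `check_relro(open("/usr/bin/wget", "rb").read())` gives the same relro/bind_now verdict hardening-check prints for that binary.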