Gentoo Forums
Forum Index: Gentoo Chat. This topic is locked.

How long until hardened and toolchain will produce a hardened gcc4?

Poll results:
1 year: 23% [ 40 ]
5 years: 20% [ 35 ]
10 years: 7% [ 13 ]
lifetime: 4% [ 8 ]
eternity: 44% [ 76 ]
Total Votes : 172

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Fri Feb 29, 2008 11:32 am    Post subject: How long until hardened and toolchain will produce a hardene

So here is 'the' question for many users of gentoo hardened:

When will Hardened and Toolchain stop calling each other names and actually try to figure out how to deliver a hardened gcc4 that both parties can accept and does not eat babies, all at the same time?

For all of you who do not know anything about this subject please see https://bugs.gentoo.org and search for a bug that has something to do with stack-protector, read the hardened-ml and/or go into the #hardened channel and ask something about GCC4 and maybe even you - as many users before you - will get a name of your own.


A sidequestion maybe also could be when Gentoo (like many other distros) will start supporting stack-protector by default...

phajdan.jr
Retired Dev

Joined: 23 Mar 2006
Posts: 1777
Location: Poland

Posted: Fri Feb 29, 2008 12:55 pm    Post subject: Re: How long until hardened and toolchain will produce a har

Xake wrote:
So here is 'the' question for many users of gentoo hardened


If you use hardened you do it probably for other reasons than GCC 4... note that I use hardened on some systems.

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Fri Feb 29, 2008 1:20 pm    Post subject: Re: How long until hardened and toolchain will produce a har

_ph wrote:
Xake wrote:
So here is 'the' question for many users of gentoo hardened


If you use hardened you do it probably for other reasons than GCC 4... note that I use hardened on some systems.


I will not start the discussion why you should consider hardened even on your laptop.

The problem is NOT what version of gcc my system is compiled with, the problem is if packages even will compile with <gcc-4 (the stable version of xf86-video-sis did for a long time not work with gcc-4 without a patch). If you want more reasons then take a look inside hardened's package.mask and you will find maskings done because of not having gcc-4...

AllenJB
Veteran

Joined: 02 Sep 2005
Posts: 1285

Posted: Fri Feb 29, 2008 1:30 pm

What have YOU done to progress the state of gcc4 on hardened this month? (And this thread doesn't count)

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Fri Feb 29, 2008 2:29 pm

AllenJB wrote:
What have YOU done to progress the state of gcc4 on hardened this month? (And this thread doesn't count)


That is the problem. I do not know what I can do to progress the state of gcc4 on hardened. Who should I ask? And please do not say the hardened herd. Last time I asked over @ #hardened I was told to go fuck myself. Questions at the mailinglist are either ignored or given workarounds by devs who do not want to touch toolchain stuff for a long time to come.

Maybe ask toolchain? But do they even care about hardened gcc4 currently?

nwmcsween
n00b

Joined: 25 May 2007
Posts: 41

Posted: Fri Feb 29, 2008 9:31 pm

GCC 4 does work, you just need the ebuild for it; search for gcc 4.2.3 *bugfix*, it has the ebuild in it. As for stack protection, I really don't want that enabled, it has a performance hit; simply selinux and PIE/PIC and GRSecurity is fine with me. I'm planning on creating a "stage 4", just barebones with gcc 4.2.3 hardened, selinux and GRSecurity.
_________________
Vanilla kernel without PITA

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Sun Mar 02, 2008 10:37 am

nwmcsween wrote:
GCC 4 does work, you just need the ebuild for it; search for gcc 4.2.3 *bugfix*, it has the ebuild in it. As for stack protection, I really don't want that enabled, it has a performance hit; simply selinux and PIE/PIC and GRSecurity is fine with me. I'm planning on creating a "stage 4", just barebones with gcc 4.2.3 hardened, selinux and GRSecurity.


The ebuild you are talking about is a versionbump of kevquinn's work (exists over at overlays.g.o). The problem is that that overlay has not had an update in a long time. That means you either have to use a version from another overlay (usually namebumps), use the hacks from hardened-ml or just versionbump the ebuild.

When gcc-4.3 hits us (and I do not mean as ~arch but as stable) we will not have an updated piepatch.
SELinux and GRSecurity can only so far make up for stuff like -fstack-protector and -DFORTIFY_SOURCE...

Either way you're still out in the cold if you encounter a compile-problem since you are running an unsupported version of GCC.

(Yes I have used kevquinn's overlay. I had to use gcc4 to compile some stuff on my laptop.)

alistair
Retired Dev

Joined: 15 Jul 2005
Posts: 869

Posted: Mon Mar 03, 2008 2:24 am

Xake, why don't you make your own ebuild?

Start by asking what other distros are doing to make hardened gcc-4's. Find their patches, use them, etc, etc, etc.
_________________
______________
Help the gentoo-java project. Visit Gentoo Java Project

what good are admin powers if you don't abuse them for personal gain - mark_alec

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Mon Mar 03, 2008 6:49 am

alistair wrote:
Xake, why don't you make your own ebuild?

++ We'll help in #friendly-coders if you like. My understanding is that solar doesn't want to maintain gcc/hardened as a dev anymore, which is fair enough.
_________________
creaker wrote:
systemd. It is a really ass pain

update - "a most excellent portage wrapper"

#friendly-coders -- We're still here for you™ ;)

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Mon Mar 03, 2008 10:22 am

alistair wrote:
Xake, why don't you make your own ebuild?

Start by asking what other distros are doing to make hardened gcc-4's. Find their patches, use them, etc, etc, etc.


It is not that easy as most distros seem to have their own way of doing this.
For instance Gentoo-Hardened did embed the symbols for SSP inside of glibc, while others seem to have used a libssp approach.
And for example Fedora/Red Hat & afaik also ubuntu has things compiled with SSP and -DFORTIFY_SOURCES by default (an approach I think Gentoo should support, i.e. the possibility to use -fstack-protector and -DFORTIFY_SOURCES even without hardened).
And from where gentoo has gotten the piepatches I have no clue and I have no clue if/how any other distro uses them.

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Mon Mar 03, 2008 10:36 am

steveL wrote:
alistair wrote:
Xake, why don't you make your own ebuild?

++ We'll help in #friendly-coders if you like. My understanding is that solar doesn't want to maintain gcc/hardened as a dev anymore, which is fair enough.


Yes, it seems like it was some kind of fallout between Hardened and toolchain leaving solar in a state where he does not want to touch toolchain (probably ever again), having pappy calling people asking things over at #gentoo-hardened names and having vapier telling pappy to stop bullshitting over at b.g.o so...

Not a friendly atmosphere...
...which makes me a bit 'fraid that we can consider hardened-toolchain dead.


And why I do hope still for a Gentoo-supported solution is that, if not, the bugs I find will keep being silently ignored over at b.g.o or closed due to unsupported toolchain.

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Mon Mar 03, 2008 2:55 pm

Xake wrote:
Not a friendly atmosphere...
...which makes me a bit 'fraid that we can consider hardened-toolchain dead.

Yeah, well I have to admit from the outside, I wonder why anyone would want to work in such a fractious team, but then again i think a lot of this stuff gets blown up simply because everything is done in the open. Software is a creative thing as well, and let's face it, creatives are known for their erratic temperaments. Plus people really care; if not about their users or their reputations, then at least their egos ;P As my code collaborator says "We're all organix, after all." My take on it tends to be "fsck 'em if they can't take a joke" ;p
Quote:
And why I do hope still for a Gentoo-supported solution is that, if not, the bugs I find will keep being silently ignored over at b.g.o or closed due to unsupported toolchain.

Well let's see what some of us users can do to work on the software we want; after all that's how any of this stuff ever gets done (or started, ofc.) My net connection's lagging out but I am online (and tend to be at all sorts of hours; ahh the joys and pain of working on software ;) so /join #friendly-coders whenever you have some time to talk rubbish vaguely related to code ;p (Don't tell RobbieAB I said that, he gets dead uptight about the /topic.. ;)

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Mon Mar 10, 2008 3:49 am

Quote:
A sidequestion maybe also could be when Gentoo (like many other distros) will start supporting stack-protector by default...


I would also like to see Gentoo default to SSP like Ubuntu, Fedora, RedHat, (possibly others) have done. I think if everyone used it then everyone would support it and it would alleviate a lot of the stress from the hardened team. Really, I don't think there's too much to be done. The specs that were recently discussed in the ml and irc seem to work and most of the packages that have problems have already been identified and their ebuilds strip the fstack-protector flags or add fno-stack-protector accordingly. Plus, it just seems like a good idea. PIE might be another thing though. Anyone know would the gentoo-council be the place to bring this up, or has that already been tried and shot down?

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Mon Mar 10, 2008 8:35 am

XioXouS wrote:
Quote:
A sidequestion maybe also could be when Gentoo (like many other distros) will start supporting stack-protector by default...


I would also like to see Gentoo default to SSP like Ubuntu, Fedora, RedHat, (possibly others) have done. I think if everyone used it then everyone would support it and it would alleviate a lot of the stress from the hardened team. Really, I don't think there's too much to be done. The specs that were recently discussed in the ml and irc seem to work and most of the packages that have problems have already been identified and their ebuilds strip the fstack-protector flags or add fno-stack-protector accordingly. Plus, it just seems like a good idea. PIE might be another thing though. Anyone know would the gentoo-council be the place to bring this up, or has that already been tried and shot down?


If the releaseteam asks for features to add for 2008.1, maybe this should be something to push for into the official profile, then?

When it comes to Ubuntu afaik they use both -fPIE and -fstack-protector by default, and RedHat uses -Dfortify_source too.
I do not believe -fPIE to be such a problem either. The things that seem to have problems with that flag are mainly packages like glibc, gcc, grub, busybox and so on. Applications questionable of how/if they will benefit by -fPIE.
-fstack-protector fights mostly with asm and the like (at least on x86).

Has anyone experience with just adding -fPIE and -fstack-protector-all to CFLAGS and how it behaves? Does it resolve its symbols or do you have to fiddle with gcc (i.e. adding libssp-support) or glibc (i.e. "the gentoo way" of adding the symbols to glibc)?

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Mon Mar 10, 2008 8:40 am

XioXouS wrote:
I would also like to see Gentoo default to SSP like Ubuntu, Fedora, RedHat, (possibly others) have done. I think if everyone used it then everyone would support it and it would alleviate a lot of the stress from the hardened team. Really, I don't think there's too much to be done. The specs that were recently discussed in the ml and irc seem to work and most of the packages that have problems have already been identified and their ebuilds strip the fstack-protector flags or add fno-stack-protector accordingly. Plus, it just seems like a good idea. PIE might be another thing though. Anyone know would the gentoo-council be the place to bring this up, or has that already been tried and shot down?

There's nothing for the Council to vote on afaict: the project isn't moving as it's too much stress for the devs concerned. If you could show several systems in "the wild", ie not just your own, running the setup and working smoothly (including upgrades) you'd have more grounds to say: "Here's gcc-4 building Gentoo hardened/ssp fine." By that time you'd pretty much be maintaining it in an overlay in any case, and it would be easier to feed into the main tree (sunrise, masked, then unstable afaict.)

It still wouldn't be a Council issue, unless there were some technical issue that needed to be decided, and other avenues to resolve it had been exhausted. Anything else comes under the purview of the Trustees, but this is simply due to a lack of coordinated, effective labour. It's a development issue, but it's on the fuzzier side imo, since it's also about recruitment etc as well as skill. Thing is: who here is actually willing to commit some time to making it happen?


And will you actually follow through?

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Mon Mar 10, 2008 10:59 am

steveL wrote:
XioXouS wrote:
I would also like to see Gentoo default to SSP like Ubuntu, Fedora, RedHat, (possibly others) have done. I think if everyone used it then everyone would support it and it would alleviate a lot of the stress from the hardened team. Really, I don't think there's too much to be done. The specs that were recently discussed in the ml and irc seem to work and most of the packages that have problems have already been identified and their ebuilds strip the fstack-protector flags or add fno-stack-protector accordingly. Plus, it just seems like a good idea. PIE might be another thing though. Anyone know would the gentoo-council be the place to bring this up, or has that already been tried and shot down?

There's nothing for the Council to vote on afaict: the project isn't moving as it's too much stress for the devs concerned. If you could show several systems in "the wild", ie not just your own, running the setup and working smoothly (including upgrades) you'd have more grounds to say: "Here's gcc-4 building Gentoo hardened/ssp fine." By that time you'd pretty much be maintaining it in an overlay in any case, and it would be easier to feed into the main tree (sunrise, masked, then unstable afaict.)

It still wouldn't be a Council issue, unless there were some technical issue that needed to be decided, and other avenues to resolve it had been exhausted. Anything else comes under the purview of the Trustees, but this is simply due to a lack of coordinated, effective labour. It's a development issue, but it's on the fuzzier side imo, since it's also about recruitment etc as well as skill. Thing is: who here is actually willing to commit some time to making it happen?


And will you actually follow through?


Was not kevquinn's overlay supposed to be something like that testing ground to run out in the wild? Whatever happened to that and why was it not mainstreamed and/or announced out for broader testing (if testing is the only thing missing)?

If it would be something for the council to vote for it would be to vote for which solution to go for if hardened and toolchain ever becomes unfriendly over which way to go in the future... or am I missing something?


Last edited by Xake on Mon Mar 10, 2008 1:00 pm; edited 1 time in total

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Mon Mar 10, 2008 12:30 pm

I guess my thought was that if some Gentoo overlords (which ever group that happened to be) decided that every toolchain it supported was hardened (with the ability to switch to vanilla if you desired, which is like it is now), then there wouldn't be such a disconnect between the toolchain team, the hardened team, and miscellaneous other devs and bug wranglers that tend to leave hardened out in the cold because they're different. It would also be more in keeping with the direction that other distros are headed, not that that's reason enough to do it. Someone on IRC mentioned that this is kind of a form of security by PR. From my point of view it was more of an organizational choice, but I see what you're saying: One would require proof that it's technically feasible before the politically feasible could be considered.

What exactly did you mean by "out in the wild?" Just publicly available? Or running bleeding edge kinds of stuff (~arch)? If either or both of those are the case, then I might have some resources I could put towards both of those if someone (other than me) was interested.

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Mon Mar 10, 2008 5:43 pm

XioXouS wrote:
I guess my thought was that if some Gentoo overlords (which ever group that happened to be) decided that every toolchain it supported was hardened (with the ability to switch to vanilla if you desired, which is like it is now), then there wouldn't be such a disconnect between the toolchain team, the hardened team, and miscellaneous other devs and bug wranglers that tend to leave hardened out in the cold because they're different. It would also be more in keeping with the direction that other distros are headed, not that that's reason enough to do it. Someone on IRC mentioned that this is kind of a form of security by PR. From my point of view it was more of an organizational choice, but I see what you're saying: One would require proof that it's technically feasible before the politically feasible could be considered.

Exactly; I'm sure if you had a Gentoo box building the whole tree consistently with gcc-4, ssp, grsec, selinux, w/e else, it'd be welcomed.

FWIW there are no overlords afaict; just a bunch of folks. As with any group, some you like, some you detest. Definitely there are people closer to the centre, or doing more, but they don't control what anyone else does (occasionally they stop others contributing which is a shame; there's plenty of other code though.) Consensus (when it can be reached) is used to decide most stuff; I'm quite impressed that the Council turns stuff down when there is no clear consensus on a technical direction; if it hasn't made sense to most of the devs, it won't happen, if it's something that affects a large part of the tree. Don't get me wrong: I'm sure people play power-games and so on; it's just not that important, at least not when you think about it: no-one can really dominate Gentoo; it's a collective effort.
Quote:
What exactly did you mean by "out in the wild?" Just publicly available? Or running bleeding edge kinds of stuff (~arch)? If either or both of those are the case, then I might have some resources I could put towards both of those if someone (other than me) was interested.

Both; the more users/testers the better imo. I know what you mean; it's way too much work for one or two people.

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Mon Mar 10, 2008 6:42 pm

Quote:
FWIW there are no overlords afaict; just a bunch of folks.


You're absolutely correct. I apologize to anyone I offended. Just a poor choice of words.

I'll see what I can do about that box. I was originally thinking just a vm, but I have an old server (P4) sitting around that I can put on a different vlan that would work for this. I'll chime back in probably tomorrow about this.

kernelOfTruth
Watchman

Joined: 20 Dec 2005
Posts: 6111
Location: Vienna, Austria; Germany; hello world :)

Posted: Mon Mar 10, 2008 7:13 pm

Quote:
-fstack-protector
won't work due to the lack of libssp compiled in (how to enable that, btw ?)

-D_FORTIFY_SOURCE=2 works fine here on almost everything (only a few apps don't want to compile with it anymore, it's getting less and less ...)

my "testing" c & cxxflags:

Quote:
CFLAGS="-O2 -march=native -pipe -mfpmath=sse,387 -ffast-math -fforce-addr -combine -funroll-loops -fsplit-ivs-in-unroller -fvariable-expansion-in-unroller -fpeel-loops -funswitch-loops -falign-functions=0 -falign-jumps=0 -falign-labels=0 -falign-loops=0 -fearly-inlining -ffunction-cse -fgcse-after-reload -fgcse-sm -fgcse-las -fmerge-constants -fno-ident -fomit-frame-pointer -fprefetch-loop-arrays -mmmx -msse -msse2 -msse3 -s -Wno-error -fivopts -fmodulo-sched -freschedule-modulo-scheduled-loops -ftree-loop-im -ftree-loop-ivcanon -D_FORTIFY_SOURCE=2 -ftree-vectorize"


there are still some apps breaking with ffast-math & -combine but else everything is fine

almost everything is compiled with those flags :wink:

gcc:

Quote:
gcc -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.2.3-r1/work/gcc-4.2.3/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.2.3 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.2.3/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.2.3/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --enable-multilib --enable-libmudflap --disable-libssp --enable-java-awt=gtk --enable-languages=c,c++,java,treelang --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 4.2.3 (Gentoo Hardened 4.2.3-r1, pie-9.0.7)


mark the:
Quote:
--disable-libssp

<-- it would be great being able to enable it, then my chain of system (security) hardening would be (almost) complete [I'm surely not the only one who'd appreciate that]

paxtest-out on non-hardened profile with hardened glibc & gcc:

paxtest blackhat

Quote:
Mode: blackhat
Linux lexa 2.6.24-zen4_pax-mega #1 SMP PREEMPT Fri Mar 7 23:18:24 CET 2008 x86_64 Intel(R) Core(TM)2 CPU 6600 @ 2.40GHz GenuineIntel GNU/Linux

Executable anonymous mapping : Killed
Executable bss : Killed
Executable data : Killed
Executable heap : Killed
Executable stack : Killed
Executable anonymous mapping (mprotect) : Killed
Executable bss (mprotect) : Killed
Executable data (mprotect) : Killed
Executable heap (mprotect) : Killed
Executable stack (mprotect) : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments : Killed
Anonymous mapping randomisation test : 33 bits (guessed)
Heap randomisation test (ET_EXEC) : 40 bits (guessed)
Heap randomisation test (ET_DYN) : 40 bits (guessed)
Main executable randomisation (ET_EXEC) : 33 bits (guessed)
Main executable randomisation (ET_DYN) : 33 bits (guessed)
Shared library randomisation test : 33 bits (guessed)
Stack randomisation test (SEGMEXEC) : No randomisation
Stack randomisation test (PAGEEXEC) : 40 bits (guessed)
Return to function (strcpy) : Killed
Return to function (memcpy) : Killed
Return to function (strcpy, RANDEXEC) : Killed
Return to function (memcpy, RANDEXEC) : Killed
Executable shared library bss : Killed
Executable shared library data : Killed




Quote:
Exactly; I'm sure if you had a Gentoo box building the whole tree consistently with gcc-4, ssp, grsec, selinux, w/e else, it'd be welcomed.


++

definitely !
the only addition we would need besides kevquinn's approach is support for ssp && of course going portage-tree

see / reference:
http://wiki.debian.org/Hardening
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa

Hardcore Gentoo Linux user since 2004 :D

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Mon Mar 10, 2008 7:40 pm

I think --disable-libssp means "don't make a library out of it, just build fstack-protector directly into gcc." The reason for this, as I understand it, is so that people/distros that want to specify -fstack-protector by default don't have to edit their software's source to include libssp. As an example from a non-hardened profile I have:

Code:

$ cat test.c
#include<stdio.h>
#include<stdlib.h>

void buffer_overflow() {
   long int val = 0;
   char str[29];
   for (val = 0; val < 50; val++) {
      str[val] = 'a';
   }
   printf("%s\n", str);
}

int main ()
{
   buffer_overflow();
   exit (0);
}

Code:

$ gcc -fstack-protector -o test test.c

$ ./test
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaapUq
*** stack smashing detected ***: ./test terminated
Aborted


Code:

gcc -v
Using built-in specs.
Target: x86_64-pc-linux-gnu
Configured with: /var/tmp/portage/sys-devel/gcc-4.1.2/work/gcc-4.1.2/configure --prefix=/usr --bindir=/usr/x86_64-pc-linux-gnu/gcc-bin/4.1.2 --includedir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/include --datadir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2 --mandir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/man --infodir=/usr/share/gcc-data/x86_64-pc-linux-gnu/4.1.2/info --with-gxx-include-dir=/usr/lib/gcc/x86_64-pc-linux-gnu/4.1.2/include/g++-v4 --host=x86_64-pc-linux-gnu --build=x86_64-pc-linux-gnu --disable-altivec --enable-nls --without-included-gettext --with-system-zlib --disable-checking --disable-werror --enable-secureplt --disable-libunwind-exceptions --enable-multilib --enable-libmudflap --disable-libssp --disable-libgcj --enable-languages=c,c++,treelang,fortran --enable-shared --enable-threads=posix --enable-__cxa_atexit --enable-clocale=gnu
Thread model: posix
gcc version 4.1.2 (Gentoo 4.1.2 p1.0.2)


Last edited by XioXouS on Mon Mar 10, 2008 10:02 pm; edited 1 time in total
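
An emulation of the check that -fstack-protector compiles around a function like buffer_overflow() in the post above, added here as an illustration and not part of the original thread. The struct sim_frame layout, the guard and return-address constants and all function names are assumptions made for the example; real frames are laid out by the compiler and the real guard is a per-process random value.

```c
/* Added illustration (not from the thread): emulates the guard check that
 * -fstack-protector wraps around a function with a local char array.
 * A struct stands in for the stack frame so every write stays inside one
 * object and the program has no undefined behaviour. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN     29            /* same size as str[] in the post's test.c */
#define GUARD_VALUE 0x5a3cff00UL  /* constructed; the real guard is random per process */
#define RET_VALUE   0x08048abcUL  /* constructed stand-in for a saved return address */

/* Assumed layout: buffer, then guard, then saved return address, then a
 * few bytes of the caller's frame. Real layouts are chosen by the compiler. */
struct sim_frame {
    char          buf[BUF_LEN];
    unsigned long guard;
    unsigned long saved_ret;
    unsigned char caller[16];
};

struct ssp_report {
    int smashed;        /* 1 if the epilogue found the guard changed */
    int body_completed; /* 1 if the function body ran before the check */
    int ret_intact;     /* 1 if the saved return address is unchanged */
};

/* Number of bytes that can be written from buf[0] before the first byte
 * of the guard is touched (includes alignment padding after buf). */
static size_t guard_offset(void)
{
    return offsetof(struct sim_frame, guard);
}

/* Runs the loop from test.c for nwrites iterations inside the simulated
 * frame and reports what the epilogue check sees. */
static struct ssp_report run_with_guard(size_t nwrites)
{
    struct sim_frame f;
    struct ssp_report r = {0, 0, 0};
    unsigned char *raw = (unsigned char *)&f;
    size_t i;

    memset(&f, 0, sizeof f);

    /* Prologue: the compiler copies the guard into the frame. */
    f.guard = GUARD_VALUE;
    f.saved_ret = RET_VALUE;

    /* Body: str[val] = 'a' with no bound on val. Clamped to the struct
     * size only so that the simulation itself stays in bounds. */
    if (nwrites > sizeof f)
        nwrites = sizeof f;
    for (i = 0; i < nwrites; i++)
        raw[i] = 'a';
    r.body_completed = 1;   /* nothing is checked until the function returns */

    /* Epilogue: compare the guard before the return address is used.
     * A real build calls __stack_chk_fail() here, which aborts. */
    r.smashed = (f.guard != GUARD_VALUE);
    r.ret_intact = (f.saved_ret == RET_VALUE);
    return r;
}

static void show(const char *label, size_t nwrites)
{
    struct ssp_report r = run_with_guard(nwrites);
    printf("%-28s writes=%2lu body_ran=%d ret_intact=%d -> %s\n",
           label, (unsigned long)nwrites, r.body_completed, r.ret_intact,
           r.smashed ? "stack smashing detected" : "return normally");
}

int main(void)
{
    show("in bounds", BUF_LEN);
    show("overflow into padding only", guard_offset());
    show("first guard byte hit", guard_offset() + 1);
    show("loop from test.c", 50);
    return 0;
}
```

The body_ran=1 column corresponds to the output in the post, where the string of a's is printed before the abort message: the guard is compared in the function epilogue, not at the moment of the write. An overflow that stops in the padding before the guard goes unnoticed by this check.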

Xake
Guru

Joined: 11 Feb 2004
Posts: 588
Location: Göteborg, the rainy part of scandinavia

Posted: Mon Mar 10, 2008 7:44 pm

XioXouS wrote:
I'll see what I can do about that box. I was originally thinking just a vm, but I have an old server (P4) sitting around that I can put on a different vlan that would work for this. I'll chime back in probably tomorrow about this.


I think there are some computers (I have at least two P4s) that can just crunch stuff, either as a whole installation or as chroots/VMs.... I do not think testing is the biggest problem.
And here comes the problem when information does not enter 'the wild' as it may should. kevquinn created an overlay, but if it was something internal between toolchain and hardened about a probable implementation, or if it was meant to be tested 'in the wild' is hard to tell.
If it is only a matter of keeping that overlay updated (i.e. resync eclasses and so on against mainline) and test it massively for a future inclusion into the mainline tree, then there might not be that much work that needs to be done. But if it needs to be reworked partly/as whole, that seems to be information that may be hard to obtain.

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Tue Mar 11, 2008 7:06 pm

After more research, I agree, computers and testing are not what's required. There's been lots of both. A knowledgeable and willing developer to maintain it is what's required. I don't have the first part, otherwise I'd volunteer. I think at this point my efforts are better spent tackling bugs than providing a box for hardened gcc-4.x.

steveL
Watchman

Joined: 13 Sep 2006
Posts: 5153
Location: The Peanut Gallery

Posted: Wed Mar 12, 2008 10:28 am

XioXouS wrote:
After more research, I agree, computers and testing are not what's required. There's been lots of both. A knowledgeable and willing developer to maintain it is what's required. I don't have the first part, otherwise I'd volunteer. I think at this point my efforts are better spent tackling bugs than providing a box for hardened gcc-4.x.

Hmm I don't run hardened, but from my understanding there's no support for gcc-4. If you know it can be made to work, surely providing an overlay with working ebuilds (at least on your arch) is the way to demonstrate that?

This bug would be the one to sort out (the last couple are RAM shortage.)

XioXouS
n00b

Joined: 01 Apr 2005
Posts: 59

Posted: Wed Mar 12, 2008 11:24 am

There already is an overlay: http://overlays.gentoo.org/dev/kevquinn/browser/hardened/toolchain/branches/pieworld
The issue is that no one is willing _and_ capable of maintaining it for portage. To be honest it's not that big of a deal, most everything works with hardened gcc-3. My thought was simply that there was this disconnect that may not need to be there.

I'm currently working on bug #197521. I'll take a look at that other one later.

All times are GMT. Page 1 of 30.