Securing Gentoo with cflags and ldflags

Post by kernelOfTruth » Mon Aug 07, 2006 9:38 pm

Hi there,

Since gcc 4.0 and 4.1 (still) don't support profiles, I am trying to secure my system without the hardened use-flag (I had trouble with hardened Gentoo) but with some other use-flags, cflags and ldflags.

I use the following flags and have some questions:

CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=1"
==> Would it do much harm to the system to change the setting to "2" (modifying all apps?!)?

LDFLAGS="-Wl,-z,relro -Wl,-z,combreloc"

USEFLAGS="pic" (and more; I've had bad experiences with pie, some applications such as xorg-server/xorg-x11 didn't run)

I've found the following cflag on the net: "-DG_DISABLE_ASSERT". What does it actually do?

Thanks in advance for your input :)
https://github.com/kernelOfTruth/ZFS-fo ... scCD-4.9.0
https://github.com/kernelOfTruth/pulsea ... zer-ladspa

Hardcore Gentoo Linux user since 2004 :D
Post by lnxz » Tue Aug 08, 2006 1:58 pm

AFAIK the main downside of FORTIFY_SOURCE is a minor decrease in performance because of the extra run time checks. Also, I believe some broken applications might refuse to work/compile, but I'm not certain, as I've never used it.

-Wl,-z,combreloc is enabled by default, I think, but you might be interested in looking into -Wl,-z,now.

-DG_DISABLE_ASSERT is a preprocessor option that, judging by the name, omits assert calls in the code.
assert is used to catch conditions which should not occur, and is mainly used for debugging. Granted that the developers tested the code prior to releasing it, doing a lot of assertions is utterly useless for the end user, since they should never fail in any case.
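Added example (written for this page; it is not code from any poster in the thread or from Gentoo): a small Python script that checks whether the flags discussed above actually ended up in a built binary, by parsing the output of GNU binutils' `readelf`. It reports the RELRO level (partial with `-Wl,-z,relro`, full once `-Wl,-z,now` adds BIND_NOW), whether the executable is PIE, and which libc calls `_FORTIFY_SOURCE` rewrote into `__*_chk` variants. The `readelf` output embedded below is constructed for a hypothetical binary; the function names, the regular expressions and the `audit_file` helper are my own, and the only real tool assumed is `readelf`.

```python
"""Audit an ELF binary's hardening flags from readelf output."""
import re
import subprocess
import sys

# Constructed readelf output for a hypothetical binary built with
# -O2 -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro -Wl,-z,now (not a real file).
SAMPLE_HEADER = """ELF Header:
  Class:                             ELF64
  Type:                              DYN (Position-Independent Executable file)
"""
SAMPLE_PROGRAM_HEADERS = """Program Headers:
  Type           Offset   VirtAddr           PhysAddr           FileSiz  MemSiz   Flg Align
  PHDR           0x000040 0x0000000000000040 0x0000000000000040 0x0002d8 0x0002d8 R   0x8
  LOAD           0x000000 0x0000000000000000 0x0000000000000000 0x000628 0x000628 R   0x1000
  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002db8 0x0000000000003db8 0x0000000000003db8 0x000248 0x000248 R   0x1
"""
SAMPLE_DYNAMIC = """Dynamic section at offset 0x2dc8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE
 0x0000000000000000 (NULL)               0x0
"""
SAMPLE_DYNSYMS = """Symbol table '.dynsym' contains 8 entries:
   Num:    Value          Size Type    Bind   Vis      Ndx Name
     0: 0000000000000000     0 NOTYPE  LOCAL  DEFAULT  UND
     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __strcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND strlen@GLIBC_2.2.5 (4)
"""


def relro_level(program_headers, dynamic):
    """'none' without a GNU_RELRO segment (-z relro missing), 'partial' with it,
    'full' when the dynamic section also carries BIND_NOW (-z now): the GOT is
    then resolved at load time and made read-only before main() runs."""
    if not re.search(r"^\s*GNU_RELRO\b", program_headers, re.M):
        return "none"
    bind_now = (re.search(r"\(FLAGS\)\s+.*\bBIND_NOW\b", dynamic)
                or re.search(r"\(FLAGS_1\)\s+.*\bNOW\b", dynamic))
    return "full" if bind_now else "partial"


def is_pie(header, dynamic):
    """ELF type DYN plus the PIE flag in FLAGS_1: the executable itself is
    position-independent. Older linkers do not set the PIE flag, so this can
    report a false negative on binaries from old toolchains."""
    is_dyn = re.search(r"^\s*Type:\s+DYN\b", header, re.M) is not None
    pie_flag = re.search(r"\(FLAGS_1\)\s+.*\bPIE\b", dynamic) is not None
    return is_dyn and pie_flag


def fortified_calls(dynsyms):
    """Undefined __*_chk imports prove FORTIFY_SOURCE rewrote at least one libc
    call. __stack_chk_fail is the stack protector, not FORTIFY, so it is excluded
    by requiring the name to end exactly in _chk."""
    return sorted(set(re.findall(r"\bUND\s+(__\w+_chk)\b", dynsyms)))


def audit(header, program_headers, dynamic, dynsyms):
    """Combine the three checks into one report dictionary."""
    return {
        "relro": relro_level(program_headers, dynamic),
        "pie": is_pie(header, dynamic),
        "fortify_symbols": fortified_calls(dynsyms),
    }


def audit_file(path):
    """Live mode: runs readelf (GNU binutils) on a real file."""
    def rd(*flags):
        proc = subprocess.run(["readelf", "-W", *flags, path],
                              capture_output=True, text=True, check=True)
        return proc.stdout
    return audit(rd("-h"), rd("-l"), rd("-d"), rd("--dyn-syms"))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        result = audit_file(sys.argv[1])
    else:
        result = audit(SAMPLE_HEADER, SAMPLE_PROGRAM_HEADERS,
                       SAMPLE_DYNAMIC, SAMPLE_DYNSYMS)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it without arguments to audit the constructed sample, or pass the path of a binary to inspect a real file. An empty `fortify_symbols` list is not proof that `_FORTIFY_SOURCE` was off: the checks are only emitted for calls whose destination buffer size the compiler can see, and only when optimisation (-O1 or higher) is on. `-z combreloc` (which only sorts relocations) and `G_DISABLE_ASSERT` (which removes GLib's `g_assert()` checks at compile time) leave no trace this script can observe.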
Post by kernelOfTruth » Wed Aug 09, 2006 9:00 am

Thanks!

OK, now I rebuilt my system with -D_FORTIFY_SOURCE=2 and the only ebuild which failed was python; I hope there will soon be a fix for this.

-Wl,-z,now looks interesting; I think I will use it with the hardened toolchain. By using cheater conrad's gcc-overlay from his conrad installation 3.0.1 (http://forums.gentoo.org/viewtopic-t-48 ... onrad.html) I was able to build gcc-4.1.1 with profiles.

do ati-drivers and nvidia-drivers / nvidia-kernel now work with hardened gentoo?

I've read in an earlier FAQ that it was / is necessary to build the kernel, xorg-x11/-server and ati-drivers with vanilla gcc; is that still correct?

Are there many packages known to fail with the hardened toolchain?

Thanks for your input ...
Post by allotment » Fri Sep 01, 2006 6:49 am

> USEFLAGS="pic" (and more; I've had bad experiences with pie, some applications such as xorg-server/xorg-x11 didn't run)
Going to do my first Gentoo install soon.
From the doc I understand Xorg must be compiled statically (same for xorg-server? are we talking about different things here?)

Code Listing 2.1: Install Statically Linked Xorg (to avoid elfloader problem)
echo "x11-base/xorg-x11 static" >> /etc/portage/package.use
emerge x11-base/xorg-x11
> do ati-drivers and nvidia-drivers / nvidia-kernel now work with hardened gentoo?
I understand PaX does not, but you can disable PaX on a given application

All this is theoretical knowledge; hope it helps.
Post by kernelOfTruth » Thu Sep 07, 2006 2:12 pm

@allotment:
Thanks! :D

I have this working here on a laptop & workstation (with proprietary nvidia & ati-drivers)

I think the only difference from the conventional way is that I'm not using the hardened profile, but the hardened toolchain (gcc, glibc, hardened useflag, -D_FORTIFY_SOURCE=2).

xorg-x11 / xorg-server should work fine now with hardened, since dlloader is now standard and elfloader deprecated ...

I have parts of PaX & grsecurity activated, too & had no problems so far ... (running 2.6.17-emission8)