Re: [gentoo-user] Switching to hardened
Willie Wong wrote Wonko:

On Mon, Feb 11, 2008 at 11:24:49PM +0100, Penguin Lover Alex Schuster squawked:

I emerged -e again, this time without distcc and ccache. All compiled fine, except for media-video/mplayer-1.0_rc2_p24929-r1 (vf_decimate.c:26: error: can't find a register in class `BREG' while reloading `asm') and

http://bugs.gentoo.org/show_bug.cgi?id=175627 Like you found below, it can be avoided using vanilla GCC.

That is why I still only have mplayer-1.0_rc1-r2, that one compiled okay.

Isn't that the version with those many security holes? But then, looking at http://www.mplayerhq.hu/design7/news.html, it seems that all versions pre r25824 have some.

x11-misc/xscreensaver-5.04: lockward.c:59: error: syntax error before uint8_t

Not a problem with hardened. http://bugs.gentoo.org/show_bug.cgi?id=208731 Meanwhile, downgrade to 5.03, that one works.

Thanks!

But most annoying is that the nvidia drivers do not seem to work.

First, what card and which drivers?

01:00.0 VGA compatible controller: nVidia Corporation NV15 [GeForce2 GTS/Pro] (rev a4)

I have nvidia drivers version 71.86.01 running now. I also re-compiled xorg-server, with vanilla gcc, GLX is running fine again, and I am happy.

I have an old card that is not supported by drivers = 1.0.9700, so ... scratch that, I didn't notice that the versioning scheme changed. http://www.gentoo.org/doc/en/nvidia-guide.xml

they refused to compile telling me that this would do more harm than good with a hardened setup. I put them into packages.unmask, now they compile and the nvidia module loads, but still X has no GLX, xorg.0.log says Failed to initialize GLX extension (NVIDIA X driver not found),

This really does not sound like a hardened issue... I need to upgrade my drivers to the 96.* to see if I can reproduce your problem, but with 1.0.8776 (from two years ago) I definitely do not have your problem.

Maybe I'll try again with hardened then. My experience with nvidia is that it makes LOTS of trouble. This, and VMware, often made kernel updates a real pain for me. I often got those errors before, with the desktop profile, on different machines.

glxinfo segfaults. I guess I will try to re-compile all X stuff with the vanilla gcc.

glxinfo segfaulting is expected. Do you have chpax/paxctl installed?

No, not yet. I must admit I do not know much about hardened yet, but I want to play around with it and get some experience, so I started with preparing the setup by setting the hardened profile and switching to a hardened kernel.

I have my entire system on the hardened profile (including X and nvidia [yes, despite the warnings of the hardened team about nvidia]) and no problems. My guess is that your problem with GLX lies somewhere else.

That's good to hear! So I will stick with hardened.

Would it be possible to make these changes permanent, that is, can I tell portage to compile specific packages with a specific compiler? /etc/portage/package.compilerflavor or something?

Don't know. On the wiki there is a way to switch CFLAGS, don't know if something like that can be used to strip SSP and/or PIC flags from the hardened.

I don't find this information there, I guess I did not look hard enough. But there is /etc/portage/bashrc, I can put a little script in there, stripping those flags for the given packages. No problem.

Thanks again,
Wonko

-- gentoo-user@lists.gentoo.org mailing list
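Along the lines of the /etc/portage/bashrc idea above, an added example (not from the thread, and not Gentoo's own code): a hook that, for a constructed list of packages, strips the SSP/PIE flags from CFLAGS/CXXFLAGS and passes the flags that switch them off, so only those packages build as if with the vanilla gcc. It assumes the hardened gcc spec of that era accepts -fno-stack-protector and -nopie, and that Portage exports EBUILD_PHASE, CATEGORY and PN when it sources bashrc.

```shell
#!/bin/bash
# /etc/portage/bashrc hook (added example): for a fixed list of packages,
# drop the flags that enable the hardened toolchain's SSP/PIE and append
# the ones that turn its defaults off.
# Assumed: hardened gcc accepts -fno-stack-protector and -nopie; Portage
# exports EBUILD_PHASE, CATEGORY and PN when sourcing this file.

# Constructed list of packages the thread reports as failing under hardened gcc.
HARDENED_EXCEPTIONS="media-video/mplayer x11-misc/xaos x11-drivers/nvidia-drivers"

# Succeed when "$1" (CATEGORY/PN) is on the exception list.
is_hardened_exception() {
    local pkg
    for pkg in $HARDENED_EXCEPTIONS; do
        [ "$pkg" = "$1" ] && return 0
    done
    return 1
}

# Print "$1" with SSP/PIE-enabling flags removed and the disabling flags
# appended last, so they take precedence over anything earlier on the line.
strip_hardened_flags() {
    local out="" f
    for f in $1; do
        case "$f" in
            -fstack-protector*|-fPIE|-fpie|-pie) ;;   # drop
            -fno-stack-protector|-nopie) ;;          # re-added below
            *) out="$out $f" ;;
        esac
    done
    out="$out -fno-stack-protector -nopie"
    printf '%s\n' "${out# }"
}

# Portage sources this file in every ebuild phase; only act while compiling,
# and only for the listed packages, so the rest of the system stays hardened.
if [ "${EBUILD_PHASE:-}" = "compile" ] && is_hardened_exception "${CATEGORY:-}/${PN:-}"; then
    CFLAGS=$(strip_hardened_flags "${CFLAGS:-}")
    CXXFLAGS=$(strip_hardened_flags "${CXXFLAGS:-}")
    export CFLAGS CXXFLAGS
    echo "bashrc: hardened SSP/PIE disabled for ${CATEGORY}/${PN}: CFLAGS=${CFLAGS}" >&2
fi
```

Everything not on the list keeps the hardened defaults, which is the trade-off to watch: each package added here is one more binary without stack protection or PIE.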
Re: [gentoo-user] Switching to hardened
Eric Martin writes:

Dan Farrell wrote:

You might consider building packages but not installing them -- I think could use --buildpkgonly (aka -B) to achieve this end. If the world emerge with a -B flag finishes successfully, I think that means all packages were built and you are ready to emerge world with --usepkgonly (-K) without having to worry about build-time issues that could cause conflicting packages on the system. But what does everyone else think?

I like it. The only problem is it might not work in some situations where you need program A to compile program B (kde4 requires qt4). I've never gone from a non-hardened system - hardened though so take my comments with a grain of salt. This could also work on other tricky upgrades.

Nice idea. Maybe next time... I already had started the migration. And screwed up. I forgot about distcc being active, so some other boxes helped in compiling, but they do not have the hardened profile, and thus no hardened gcc. So, in fact nothing was compiled on the local machine.

I emerged -e again, this time without distcc and ccache. All compiled fine, except for media-video/mplayer-1.0_rc2_p24929-r1 (vf_decimate.c:26: error: can't find a register in class `BREG' while reloading `asm') and net-nntp/pan-0.132-r1, which claims to need about 300 more megabytes of memory to compile. I did not reboot yet as I am not near the machine, but so far things work well. Mplayer is not needed on that machine anyway.

I then decided to harden my desktop PC, too. I want to get some experience with the hardened setup, and I want that machine to be able to act as a distcc server for another hardened machine which will be set up soon. Here, also mplayer and some more packages failed.

x11-misc/xaos-3.2: i386.c: In function `_control87': i386.c:31: error: PIC register `bx' clobbered in `asm'
Solved by using the vanilla gcc.

x11-misc/xscreensaver-5.04: lockward.c:59: error: syntax error before uint8_t

app-emulation/dosemu-1.3.3: vga.c: In function `pcivga_init': vga.c:493: error: `PCI_CLASS_DISPLAY_VGA' undeclared (first use in this function)

mplayer: compiles with vanilla gcc.

But most annoying is that the nvidia drivers do not seem to work. First, they refused to compile telling me that this would do more harm than good with a hardened setup. I put them into packages.unmask, now they compile and the nvidia module loads, but still X has no GLX, xorg.0.log says Failed to initialize GLX extension (NVIDIA X driver not found), glxinfo segfaults. I guess I will try to re-compile all X stuff with the vanilla gcc.

Would it be possible to make these changes permanent, that is, can I tell portage to compile specific packages with a specific compiler? /etc/portage/package.compilerflavor or something?

If this makes things complicated, I think I will go back to a normal setup at least for my desktop machine. The hardened gcc will stay for distcc purposes (I will run two distccs on different ports, one for the hardened, one for the vanilla gcc), but I prefer to have a system which will run OpenGL.

Wonko

-- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Switching to hardened
On Wed, 30 Jan 2008 11:49:48 +0100 Alex Schuster [EMAIL PROTECTED] wrote:

Dan Farrell writes:

Alex Schuster [EMAIL PROTECTED] wrote:

I want to harden the gentoo running on my little server, but I'm a little worried about possible problems. Like, services not coming up when rebooting after an emerge -e world. Do you see any possibility for that?

Absolutely. These problems can be overcome with a little attention, but outdated config files that were not updated with dispatch-conf or etc-update might not work with newer versions of software.

Sure. But the system is up to date, emerge -uN world gives nothing. It's only the re-compiling of everything with a hardened gcc that worries me a little. If something might go wrong there, I would wait with re-compiling until I know I have physical access to the machine for a while, while most of the time I am away some 100 km from it.

I must admit that I should know more about the hardened stuff, but I thought I'd start with the preparations. Configuring things like Pax would come later, when emerge -e world has finished on this slow machine (and when I have read all the howtos).

Wonko

You might consider building packages but not installing them -- I think could use --buildpkgonly (aka -B) to achieve this end. If the world emerge with a -B flag finishes successfully, I think that means all packages were built and you are ready to emerge world with --usepkgonly (-K) without having to worry about build-time issues that could cause conflicting packages on the system. But what does everyone else think?

-- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Switching to hardened
Dan Farrell wrote:

You might consider building packages but not installing them -- I think could use --buildpkgonly (aka -B) to achieve this end. If the world emerge with a -B flag finishes successfully, I think that means all packages were built and you are ready to emerge world with --usepkgonly (-K) without having to worry about build-time issues that could cause conflicting packages on the system. But what does everyone else think?

I like it. The only problem is it might not work in some situations where you need program A to compile program B (kde4 requires qt4). I've never gone from a non-hardened system - hardened though so take my comments with a grain of salt. This could also work on other tricky upgrades.

-- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Switching to hardened
Dan Farrell writes:

Alex Schuster [EMAIL PROTECTED] wrote:

I want to harden the gentoo running on my little server, but I'm a little worried about possible problems. Like, services not coming up when rebooting after an emerge -e world. Do you see any possibility for that?

Absolutely. These problems can be overcome with a little attention, but outdated config files that were not updated with dispatch-conf or etc-update might not work with newer versions of software.

Sure. But the system is up to date, emerge -uN world gives nothing. It's only the re-compiling of everything with a hardened gcc that worries me a little. If something might go wrong there, I would wait with re-compiling until I know I have physical access to the machine for a while, while most of the time I am away some 100 km from it.

I must admit that I should know more about the hardened stuff, but I thought I'd start with the preparations. Configuring things like Pax would come later, when emerge -e world has finished on this slow machine (and when I have read all the howtos).

Wonko

-- gentoo-user@lists.gentoo.org mailing list
[gentoo-user] Switching to hardened
Hi there!

I want to harden the gentoo running on my little server, but I'm a little worried about possible problems. Like, services not coming up when rebooting after an emerge -e world. Do you see any possibility for that?

I followed the guide at http://rockfloat.com/howto/gentoo-hardened.html (activate hardened profile, enable some kernel options and build new hardened kernel, emerge binutils gcc virtual/libc), and added -fforce-addr to my CFLAGS. I then switched back to gcc 3.4 from gcc 4 with gcc-config, and now I should do the emerge -e world. I guess this is quite safe?

Wonko

-- gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Switching to hardened
On Wed, 30 Jan 2008 04:19:08 +0100 Alex Schuster [EMAIL PROTECTED] wrote:

I want to harden the gentoo running on my little server, but I'm a little worried about possible problems. Like, services not coming up when rebooting after an emerge -e world. Do you see any possibility for that?

Absolutely. These problems can be overcome with a little attention, but outdated config files that were not updated with dispatch-conf or etc-update might not work with newer versions of software.

-- gentoo-user@lists.gentoo.org mailing list