On Thu, Apr 19, 2012 at 6:38 AM, Fabio Erculiani <[email protected]> wrote:
> Hardened GCC (4.6 for now, 4.5 and 4.4 are coming) and Glibc are now
> in sabayon-limbo.
>
> # readelf -h /usr/lib/libutil.so | grep Type
> Type: DYN (Shared object file)
>
> Now the question is: what pkgs should be compiled with hardened flags?
>
The suid binaries would be a great place to start. I've run across two methods to identify the suid binaries.

This method is really fast, and checks everywhere:

    qfile $(scanelf -O 4711 -p -F%F -B)

Another method which makes a targeted scan of specific directories is:

    find <directory> -perm +06000 -type f | xargs equery b

For example:

    find /sbin/ -perm +06000 -type f | xargs equery b

I've found each method may give slightly different results.

*** IMPORTANT ***

The x11-base/xorg-server package will be tagged as an suid binary package. We probably want to save that package for a separate round of 'hardened'. I've tested running hardened x11-base/xorg-server on x86 with nvidia proprietary drivers and on x86_64 with intel xorg drivers. Both worked very well. However, in the case of the nvidia drivers on x86, the nvidia driver replaces much of the xorg-server code, so I can't say I really tested the performance impact.

The rest of the suid binary packages are the types of packages that will not affect the overall speed of the system (assuming there even is an impact).
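As an added example (not from this thread or from Sabayon), the two checks above folded into one audit: walk a directory tree, pick out setuid/setgid regular files, and read each file's ELF e_type directly, which is the same field `readelf -h | grep Type` prints, so the script needs neither scanelf nor readelf on the box. The `make_elf_header` helper is a constructed sample for testing, and treating ET_EXEC as "not built PIE, candidate for the hardened toolchain" is my reading of the thread, not Gentoo's own tooling.

```python
import os
import stat
import struct

ELF_MAGIC = b"\x7fELF"
# e_type values from the ELF spec; readelf prints the same names.
ELF_TYPES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}


def elf_type(header: bytes) -> str:
    """Return the e_type name of an ELF header (what `readelf -h` shows as Type)."""
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        return "NOT_ELF"
    # EI_DATA (byte 5): 1 = little endian, 2 = big endian. e_type sits at
    # offset 16 for both ELF32 and ELF64.
    endian = "<" if header[5] == 1 else ">"
    (e_type,) = struct.unpack(endian + "H", header[16:18])
    return ELF_TYPES.get(e_type, "UNKNOWN(%d)" % e_type)


def is_setid(st) -> bool:
    """True for a regular file carrying the setuid or setgid bit."""
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def audit_setid(root: str):
    """Walk root and return (path, elf type) for every setuid/setgid regular file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: symlinks themselves never count
                if not is_setid(st):
                    continue
                with open(path, "rb") as f:
                    results.append((path, elf_type(f.read(18))))
            except OSError:
                continue  # unreadable or vanished file; skip it
    return results


def needs_hardening(results):
    """Setuid/setgid ELF binaries still linked as ET_EXEC, i.e. not PIE."""
    return [path for path, kind in results if kind == "EXEC"]


def make_elf_header(e_type: int, bits: int = 64, little: bool = True) -> bytes:
    """Constructed sample header (e_ident + e_type + e_machine) for testing."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1 if little else 2, 1]) + b"\x00" * 9
    return ident + struct.pack(("<" if little else ">") + "HH", e_type, 0x3E)


if __name__ == "__main__":
    for path, kind in audit_setid("/usr"):
        print("%-40s %s" % (path, kind))
```

Run it as root against the directories of interest; anything reported as EXEC is a setuid binary the hardened (PIE) toolchain has not yet produced.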
