On 04/19/2012 08:26 AM, Mitch Harder wrote:
On Thu, Apr 19, 2012 at 6:38 AM, Fabio Erculiani <[email protected]> wrote:
Hardened GCC (4.6 for now, 4.5 and 4.4 are coming) and Glibc are now
in sabayon-limbo.

# readelf -h /usr/lib/libutil.so | grep Type
  Type:                              DYN (Shared object file)

Now the question is: what pkgs should be compiled with hardened flags?


I'm confused by your readelf. All shared objects, hardened or not, are marked ET_DYN in their elf header. Look at

   http://www.trapkit.de/tools/checksec.html

for how to check what's hardened and what's not.

The suid binaries would be a great place to start.

I've run across two methods to identify the suid binaries.

This method is really fast, and checks everywhere:
qfile $(scanelf -O 4711 -p -F%F -B)

Another method which makes a targeted scan of specific directories is:
find <directory> -perm +06000 -type f | xargs equery b

For example:
find /sbin/ -perm +06000 -type f | xargs equery b

I've found each method may give slightly different results.

*** IMPORTANT ***

The x11-base/xorg-server package will be tagged as an suid binary package.

We probably want to save that package for a separate round of 'hardened'.

I've tested running hardened x11-base/xorg-server on x86 with nvidia
proprietary drivers and on x86_64 with intel xorg drivers.  Both
worked very well.

However, in the case of the nvidia drivers on x86, the nvidia driver
replaces much of the xorg-server code, so I can't say I really tested
the performance impact.

The rest of the suid binary packages are the types of packages that
will not affect the overall speed of the system (assuming there even
is an impact).



In order of priority:

1) Harden the core libraries.  The ones that are provided by base.

2) Harden the important binaries, again the ones provided by base.

3) Harden the setuids, which are probably all part of 2.

If you do 3 without doing 1, you will have issues.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [email protected]
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
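
Added example, not part of the thread and not checksec.sh: a small ELF header reader that reports the same markers checksec looks for (NX stack, RELRO/BIND_NOW, PIE, a stack-canary reference), plus a setuid/setgid finder in the spirit of the `find -perm` command above. It makes the point from the readelf discussion concrete: ET_DYN is shared by libraries and PIE executables, so the check has to look for the PT_INTERP segment. `synthetic_elf()` builds a constructed headers-only image so the parser can be exercised without a real binary; the canary test is the same byte-string heuristic checksec uses and is not a proof.

```python
#!/usr/bin/env python3
"""Report the hardening markers checksec looks for by reading ELF headers directly,
and optionally locate setuid/setgid files to feed into it.  Added example, not checksec.sh."""
import os
import stat
import struct
import sys

ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC, PT_INTERP = 2, 3
PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X = 1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1


def inspect_elf(data):
    """Return hardening properties of the ELF image `data` (bytes); 32- or 64-bit, either endianness."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2
    end = "<" if data[5] == 1 else ">"
    ehdr = struct.unpack_from(end + ("16sHHIQQQIHHHHHH" if is64 else "16sHHIIIIIHHHHHH"), data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    phdrs = []  # (p_type, p_flags, p_offset, p_filesz)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:
            p_type, p_flags, p_off, _, _, p_filesz, _, _ = struct.unpack_from(end + "IIQQQQQQ", data, off)
        else:
            p_type, p_off, _, _, p_filesz, _, p_flags, _ = struct.unpack_from(end + "IIIIIIII", data, off)
        phdrs.append((p_type, p_flags, p_off, p_filesz))
    types = {p[0] for p in phdrs}
    # ET_DYN alone says nothing: shared libraries and PIE executables both use it.
    # The PT_INTERP segment is what marks a dynamically linked executable (static-pie lands under "shared object").
    if e_type == ET_DYN:
        kind = "pie executable" if PT_INTERP in types else "shared object"
    elif e_type == ET_EXEC:
        kind = "executable (not PIE)"
    else:
        kind = "other"
    # NX: a PT_GNU_STACK header without PF_X.  No such header means an executable stack on older kernels.
    nx = any(t == PT_GNU_STACK and not (f & PF_X) for t, f, _, _ in phdrs)
    # BIND_NOW in the dynamic section turns partial RELRO into full RELRO (GOT read-only after relocation).
    bind_now = False
    dyn_fmt = end + ("qQ" if is64 else "iI")
    dyn_size = struct.calcsize(dyn_fmt)
    for t, _, p_off, p_filesz in phdrs:
        if t != PT_DYNAMIC:
            continue
        for off in range(p_off, p_off + p_filesz - dyn_size + 1, dyn_size):
            tag, val = struct.unpack_from(dyn_fmt, data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                bind_now = True
    relro = "full" if PT_GNU_RELRO in types and bind_now else "partial" if PT_GNU_RELRO in types else "none"
    # Same heuristic checksec uses: a canary-protected binary references __stack_chk_fail in its symbol tables.
    return {"class": 64 if is64 else 32, "kind": kind, "nx": nx, "relro": relro,
            "canary": b"__stack_chk_fail" in data}


def inspect_file(path):
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def find_setuid(root):
    """Yield regular files under `root` carrying the setuid or setgid bit, staying on one filesystem."""
    root_dev = os.lstat(root).st_dev
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.lstat(os.path.join(dirpath, d)).st_dev == root_dev]
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                yield p


def synthetic_elf(e_type=ET_DYN, interp=True, exec_stack=False, relro=True, bind_now=True):
    """Constructed 64-bit little-endian image with only headers and a dynamic section; not loadable, demo only."""
    segs = []  # (p_type, p_flags, p_offset, p_filesz)
    if interp:
        segs.append((PT_INTERP, 4, 0, 0))
    segs.append((PT_GNU_STACK, 6 | (PF_X if exec_stack else 0), 0, 0))
    if relro:
        segs.append((PT_GNU_RELRO, 4, 0, 0))
    dyn = struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW if bind_now else 0) + struct.pack("<qQ", DT_NULL, 0)
    phnum = len(segs) + 1
    segs.append((PT_DYNAMIC, 6, 64 + 56 * phnum, len(dyn)))  # dynamic section follows the program headers
    ident = b"\x7fELF\x02\x01\x01" + b"\0" * 9  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, o, 0, 0, n, n, 8) for t, f, o, n in segs)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    paths = sys.argv[1:]
    if len(paths) > 1 and paths[0] == "--setuid":  # e.g. --setuid /sbin
        paths = list(find_setuid(paths[1]))
    for p in paths:
        try:
            r = inspect_file(p)
        except (OSError, ValueError) as e:
            print(f"{p}: skipped ({e})")
            continue
        print(f"{p}: {r['kind']}, elf{r['class']}, NX={'yes' if r['nx'] else 'no'}, "
              f"RELRO={r['relro']}, canary={'yes' if r['canary'] else 'no'}")
```

`python3 elfcheck.py /usr/lib/libutil.so /bin/su` reports each file, and `python3 elfcheck.py --setuid /sbin` walks a directory the way the `find -perm` pipeline above does and reports every setuid/setgid file it finds; pair the paths with `equery b` or `qfile` to map them back to packages.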

