On 04/19/2012 09:01 AM, Fabio Erculiani wrote:
On Thu, Apr 19, 2012 at 2:47 PM, Anthony G. Basile <[email protected]> wrote:
On 04/19/2012 08:26 AM, Mitch Harder wrote:
On Thu, Apr 19, 2012 at 6:38 AM, Fabio Erculiani <[email protected]> wrote:
Hardened GCC (4.6 for now, 4.5 and 4.4 are coming) and Glibc are now
in sabayon-limbo.
# readelf -h /usr/lib/libutil.so | grep Type
Type: DYN (Shared object file)
Now the question is: what pkgs should be compiled with hardened flags?
I'm confused by your readelf. All shared objects, hardened or not, are
marked ET_DYN in their elf header. Look at
http://www.trapkit.de/tools/checksec.html
for how to check what's hardened and what's not.
Yes, you're right. Forgive me. I guess Mitch was talking about ELF
executables and not shared libraries.
Correct.
On hardened:
# readelf -h /bin/ls | grep Type
Type: DYN (Shared object file)
On vanilla:
# readelf -h /bin/ls | grep Type
Type: EXEC (Executable file)
But this is just PIE. For SSP check for the __stack_chk_fail symbol:
readelf -s /bin/ls | grep __stack_chk_fail
You will see it there on hardened, but not vanilla. For
_FORTIFY_SOURCES=2 it's a bit more involved since you need to look at the
various functions in glibc, so just use Tobias's script.
In order of priority:
1) Harden the core libraries. The ones that are provided by base.
2) Harden the important binaries, again the ones provided by base.
3) Harden the setuids, which are probably all part of 2.
If you do 3 without doing 1, you will have issues.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : [email protected]
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
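The checks discussed in this thread (e_type for PIE, the __stack_chk_fail import for SSP, the glibc *_chk entry points for FORTIFY) as an added Python script; it is not part of the thread and is not Tobias's script. It assumes 64-bit ELF input, and the sample headers at the bottom are constructed for a self-test.

```python
import struct
import sys

ET_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}
SHT_DYNSYM = 11


def inspect_elf(data: bytes) -> dict:
    """Report e_type, SSP and FORTIFY indicators for a 64-bit ELF image.

    As the thread notes, ET_DYN only says "PIE" for an executable: every
    shared object is ET_DYN, so the e_type of a .so tells you nothing.
    """
    if data[:4] != b"\x7fELF" or data[4] != 2:      # EI_CLASS 2 = ELFCLASS64
        raise ValueError("not a 64-bit ELF image")
    end = "<" if data[5] == 1 else ">"               # EI_DATA 1 = little endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    e_shoff, = struct.unpack_from(end + "Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from(end + "HH", data, 0x3A)
    # Section header fields: name, type, flags, addr, offset, size,
    # link, info, addralign, entsize (64 bytes each in ELF64).
    sections = [struct.unpack_from(end + "IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
                for i in range(e_shnum)]
    names = []
    for sh in sections:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab = sections[sh[6]]                     # sh_link points at .dynstr
        for off in range(sh[4], sh[4] + sh[5], sh[9] or 24):
            st_name, = struct.unpack_from(end + "I", data, off)
            start = strtab[4] + st_name
            names.append(data[start:data.index(b"\0", start)].decode())
    return {
        "e_type": ET_NAMES.get(e_type, str(e_type)),
        "ssp": "__stack_chk_fail" in names,          # -fstack-protector lands this import
        "fortify": sorted(n for n in names if n.endswith("_chk")),  # __memcpy_chk etc.
    }


def inspect_file(path: str) -> dict:
    with open(path, "rb") as f:
        return inspect_elf(f.read())


def sample_header(e_type: int) -> bytes:
    """Constructed 64-byte ELF64 header with no sections (self-test input)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LSB, EV_CURRENT
    return ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0x400000,
                               0x40, 0, 0, 64, 56, 0, 64, 0, 0)


if __name__ == "__main__":
    for path in sys.argv[1:] or [sys.executable]:
        print(path, inspect_file(path))
```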