On 10/24/2011 02:58 AM, "Paweł Hajdan, Jr." wrote:
>
>> How would we say,
>> if you use gcc-config and choose gcc-4.5.1-hardened spec, mask
>> gdb-7.0*? I don't think it's impossible, but I'm not seeing how to
>> proceed right now.
> First, I'd like the hardened spec to be non-default, so that if the user
> chooses the hardened spec he'd be "on his own", and expect possibly more
> breakages.

Well, not totally on their own; they'd report it and we'd have to see what we want to do on an ad hoc basis. So maybe the first step would be to just build 5 specs:

 [1] x86_64-pc-linux-gnu-4.4.5
 [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie
 [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.5-vanilla

Here [1] = fully hardened. Then ship with no other changes. When bugs start to come in, you can deal with each --- some may be fixes at the package level (usually the build system), some may be ebuild fixes, some may need to go into the profiles.

There is one other catch Zorry pointed out: glibc. There are some patches against glibc which would have to go in unconditionally. Take a look at eblit-src_unpack-post() in glibc-2.12.2.ebuild. Currently they're "if use hardened". That conditional would be removed.

> Second, profiles/hardened/package.mask seems to contain only few
> entries, and a more recent gdb than 7.0 works and is in stable. I've
> checked on my hardened system. This doesn't seem to be a serious issue,
> maybe we can just punt gdb 7.0 or print a message that it's expected to
> be broken with hardened spec.

Those profiles have some ancient stuff in them which we know about, but haven't removed for legacy reasons. You want to look at the files under profiles/hardened/linux/. What would wind up happening if hardened goes mainstream is that those profiles would be reduced to just the maskings/unmaskings for a PaX hardened kernel. SELinux has its own.

> Third - can we forcefully disable hardened features in packages that are
> not compatible? My assumption is yes, and we should probably print a
> warning then.

There are a few things you can do here, yes. It is always possible to turn off hardening because the *last* resort solution is just to switch compile specs in the ebuild. This is only if none of the other methods work, the best method being to fix the build system so you can switch the feature off in configure. I had to use it once for virtualbox, which has a brain-dead build system. There we warn the user to switch specs in pkg_setup() using ...

if built_with_use sys-devel/gcc hardened.

> Fourth - we can add the gcc spec to emerge --info.
>
> What do you think?

Good idea.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : [email protected]
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
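As an added illustration (not code from this thread or from any Gentoo ebuild), a POSIX shell sketch of the spec-naming convention proposed above and the pkg_setup()-style warning: it reads a constructed `gcc-config -l` listing (the trailing '*' marker and the five spec names are assumptions), classifies a spec by which hardening it keeps, and warns when the active spec is hardened.

```shell
#!/bin/sh
# Constructed sample of `gcc-config -l` output for the five specs proposed in
# the thread; the trailing '*' marking the active spec is an assumed format.
GCC_CONFIG_LIST='[1] x86_64-pc-linux-gnu-4.4.5
 [2] x86_64-pc-linux-gnu-4.4.5-hardenednopie *
 [3] x86_64-pc-linux-gnu-4.4.5-hardenednopiessp
 [4] x86_64-pc-linux-gnu-4.4.5-hardenednossp
 [5] x86_64-pc-linux-gnu-4.4.5-vanilla'

# Print the name of the active spec (the line ending in '*').
active_spec() {
    printf '%s\n' "$GCC_CONFIG_LIST" | awk '$NF == "*" { print $2 }'
}

# Map a spec name to the hardening it enables, following the naming scheme in
# the thread (assumed to mean PIE and SSP): no suffix = fully hardened,
# -hardenednopie = SSP only, -hardenednossp = PIE only,
# -hardenednopiessp and -vanilla = neither. Prints "pie=<on|off> ssp=<on|off>".
spec_features() {
    case "$1" in
        *-vanilla|*-hardenednopiessp) echo "pie=off ssp=off" ;;
        *-hardenednopie)              echo "pie=off ssp=on" ;;
        *-hardenednossp)              echo "pie=on ssp=off" ;;
        *)                            echo "pie=on ssp=on" ;;
    esac
}

# Warn the way an ebuild's pkg_setup() might for a package known not to build
# with a hardened toolchain. Returns 0 (and prints the warning) if the active
# spec enables any hardening, 1 otherwise.
warn_if_hardened() {
    spec=$(active_spec)
    features=$(spec_features "$spec")
    [ "$features" = "pie=off ssp=off" ] && return 1
    echo "WARNING: active gcc spec '$spec' is hardened ($features);"
    echo "         this package is known to fail to build with it."
    echo "         Switch to a non-hardened spec with gcc-config before building."
    return 0
}
```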
