On Thu, 16 Mar 2006 23:02:19 -0600
Mikey <[EMAIL PROTECTED]> wrote:

> What I am curious about is the fact that I didn't really notice any
> special CFLAGS being used while everything was compiling.  Various
> documents tell me it is transparent, that the settings are read from
> the gcc spec file. Should I not be seeing cflags specific to hardened
> settings while everything is compiling?

No, you won't see anything in the compilation logs.  The flags are
switched on automatically by the hardened gcc specs.

> So I guess my question is - how do I know everything is actually
> being compiled with the hardened specific flags?  A diff 
> on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs
> shows no differences, is it safe to assume the default specs file is
> being used even though it is not being set anywhere in the
> environment?

The hardened gcc specs do four things:

1) compiles with -fPIE, links with -fPIE -pie, to create position
independent executables.  'readelf -h <executable>' will show the type
as "DYN" instead of "EXEC".  'scanelf -pRE ET_EXEC' will find any
non-PIEs on your path.  There will be some.

2) compiles with -fstack-protector-all (except in some situations where
we know it causes trouble).  Not so easy to check, but 'readelf -s
<executable/library> | grep stack_smash_handler' should show references
(will be stack_chk_fail if/when we move to gcc-4.1),  'scanelf -qplRS
__stack_smash_handler' will list all the executables/libraries that use
SSP (I don't know of a quick way to find anything that _doesn't_
reference a given symbol).  Again, there will be some stuff that
doesn't use SSP.

3) links with -z relro and -z now.  'readelf -l <file>' will
show a GNU_RELRO program header and 'readelf -d <file>' will show a tag
type "FLAGS" with value "BIND_NOW".  'scanelf -plRb' will show you
whether each exec/library/object is BIND_NOW or BIND_LAZY.  Everything
should be RELRO, as it never causes problems; the only thing that
doesn't like BIND_NOW is X (in particular the graphics drivers).

If an ebuild switches any of this off (not everything is compatible
with the things the hardened compiler does), you'll see it in the
compilation logs; look for -fno-pie, -fno-PIE, -nopie,
-fno-stack-protector, -nonow, -norelro.  Of particular note: only "X"
uses -nonow as far as I know, and nothing uses "-norelro".

If you do 'gcc -v' it'll show you what specs files are being used
(specs files are accumulative; later files modify/replace entries in
earlier ones).  Also:

echo | gcc -dM -E - | grep -E 'SSP|PIC'

will show:

#define __SSP__ 1
#define __SSP_ALL__ 2
#define __PIC__ 1

if the compiler is hardened.

-- 
Kevin F. Quinn
