Let's start with this command: "gcc-config -l". You should see multiple
flavors of each version of hardened gcc you installed. If the green mark is
beside the one without any additional tag at the end: that means you
compile executables hardened by default if you are running gcc (either
through make or executing g++). If you do not have -nopie and -vanilla
tags appended to the end of the particular version of gcc, that means your
gcc of that version is not hardened. You can switch back to the original
behavior with gcc-config selecting the vanilla profile. Just don't forget
to flip it back to the default hardened. Ebuilds can switch some features
(pie, ssp) on and off at compile time.
If you want to make sure that your executable is hardened you can use the
binutils executable called "readelf". Some examples:
"readelf -h <executable> | grep DYN" - shows if the executable is PIE
"readelf -s <executable> | grep -E 'guard|stack'" - shows if the executable
is SSP-enabled (use guard for the old-, and stack for the new ssp
implementation)
"readelf -l <executable> | grep RELRO" and "readelf -d <executable> | grep
BIND" shows that some linker options were applied on the executable, which
make the hardening more complete.
Is it clearer now?
Regards,
Dw.
--
Dr. Attila Tóth, Radiology specialist candidate, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962
On Mon, November 24, 2008 21:06, Jan Klod wrote:
> Please, could someone give a short introduction in how should I make sure,
> I am compiling with hardened features support? And if I do manually with
> some "make" or "gcc" or "g++"?
> Thank you...
>
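The readelf checks described in the reply above, collected into one script. This is an added example, not code from the original mail or from the Gentoo project: each classifier reads readelf output on stdin so it can be exercised against captured text as well as a live binary, and `check_binary` ties them together for a real file. The symbol names `__stack_chk_fail`, `__guard` and `__stack_smash_handler`, the `GNU_RELRO` program header and the `BIND_NOW`/`FLAGS_1 NOW` dynamic entries are what current and old binutils/glibc emit; the sample lines in the usage note are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the original mail): classify an ELF executable by
# the hardening markers the reply describes (PIE, SSP, RELRO, BIND_NOW),
# using binutils' readelf.  Each classifier reads readelf output from stdin.

# PIE executables are linked like shared objects, so "readelf -h" reports
# "Type: DYN ..." rather than "Type: EXEC ...".
is_pie() {
    grep -q 'Type:[[:space:]]*DYN'
}

# SSP leaves a reference to the canary-failure routine in the symbol table:
# __stack_chk_fail for the current glibc implementation, __guard or
# __stack_smash_handler for the old ProPolice one.  grep needs -E for the
# alternation; a plain "grep {guard|stack}" matches the braces literally.
has_ssp() {
    grep -qE '__stack_chk_fail|__guard|__stack_smash_handler'
}

# Partial RELRO shows up as a GNU_RELRO program header in "readelf -l".
has_relro() {
    grep -q 'GNU_RELRO'
}

# Full RELRO additionally needs immediate binding in the dynamic section
# ("readelf -d"): a (BIND_NOW) entry, BIND_NOW inside (FLAGS), or NOW
# inside (FLAGS_1).
has_bind_now() {
    grep -qE 'BIND_NOW|FLAGS_1.*NOW'
}

# Run all four checks on a real binary.  Prints one line per property and
# returns 0 only when every marker is present, 1 when something is missing,
# 2 when the file or readelf is unavailable.
check_binary() {
    bin=$1
    [ -r "$bin" ] || { echo "cannot read $bin" >&2; return 2; }
    command -v readelf >/dev/null 2>&1 || { echo "readelf not found" >&2; return 2; }
    rc=0
    if readelf -h "$bin" | is_pie;       then echo "PIE:      yes"; else echo "PIE:      no"; rc=1; fi
    if readelf -s "$bin" | has_ssp;      then echo "SSP:      yes"; else echo "SSP:      no"; rc=1; fi
    if readelf -l "$bin" | has_relro;    then echo "RELRO:    yes"; else echo "RELRO:    no"; rc=1; fi
    if readelf -d "$bin" | has_bind_now; then echo "BIND_NOW: yes"; else echo "BIND_NOW: no"; rc=1; fi
    return $rc
}

# Usage: ./check_hardening.sh /path/to/binary [...]
# With no arguments nothing is checked, so the file can also be sourced.
if [ $# -gt 0 ]; then
    for f in "$@"; do
        echo "== $f"
        check_binary "$f"
    done
fi
```

A static (non-PIE) binary without a dynamic section will report "no" for RELRO and BIND_NOW simply because `readelf -d` prints nothing, so interpret those two lines together with the PIE line rather than in isolation.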