Hi Anthony,
At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
I did execute all steps in this order and rebuilt all packages. Just now I
made some attempts and recompiled some of the packages which fail. However,
this changed nothing.
One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 before I switched to hardened last week. I
didn't encounter any special problems during the transition.
> If you didn't do these, it's possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
I just executed the script for /bin and the result [1] was very mixed. Nearly
all binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.
However, this seems not to be a big problem since the system is currently
running normally (Xfce desktop session) with my current list [2] of exceptions
to mprotect, which contains only binaries under /usr.
Thanks for the advice.
Markus
[1]
RELRO           STACK CANARY      NX            PIE           FILE
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/attr
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/basename
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/bash
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bsdcpio
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bsdtar
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/btrfs-debug-tree
Partial RELRO   No canary found   NX disabled   No PIE        /bin/busybox
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/bzip2
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cat
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/chacl
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chgrp
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chmod
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chown
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/chroot
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cp
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cpio
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/cut
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/date
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dd
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/df
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dir
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dirname
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/dmesg
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/du
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/echo
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ed
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/egrep
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/env
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/expr
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/false
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/fgrep
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/findmnt
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/fuser
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/gawk
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/getfacl
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/getfattr
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/grep
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/groups
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/gzip
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/head
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/hostname
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/kill
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ln
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/login
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ls
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/lsblk
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/lsmod
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mail
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mbchk
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mkdir
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mkfifo
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mknod
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mktemp
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/more
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mount
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/mountpoint
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/mv
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/nano
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/netstat
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/passwd
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ping
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/ping6
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/ps
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/pwd
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/readlink
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/rm
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/rmdir
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/run-parts
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sed
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/seq
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/setfacl
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/setfattr
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sleep
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sort
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/stty
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/su
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/sync
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tail
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tar
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/tcsh
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tempfile
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/touch
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tr
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/true
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/tty
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/umount
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/uname
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/vdir
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/wc
Full RELRO      No canary found   NX disabled   PIE enabled   /bin/yes
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/zsh
Full RELRO      Canary found      NX enabled    PIE enabled   /bin/zsh-4.3.12
[2]
/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon
--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
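The checksec.sh check recommended earlier in this thread derives its four columns (RELRO, STACK CANARY, NX, PIE) from readelf output. The following is an added example, not part of this thread and not checksec.sh's own code, that performs the same four checks directly on the ELF64 program headers and dynamic section in Python. Because a real hardened binary is not available here, the block also fabricates a header-only ELF image (build_sample_elf, a constructed sample with no code in it) whose properties can be toggled, so the checker can be run offline. The function names, the toy image and the string-table heuristic for the canary are my assumptions, not anything from the list post.

```python
"""ELF64 hardening check (RELRO, stack canary, NX, PIE) using checksec.sh's
column wording; build_sample_elf() makes a constructed header-only image."""
import struct

# Constants from elf.h
ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_DYNAMIC, PT_GNU_STACK, PT_GNU_RELRO = 1, 2, 0x6474E551, 0x6474E552
PF_X, PF_W, PF_R = 1, 2, 4
DT_NULL, DT_STRTAB, DT_STRSZ, DT_DEBUG, DT_BIND_NOW, DT_FLAGS = 0, 5, 10, 21, 24, 30
DT_FLAGS_1, DF_BIND_NOW, DF_1_NOW = 0x6FFFFFFB, 0x8, 0x1
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # Elf64_Ehdr, little-endian
PHDR = struct.Struct("<IIQQQQQQ")          # Elf64_Phdr
DYN = struct.Struct("<qQ")                 # Elf64_Dyn


def _segments(data):
    """Return e_type and [(p_type, p_flags, p_offset, p_vaddr, p_filesz), ...]."""
    hdr = EHDR.unpack_from(data, 0)
    if hdr[0][:4] != b"\x7fELF" or hdr[0][4] != 2 or hdr[0][5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff, e_phentsize, e_phnum = hdr[5], hdr[9], hdr[10]
    phdrs = [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]
    return hdr[1], [(p[0], p[1], p[2], p[3], p[5]) for p in phdrs]


def _dynamic(data, phdrs):
    """Read the PT_DYNAMIC segment into a {d_tag: d_val} map (last tag wins)."""
    tags = {}
    for p_type, _, off, _, filesz in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for i in range(filesz // DYN.size):
            tag, val = DYN.unpack_from(data, off + i * DYN.size)
            if tag == DT_NULL:
                break
            tags[tag] = val
    return tags


def _file_offset(phdrs, vaddr):
    """Map a virtual address to a file offset via the PT_LOAD segments."""
    for p_type, _, off, va, filesz in phdrs:
        if p_type == PT_LOAD and va <= vaddr < va + filesz:
            return vaddr - va + off
    raise ValueError("address %#x is not file-backed" % vaddr)


def checksec(data):
    """Return the four checksec.sh columns for one ELF image given as bytes."""
    e_type, phdrs = _segments(data)
    dyn = _dynamic(data, phdrs)
    by_type = {p[0]: p for p in phdrs}
    # RELRO: PT_GNU_RELRO is remapped read-only after relocation; only with
    # BIND_NOW can the whole GOT live inside it, which is what "full" means.
    bind_now = (DT_BIND_NOW in dyn or dyn.get(DT_FLAGS, 0) & DF_BIND_NOW
                or dyn.get(DT_FLAGS_1, 0) & DF_1_NOW)
    relro = ("No RELRO" if PT_GNU_RELRO not in by_type
             else "Full RELRO" if bind_now else "Partial RELRO")
    # Canary: like checksec.sh, infer it from a __stack_chk_fail reference,
    # here searched for in the dynamic string table (DT_STRTAB / DT_STRSZ).
    canary = "No canary found"
    if DT_STRTAB in dyn and DT_STRSZ in dyn:
        start = _file_offset(phdrs, dyn[DT_STRTAB])
        if b"\0__stack_chk_fail\0" in data[start:start + dyn[DT_STRSZ]]:
            canary = "Canary found"
    # NX: PT_GNU_STACK present and without PF_X. A missing PT_GNU_STACK means
    # the kernel's architecture default, an executable stack on x86.
    stack = by_type.get(PT_GNU_STACK)
    nx = "NX enabled" if stack is not None and not stack[1] & PF_X else "NX disabled"
    # PIE: checksec.sh's rule, ET_DYN with DT_DEBUG is a PIE executable,
    # ET_DYN without it is a plain shared object.
    pie = {ET_EXEC: "No PIE",
           ET_DYN: "PIE enabled" if DT_DEBUG in dyn else "DSO"}.get(e_type, "Not an executable")
    return {"RELRO": relro, "STACK CANARY": canary, "NX": nx, "PIE": pie}


def build_sample_elf(pie=True, canary=True, nx=True, relro="full"):
    """Constructed header-only x86-64 ELF image (no code) with the given traits."""
    strtab = b"\0" + (b"__stack_chk_fail\0" if canary else b"puts\0")
    phnum = 3 + (relro != "none")
    str_off = EHDR.size + phnum * PHDR.size
    dyn_off = (str_off + len(strtab) + 7) & ~7   # 8-byte align the dynamic section
    dyn = [(DT_STRTAB, str_off), (DT_STRSZ, len(strtab))]
    dyn += [(DT_DEBUG, 0)] if pie else []
    dyn += [(DT_FLAGS, DF_BIND_NOW)] if relro == "full" else []
    dyn.append((DT_NULL, 0))
    dyn_size, total = len(dyn) * DYN.size, dyn_off + len(dyn) * DYN.size
    # (p_type, p_flags, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align)
    phdrs = [(PT_LOAD, PF_R, 0, 0, 0, total, total, 0x1000),
             (PT_DYNAMIC, PF_R | PF_W, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 8),
             (PT_GNU_STACK, PF_R | PF_W | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16)]
    if relro != "none":
        phdrs.append((PT_GNU_RELRO, PF_R, dyn_off, dyn_off, dyn_off, dyn_size, dyn_size, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELFCLASS64, LSB, v1, SysV ABI
    ehdr = EHDR.pack(ident, ET_DYN if pie else ET_EXEC, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, phnum, 0, 0, 0)
    image = ehdr + b"".join(PHDR.pack(*p) for p in phdrs)
    image += strtab + bytes(dyn_off - str_off - len(strtab))
    return image + b"".join(DYN.pack(*d) for d in dyn)
```

To run it on a real file, pass the file's bytes: `checksec(open("/bin/ls", "rb").read())`. The canary heuristic has the same blind spot as checksec.sh's symbol grep: it only sees __stack_chk_fail when that symbol is imported through the dynamic linker, so a statically linked binary built with -fstack-protector, or one in which no function actually received a protector instance, is reported as "No canary found" even though the toolchain flag was in effect.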