I have decided to take the hardened profile for a spin on a couple of my edge servers. I grabbed stage1-x86-hardened-2.6-2006.0.tar.bz2, verified the profile was set to profiles/hardened/x86/2.6/, did my bootstrap and emerge -e system. Everything looks to have gone ok.
What I am curious about is the fact that I didn't really notice any special CFLAGS being used while everything was compiling. Various documents tell me it is transparent, that the settings are read from the gcc spec file. Should I not be seeing CFLAGS specific to hardened settings while everything is compiling?

gcc-config -l shows:

[1] i686-pc-linux-gnu-3.4.5 *
[2] i686-pc-linux-gnu-3.4.5-hardenednopie
[3] i686-pc-linux-gnu-3.4.5-hardenednopiessp
[4] i686-pc-linux-gnu-3.4.5-hardenednossp
[5] i686-pc-linux-gnu-3.4.5-vanilla

When I look in /etc/env.d/05gcc, nothing is set for GCC_SPECS:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCC_SPECS=""

/etc/env.d/gcc/config points to i686-pc-linux-gnu-3.4.5, which contains:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"

When I look at some of the other config files, such as i686-pc-linux-gnu-3.4.5-hardenednopie, it defines a GCC_SPECS file:

PATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
ROOTPATH="/usr/i686-pc-linux-gnu/gcc-bin/3.4.5"
LDPATH="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5"
GCCBITS="32"
MANPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/man"
INFOPATH="/usr/share/gcc-data/i686-pc-linux-gnu/3.4.5/info"
STDCXX_INCDIR="g++-v3"
GCC_SPECS="/usr/lib/gcc/i686-pc-linux-gnu/3.4.5/hardenednopie.specs"

So I guess my question is: how do I know everything is actually being compiled with the hardened-specific flags?
A diff on /usr/lib/gcc/i686-pc-linux-gnu/3.4.5/specs and hardened.specs shows no differences. Is it safe to assume the default specs file is being used even though it is not being set anywhere in the environment?
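One way to settle the question the post raises empirically, rather than by reading env.d files, is to build a small program with the active gcc and inspect the resulting ELF for the two markers a hardened toolchain is expected to produce: a stack-protector canary (the binary references a canary-failure handler) and a position-independent executable (ELF type DYN instead of EXEC). The script below is an added example, not code from the original message or from the Gentoo hardened project. It assumes gcc plus binutils (nm, readelf) are on PATH; the flag spellings used for the known-good and known-bad builds in the usage note (-fstack-protector-all, -fPIE/-pie, -no-pie) are modern gcc spellings and are an assumption, since on the 3.4.5 hardened toolchain in the post those defaults come from the specs file rather than from CFLAGS. gcc 3.x announces the specs file it reads as "Reading specs from <path>" in gcc -v output, which is the quickest confirmation of which specs are active.

```sh
#!/bin/sh
# Added example (not from the original post): empirically check whether the
# active gcc emits hardened code, instead of trusting GCC_SPECS in env.d.
# Assumes gcc plus binutils (nm, readelf) on PATH. The flag names used for
# the known-good/known-bad builds (-fstack-protector-all, -fPIE/-pie, -no-pie)
# are modern gcc spellings and are assumed here; on the gcc 3.4.5 hardened
# toolchain from the post the defaults come from the specs file instead.

# Show which specs gcc reads. gcc 3.x prints "Reading specs from <path>";
# newer gcc prints "Using built-in specs." (no external specs file at all).
active_specs() {
    gcc -v 2>&1 | grep -i 'specs' || echo "could not query gcc for its specs"
}

# Constructed sample program: the local buffer forces a stack canary to be
# emitted whenever the stack protector is enabled.
write_sample() {
    cat > "$1" <<'EOF'
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv) {
    char buf[64];
    strncpy(buf, argc > 1 ? argv[1] : "hello", sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    puts(buf);
    return 0;
}
EOF
}

# 0 if the binary references a canary-failure handler: __stack_chk_fail for
# gcc >= 4.1 with glibc, __stack_smash_handler for the older ProPolice patch.
has_ssp() {
    nm -D "$1" 2>/dev/null | grep -Eq '__stack_chk_fail|__stack_smash_handler'
}

# 0 if the executable is position independent (ELF type DYN rather than EXEC).
is_pie() {
    readelf -h "$1" 2>/dev/null | grep -q 'Type:[[:space:]]*DYN'
}

# Build the sample with the given flags (empty string = compiler defaults),
# print one report line and return 0 only if both SSP and PIE are present
# (1 if either is missing, 2 if the build itself failed).
check_hardening() {
    flags=$1
    dir=$(mktemp -d) || return 2
    write_sample "$dir/sample.c"
    # word-splitting of $flags is intended here
    if ! gcc $flags -o "$dir/sample" "$dir/sample.c" 2>/dev/null; then
        rm -rf "$dir"
        return 2
    fi
    ssp=no; pie=no; rc=1
    has_ssp "$dir/sample" && ssp=yes
    is_pie "$dir/sample" && pie=yes
    [ "$ssp" = yes ] && [ "$pie" = yes ] && rc=0
    echo "flags='$flags': stack-protector=$ssp pie=$pie"
    rm -rf "$dir"
    return $rc
}

# Report on the compiler exactly as configured, which is what the post asks.
active_specs
check_hardening "" || echo "active gcc does not give both SSP and PIE by default"
```

Run it once with no flags to see what the selected gcc-config profile really does, then run `check_hardening "-fno-stack-protector -no-pie"` and `check_hardening "-fstack-protector-all -fPIE -pie"` to confirm the detection itself distinguishes a hardened binary from an unhardened one on your toolchain. Switching profiles with gcc-config and re-running the default check is the direct way to see whether the hardenednopie/hardenednossp variants change the output as their names suggest.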
