Author: robert Date: 2007-02-09 00:37:39 -0700 (Fri, 09 Feb 2007) New Revision: 973
Modified: branches/2.4-branch/BOOK/chapter01/changelog.xml branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml branches/2.4-branch/BOOK/general.ent Log: Added hardened-specs.h to gcc-pass2. Modified: branches/2.4-branch/BOOK/chapter01/changelog.xml =================================================================== --- branches/2.4-branch/BOOK/chapter01/changelog.xml 2007-02-08 00:34:52 UTC (rev 972) +++ branches/2.4-branch/BOOK/chapter01/changelog.xml 2007-02-09 07:37:39 UTC (rev 973) @@ -110,6 +110,8 @@ </listitem> --> +<listitem><para>February 9th, 2007 [Robert]: Added hardened-specs.h to gcc-pass2.</para></listitem> + <listitem><para>February 7th, 2007 [Robert]: Added a config.site in /tools for uClibc builds.</para></listitem> <listitem><para>February 7th, 2007 [Robert]: Fix Expect to compile with uClibc (HAVE_STROPTS_H).</para></listitem> Modified: branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml =================================================================== --- branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml 2007-02-08 00:34:52 UTC (rev 972) +++ branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml 2007-02-09 07:37:39 UTC (rev 973) 
@@ -82,6 +82,124 @@ echo "#undef STANDARD_INCLUDE_DIR #define STANDARD_INCLUDE_DIR 0" >> gcc/config/linux.h</userinput></screen> +<para>We can change the default behavior of GCC to add various flags by +creating a hardened specs header file which redefines GCC spec strings. A +detailed summary of the GCC specs is available here: +<ulink url="http://developer.apple.com/documentation/developertools/gcc-4.0.1/gcc/Spec-Files.html"/>.</para> + + <para>The next command creates a header file that will be included during + the build of GCC to reset the default behaviour to add compiler options which + will take optimal advantage of Grsecurity kernels, and make the system less + vulnerable:</para> + +<screen><userinput>cat > gcc/hardened-specs.h << "EOF" +#ifndef HARDENED_SPECS_H +#define HARDENED_SPECS_H + +#if defined(__i386__) && defined(__linux__) && defined(__ELF__) \ + && defined(HAVE_LD_PIE) + +#undef CC1_SPEC +#define CC1_SPEC "%(cc1_cpu) %{profile:-p} \ + %{D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pic|fno-PIC \ + :;shared|nostdlib|nostartfiles:-fPIC} \ + %{static|D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pie|fno-PIE| \ + shared|nostdlib|nostartfiles:;:-fPIE}" + +#undef CC1PLUS_SPEC +#define CC1PLUS_SPEC \ + "%{D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pic|fno-PIC \ + :;shared|nostdlib|nostartfiles:-fPIC} \ + %{static|D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pie|fno-PIE| \ + shared|nostdlib|nostartfiles:;:-fPIE}" + +#undef ENDFILE_SPEC +#define ENDFILE_SPEC "%{static|nopie:crtend.o%s;:crtendS.o%s} crtn.o%s" + +#undef STARTFILE_SPEC +#define STARTFILE_SPEC "%{shared:;pg|p|profile:gcrt1.o%s; \ + static|nopie:crt1.o%s;:Scrt1.o%s} crti.o%s \ + %{static:crtbeginT.o%s;nopie:crtbegin.o%s;:crtbeginS.o%s}" + +#undef LINK_PIE_SPEC +#define LINK_PIE_SPEC "%{pie:-pie} %{!static:%{!Bstatic: \ + %{nonow:-z lazy;:-z now} %{norelro:-z norelro;:-z relro} \ + %{nocombreloc:-z nocombreloc;:-z combreloc} \ + %{shared|Bshareable|i|r|pie|nopie:;:-pie}}}" + +#else /* __i386__ && __linux__ && __ELF__ && 
HAVE_LD_PIE */ +#error "You are using an unsupported system. This header can not be used." +#endif /* __i386__ && __linux__ && __ELF__ && HAVE_LD_PIE */ +#endif /* HARDENED_SPECS_H */ +EOF</userinput></screen> + + <para>This command includes the hardened-specs header in the right place:</para> + +<screen><userinput>cp -vi gcc/gcc.c{,.orig} +sed '0,/.*config.h can define.*/s//#include "hardened-specs.h"\n&/' \ + gcc/gcc.c.orig > gcc/gcc.c</userinput></screen> + + <para>Make a copy this header file so we can use it again in chapter 6:</para> + +<screen><userinput>cp -v gcc/hardened-specs.h /tools</userinput></screen> + +<variablelist> + <title>Flags to disable specific options:</title> + + <varlistentry> + <term><parameter><option>-fno-pic -fno-PIC</option></parameter></term> + <listitem> + <para>This will disable '<command>gcc</command> <option>-fPIC</option>'. + If <option>-fpic</option> is used, this will be used instead of + <option>-fPIC</option>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><parameter><option>-fno-pie -fno-PIE</option></parameter></term> + <listitem> + <para>This will disable '<command>gcc</command> <option>-fPIE</option>'. 
+ If <option>-fpie</option> is used, this will be used instead of + <option>-fPIE</option>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><parameter><option>-nopie</option></parameter></term> + <listitem> + <para>This will disable '<command>ld</command> <option>-z pie</option>' + as well as disable the linking to <filename class="libraryfile">crtendS.o</filename>, + <filename class="libraryfile">Scrt1.o</filename>, and + <filename class="libraryfile">crtbeginS.o</filename>.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><parameter><option>-norelro</option></parameter></term> + <listitem> + <para>This will disable '<command>ld</command> <option>-z relro</option>' + and enable '<command>ld</command> <option>-z norelro</option>'.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><parameter><option>-nocombreloc</option></parameter></term> + <listitem> + <para>This will disable '<command>ld</command> <option>-z combreloc</option>' + and enable '<command>ld</command> <option>-z nocombreloc</option>'.</para> + </listitem> + </varlistentry> + + <varlistentry> + <term><parameter><option>-nonow</option></parameter></term> + <listitem> + <para>This will disable '<command>ld</command> <option>-z now</option>' + and enable '<command>ld</command> <option>-z lazy</option>'.</para> + </listitem> + </varlistentry> + +</variablelist> + <para>Create a separate build directory again:</para> <screen><userinput>mkdir -v ../gcc-build Modified: branches/2.4-branch/BOOK/general.ent =================================================================== --- branches/2.4-branch/BOOK/general.ent 2007-02-08 00:34:52 UTC (rev 972) +++ branches/2.4-branch/BOOK/general.ent 2007-02-09 07:37:39 UTC (rev 973) 
@@ -1,6 +1,6 @@ <?xml version="1.0" encoding="ISO-8859-1"?> -<!ENTITY version "2.4-branch-20070207"> -<!ENTITY releasedate "February 7th, 2007"> +<!ENTITY version "2.4-branch-20070209"> +<!ENTITY releasedate "February 9th, 2007"> <!ENTITY milestone "1.0"> <!ENTITY lfs-root "http://www.linuxfromscratch.org/"> -- http://linuxfromscratch.org/mailman/listinfo/hlfs-book FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
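Review bot: In the gcc-pass2.xml hunk, the sed command that wires the header in, 'sed '0,/.*config.h can define.*/s//#include "hardened-specs.h"\n&/' gcc/gcc.c.orig > gcc/gcc.c', fails silently: if no line of gcc.c matches the "config.h can define" comment, sed writes the file through unchanged with exit status 0, and GCC is then built without any of the hardened specs while the rest of the book proceeds as if it had them. Suggest following the sed with an explicit check such as 'grep -q "hardened-specs.h" gcc/gcc.c' so the build stops when the include was not inserted. Two smaller points in the same hunk: the 'cp -vi gcc/gcc.c{,.orig}' will prompt on stdin if gcc.c.orig already exists (for example on a rerun), which stalls a scripted build, so 'cp -v' is the safer choice here; and the prose should state the restriction that the '#else ... #error' branch imposes, namely that the header only works on __i386__ Linux/ELF with a PIE-capable linker (HAVE_LD_PIE) and aborts the build everywhere else. Also, the '-nopie' entry in the variablelist says it disables 'ld -z pie', but LINK_PIE_SPEC as written emits '-pie' (via '%{pie:-pie}' and the final ':-pie}' default), so the description should read 'ld -pie' to match what the spec actually passes.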
