kernelOfTruth (Watchman)
Joined: 20 Dec 2005, Posts: 6111, Location: Vienna, Austria; Germany; hello world :)
Posted: Mon Aug 07, 2006 9:38 pm
Post subject: Securing Gentoo with cflags and ldflags
Hi there,
since gcc 4.0 and 4.1 (still) don't support profiles,
I am trying to secure my system without hardened use-flag (I had troubles with hardened gentoo) but with some other use-flags, cflags and ldflags:
I use the following flags and have some questions:
CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=1"
==> would it do much harm to the system to change the setting to "2" (modifying all apps ?!) ?
LDFLAGS="-Wl,-z,relro -Wl,-z,combreloc"
USEFLAGS="pic" (and more; I've had bad experiences with pie: some applications such as xorg-server/xorg-x11 didn't run)
I've found the following cflag on the net:
"-DG_DISABLE_ASSERT" what does it actually do?
Thanks in advance for your input
_________________
https://github.com/kernelOfTruth/ZFS-for-SystemRescueCD/tree/ZFS-for-SysRescCD-4.9.0
https://github.com/kernelOfTruth/pulseaudio-equalizer-ladspa
Hardcore Gentoo Linux user since 2004
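On the =1 versus =2 question raised in the post above, the practical difference is which size the fortified glibc functions (strcpy, memcpy, sprintf, ...) compare a write against. Level 1 uses __builtin_object_size(dst, 0), the bytes left in the whole enclosing object; level 2 uses __builtin_object_size(dst, 1), the bytes left in the innermost struct member. Level 2 therefore aborts programs that deliberately fill one member and let the write spill into the next (and it also rejects %n in format strings that live in writable memory), which is exactly the kind of "conforming but tricky" code that starts failing when the flag is raised. Note that the fortified wrappers are only active when compiling with -O1 or higher; at -O0 the macro is a no-op. The program below is an added example written for this page, not code from the thread or from glibc; struct record, sample, limit_for_level and copy_allowed are names invented for it, and it only reads the two sizes rather than performing an overflowing write, so it runs at any optimisation level.

```c
/* Added example (not from the thread): what a fortified string/memory call
 * measures its destination against at each _FORTIFY_SOURCE level.
 * glibc's wrappers compare the copy length with
 *   __builtin_object_size(dst, 0)  at level 1: bytes left in the whole object
 *   __builtin_object_size(dst, 1)  at level 2: bytes left in the enclosing member
 * The record layout and all names here are constructed for this example. */
#include <stdio.h>
#include <stddef.h>

/* Two adjacent members in one object. Code that fills 'name' and lets the
 * write spill into 'tag' passes the level-1 check but aborts under level 2. */
struct record {
    char name[8];
    char tag[8];
};

static struct record sample = { "abc", "xyz" };

/* The byte limit the fortify check enforces for a write starting at sample.name */
size_t limit_for_level(int level)
{
    if (level >= 2)
        return __builtin_object_size(sample.name, 1);  /* member only: 8 */
    return __builtin_object_size(sample.name, 0);      /* whole struct: 16 */
}

/* Would a fortified memcpy/strcpy of n bytes into sample.name be allowed?
 * This is the comparison __memcpy_chk and friends make before copying. */
int copy_allowed(int level, size_t n)
{
    return n <= limit_for_level(level);
}

int main(void)
{
    for (int level = 1; level <= 2; level++)
        printf("_FORTIFY_SOURCE=%d: limit for sample.name is %zu bytes; "
               "a 12-byte copy is %s\n",
               level, limit_for_level(level),
               copy_allowed(level, 12) ? "accepted"
                                       : "rejected (\"*** buffer overflow detected ***\")");
    return 0;
}
```

Run it as-is to see the two limits (16 and 8 bytes); the 12-byte copy is accepted at level 1 and would be aborted at level 2. If a package on your system stops working after switching to =2 with -O2, this member-boundary check is the first thing to suspect.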
lnxz (Guru)
Joined: 03 Jul 2005, Posts: 472, Location: Earth
Posted: Tue Aug 08, 2006 1:58 pm
AFAIK the main downside of FORTIFY_SOURCE is a minor decrease in performance because of the extra run time checks. Also, I believe some broken applications might refuse to work/compile, but I'm not certain, as I've never used it.
-Wl,-z,combreloc is enabled by default, I think, but you might be interested in looking into -Wl,-z,now.
-DG_DISABLE_ASSERT is a preprocessor option that, judging by the name, omits assert calls in the code.
assert is used to catch conditions which should not occur, and is mainly used for debugging. Granted that the developers tested the code prior to releasing it, doing a lot of assertions is utterly useless for the end user, since they should never fail in any case.
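Following lnxz's pointer to -Wl,-z,now: -z,relro on its own makes the loader map the relocated data (.got, .dynamic, ...) read-only once relocation is done, but with lazy binding still enabled the PLT's GOT (.got.plt) has to stay writable for the life of the process, so a write primitive can still redirect a function pointer there ("partial RELRO"). Adding -z,now resolves every symbol at load time, after which .got.plt can join the read-only region ("full RELRO"). Whether a binary actually got these is recorded in its ELF headers: a PT_GNU_RELRO program header for relro, a DT_BIND_NOW entry or the DF_BIND_NOW / DF_1_NOW flags in the dynamic section for now, and an ET_DYN type for a PIE executable. The program below is an added example written for this page, not code from the thread or from binutils; it parses those headers itself (ELF64 little-endian only), mirroring what readelf -ld shows, and includes a constructed in-memory sample image so the check can be exercised without a real binary. struct hardening, elf_inspect_buf, elf_inspect_file, build_sample_elf and sample_bits are names invented for it.

```c
/* Added example (not from the thread): read an ELF64/LSB image and report the
 * link-time hardening discussed above, the check `readelf -ld` lets you do by eye:
 *   PT_GNU_RELRO segment      <- -Wl,-z,relro  (on its own: partial RELRO)
 *   DF_BIND_NOW or DF_1_NOW   <- -Wl,-z,now    (together with RELRO: full RELRO)
 *   ET_DYN executable         <- -fPIE -pie
 * The names (struct hardening, elf_inspect_*) are this example's own. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct hardening { int pie, relro, bind_now; };
/* Parse an ELF64 little-endian image held in memory. Returns 0 on success,
 * -1 if it is not ELF64/LSB or a header points outside the buffer. */
int elf_inspect_buf(const uint8_t *buf, size_t len, struct hardening *h)
{
    Elf64_Ehdr eh;
    memset(h, 0, sizeof *h);
    if (len < sizeof eh || memcmp(buf, ELFMAG, SELFMAG) != 0 ||
        buf[EI_CLASS] != ELFCLASS64 || buf[EI_DATA] != ELFDATA2LSB)
        return -1;
    memcpy(&eh, buf, sizeof eh);
    h->pie = (eh.e_type == ET_DYN);          /* a PIE executable is ET_DYN */
    if (eh.e_phentsize != sizeof(Elf64_Phdr) || eh.e_phoff > len ||
        (size_t)eh.e_phnum * sizeof(Elf64_Phdr) > len - eh.e_phoff)
        return -1;                           /* bounds-check before walking */
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph;
        memcpy(&ph, buf + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type == PT_GNU_RELRO) h->relro = 1;
        if (ph.p_type != PT_DYNAMIC) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
        /* Walk the dynamic array up to DT_NULL looking for the bind-now markers */
        for (size_t off = 0; off + sizeof(Elf64_Dyn) <= ph.p_filesz; off += sizeof(Elf64_Dyn)) {
            Elf64_Dyn d;
            memcpy(&d, buf + ph.p_offset + off, sizeof d);
            if (d.d_tag == DT_NULL) break;
            if (d.d_tag == DT_BIND_NOW ||
                (d.d_tag == DT_FLAGS && (d.d_un.d_val & DF_BIND_NOW)) ||
                (d.d_tag == DT_FLAGS_1 && (d.d_un.d_val & DF_1_NOW)))
                h->bind_now = 1;
        }
    }
    return 0;
}

/* Same check on a file, e.g. an emerged binary or /proc/self/exe. */
int elf_inspect_file(const char *path, struct hardening *h)
{
    FILE *f = fopen(path, "rb");
    uint8_t *buf = NULL; long sz = 0; int rc = -1;
    if (!f) return -1;
    if (fseek(f, 0, SEEK_END) == 0 && (sz = ftell(f)) > 0 && fseek(f, 0, SEEK_SET) == 0 &&
        (buf = malloc((size_t)sz)) != NULL && fread(buf, 1, (size_t)sz, f) == (size_t)sz)
        rc = elf_inspect_buf(buf, (size_t)sz, h);
    free(buf);
    fclose(f);
    return rc;
}

/* Constructed sample (headers only, not loadable): ehdr | 2 phdrs | dynamic array */
size_t build_sample_elf(uint8_t *out, size_t cap, int hardened)
{
    Elf64_Ehdr eh; Elf64_Phdr ph[2]; Elf64_Dyn dyn[3];
    size_t dyn_off = sizeof eh + sizeof ph, total = dyn_off + sizeof dyn;
    if (cap < total) return 0;
    memset(&eh, 0, sizeof eh); memset(ph, 0, sizeof ph); memset(dyn, 0, sizeof dyn);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = hardened ? ET_DYN : ET_EXEC; eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = 2;
    ph[0].p_type = hardened ? PT_GNU_RELRO : PT_NOTE;   /* relro segment or filler */
    ph[1].p_type = PT_DYNAMIC; ph[1].p_offset = dyn_off; ph[1].p_filesz = sizeof dyn;
    dyn[0].d_tag = DT_FLAGS;   dyn[0].d_un.d_val = hardened ? DF_BIND_NOW : 0;
    dyn[1].d_tag = DT_FLAGS_1; dyn[1].d_un.d_val = hardened ? DF_1_NOW : 0;
    dyn[2].d_tag = DT_NULL;
    memcpy(out, &eh, sizeof eh); memcpy(out + sizeof eh, ph, sizeof ph);
    memcpy(out + dyn_off, dyn, sizeof dyn);
    return total;
}

int sample_bits(int hardened)   /* pie | relro<<1 | bind_now<<2 for the sample, -1 on error */
{
    uint8_t img[256]; struct hardening h;
    size_t n = build_sample_elf(img, sizeof img, hardened);
    if (n == 0 || elf_inspect_buf(img, n, &h) != 0) return -1;
    return h.pie | h.relro << 1 | h.bind_now << 2;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe"; struct hardening h;
    if (elf_inspect_file(path, &h) != 0) { fprintf(stderr, "%s: not ELF64/LSB\n", path); return 1; }
    printf("%s: PIE=%s RELRO=%s BIND_NOW=%s -> %s RELRO\n", path, h.pie ? "yes" : "no",
           h.relro ? "yes" : "no", h.bind_now ? "yes" : "no",
           h.relro && h.bind_now ? "full" : h.relro ? "partial" : "no");
    return 0;
}
```

Build it once with the posted flags (gcc -O2 -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro -Wl,-z,now) and once without, and run each copy on itself: the first reports full RELRO and PIE, the second shows which of the three markers your toolchain adds by default. Pointing it at an emerged binary (./a.out /usr/bin/something) tells you whether Portage actually applied the LDFLAGS to that package.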
allotment (n00b)
Joined: 01 Sep 2006, Posts: 2
Posted: Fri Sep 01, 2006 6:49 am
Quote:
    USEFLAGS="pic" (and more; I've had bad experiences with pie: some applications such as xorg-server/xorg-x11 didn't run)
Going to do my first gentoo install soon.
From the doc I understand Xorg must be compiled statically (same for xorg-server? are we talking about different things here):
Code Listing 2.1: Install Statically Linked Xorg (to avoid elfloader problem)
    echo "x11-base/xorg-x11 static" >> /etc/portage/package.use
    emerge x11-base/xorg-x11
Quote:
    do ati-drivers and nvidia-drivers / nvidia-kernel now work with hardened gentoo?
I understand PaX does not, but you can disable PaX on a given application.
All this is theoretical knowledge; hope it helps.
kernelOfTruth (Watchman)
Joined: 20 Dec 2005, Posts: 6111, Location: Vienna, Austria; Germany; hello world :)
Posted: Thu Sep 07, 2006 2:12 pm
@allotment:
Thanks !
I have this working here on a laptop & workstation (with proprietary nvidia & ati-drivers)
I think the only difference from the conventional way is that I'm not using the hardened profile, but the hardened toolchain (gcc, glibc, hardened useflag, d_fortify_source=2).
xorg-x11 / xorg-server should work fine now with hardened, since dlloader is now standard and elfloader deprecated ...
I have parts of PaX & grsecurity activated, too, & had no problems so far ... (running 2.6.17-emission8)