Compiling proftpd with hardened-gcc yields:

gcc -march=pentium4 -O3 -pipe -fforce-addr -foptimize-sibling-calls -fno-inline -finline-limit=1000 -Wall -c cap_sys.c -o cap_sys.o
cap_sys.c: In function `capget':
cap_sys.c:14: error: can't find a register in class `BREG' while reloading `asm'
make[1]: *** [cap_sys.o] Error 1
make[1]: Leaving directory `/var/tmp/portage/proftpd-1.2.9_rc2/work/proftpd-1.2.9rc2/lib/libcap'
make: *** [dirs] Error 2

Attached is a patch to avoid using -yet_exec to compile proftpd. Thanks to the guys in #gentoo-hardened for helping me figure this out.
Created attachment 18767: patch
Fixed in cvs, added -yet_exec to fix configure and later sed it out again.

Alex
Reversing the previous commit. The reason this happens with proftpd is it includes its own bundled libcap which is not a position independent safe version. PIC code reserves the ebx register and the ebx gets munched by the glibc version of _syscall2() so the two are not really compatible. More info on the bundled version of libcap with proftpd can be found in proftpd's bugzilla.

http://bugs.proftpd.org/show_bug.cgi?id=2000

Using modern glibc with we can get the true desired result with.

has_version sys-devel/hardened-gcc && echo > lib/libcap/cap_sys.c

solar@simple proftpd $ file `which proftpd`
/usr/sbin/proftpd: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), stripped
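The comment above blames a _syscall2()-style inline-asm stub that needs ebx while position-independent code keeps ebx reserved. As an added illustration (not code from proftpd, libcap or the ebuild), this is a capget call routed through libc's syscall() wrapper, so the translation unit contains no inline asm asking for ebx; the function names are hypothetical and a Linux system with kernel headers is assumed.

```c
/* Added example: read the process capability set without a hand-rolled
 * _syscall2() stub, so the file compiles the same with or without -fPIC. */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Hypothetical helper. libc's syscall() does its own register handling, so
 * nothing here uses a "b" (ebx) asm constraint, the operand class behind the
 * `BREG' reload error when ebx is reserved as the i386 PIC register. */
static int pic_safe_capget(cap_user_header_t hdr, cap_user_data_t data)
{
    return (int)syscall(SYS_capget, hdr, data);
}

/* Store the calling process's 64-bit effective set in *eff; 0 on success. */
int current_effective_caps(unsigned long long *eff)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                      /* 0 means the calling process */
    if (pic_safe_capget(&hdr, data) != 0)
        return -1;
    *eff = ((unsigned long long)data[1].effective << 32) | data[0].effective;
    return 0;
}

/* 1 if capability number cap is present in set, 0 otherwise. */
int has_cap(unsigned long long set, unsigned cap)
{
    return cap < 64 && ((set >> cap) & 1ULL);
}

int main(void)
{
    unsigned long long eff = 0;
    if (current_effective_caps(&eff) != 0) {
        perror("capget");
        return 1;
    }
    /* CAP_NET_BIND_SERVICE is only a sample bit to inspect. */
    printf("effective=%#llx net_bind=%d\n", eff,
           has_cap(eff, CAP_NET_BIND_SERVICE));
    return 0;
}
```
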
Merged second fix in cvs. This fix also allows users that have -fPIC in C[XX]FLAGS to also compile proftpd without getting the exact same BREG errors (such as prelink users).