I have a non-hardened system, but I'm thinking about a change - I was using several grsecurity features in 2.4 and still think about finding something similar in 2.6 (and you don't make it simple with your "you can't have X and PaX at the same time" type of thinking).

After the upgrade of portage, the possibility to build gcc with the hardened flag disappeared - the flag is in () and stays unset, while it reacted to USE set on the command line before. Is it a bug, is it a hint that something undocumented is missing on my system so it's not possible to build hardened gcc, or is that only another way to limit the number of people installing hardened features with your "all or nothing" approach?

Note 1: I don't have 2.4 glibc.
Note 2: I have the same situation on i386 and amd64 systems.

Portage 2.1.1 (default-linux/amd64/2006.0, gcc-3.4.3, glibc-2.3.6-r4, 2.6.12-gentoo-r8-64 x86_64)
=================================================================
System uname: 2.6.12-gentoo-r8-64 x86_64 AMD Athlon(tm) 64 Processor 3000+
Gentoo Base System version 1.6.15
Last Sync: Sat, 16 Sep 2006 08:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.2.11
dev-lang/python: 2.3.5-r2, 2.4.2
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-apps/sandbox: 1.2.12
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils: 2.15.92.0.2-r10, 2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool: 1.5.22
virtual/os-headers: 2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -pipe -mtune=athlon64"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -pipe -mtune=athlon64"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig digest distlocks metadata-transfer sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.tu-clausthal.de/pub/linux/gentoo http://ftp.sh.cvut.cz/MIRRORS/gentoo/gentoo/ http://www.mirror.ac.uk/sites/www.ibiblio.org/gentoo/ http://gentoo.oregonstate.edu http://www.ibiblio.org/pub/Linux/distributions/gentoo"
LINGUAS="cs en en_GB"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="amd64 3dnowex X Xaw3d aalib acpi alsa apache2 apm audiofile avi berkdb bitmap-fonts browserplugin bzip2 bzlib caps cdr cli crypt cups curl dbase dbm dbx dga directfb divx4linux dlloader doc dri dvd dvdr eds elibc_glibc emboss encode esd ethereal exif fbcon flac flash foomaticdb fortran gd gdbm ggi gif gnome gpm gstreamer gtk gtk2 iconv imagemagick imlib innodb input_devices_evdev input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kernel_linux lcms lesstif libcaca libwww linguas_cs linguas_en linguas_en_GB lirc lzw lzw-tiff mad mailwrapper mbox mcal memlimit mhash mikmod mime ming mmap mmx2 mng motif mozilla mp3 mpeg multislot mysql ncurses nls nptl offensive oggvorbis openal opengl oss pam pcntl pcre pdflib perl php plotutils png posix pppd python qt qt3 qt4 quicktime readline reflection rtc samba sdl session shared sharedmem slang sndfile snmp sockets spell spl sqlite ssl sysvipc tcpd tetex theora tiff truetype truetype-fonts type1-fonts unicode usb userland_GNU v4l v4l2 vhosts video_cards_fbdev video_cards_nv video_cards_nvidia video_cards_r128 video_cards_vesa videos wmf xml xorg xosd xpm xsl xv xvid zip zlib"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #0)
> I have a non-hardened system, but I'm thinking about a change - I was using
> several grsecurity features in 2.4 and still think about finding something similar in 2.6 (and you
> don't make it simple with your "you can't have X and PaX at the same time" type of thinking).

You can use X with PaX/grsec. Just make sure you don't activate the Direct IO config entry (hint: iirc it's currently not supported, but works in general).

> After the upgrade of portage, the possibility to build gcc with the hardened flag disappeared
> - the flag is in () and stays unset, while it reacted to USE set on the command line
> before. Is it a bug, is it a hint that something undocumented is missing on my
> system so it's not possible to build hardened gcc, or is that only another way
> to limit the number of people installing hardened features with your "all or
> nothing" approach?

Portage just masks the USE flag as stated in profiles/default-linux/package.use.mask (as gcc compiled with hardened is no longer supported in the default profile).

Probably INVALID.

> Note 1: I don't have 2.4 glibc.
> Note 2: I have the same situation on i386 and amd64 systems.
>
> Portage 2.1.1 (default-linux/amd64/2006.0, gcc-3.4.3, glibc-2.3.6-r4, 2.6.12-gentoo-r8-64 x86_64)
                 ^^^^^^^^

Change that to hardened/amd64/ and you should be able to build gcc-3.4.6 with USE=hardened.
(In reply to comment #1)
> > After the upgrade of portage, the possibility to build gcc with the hardened flag disappeared
> > - the flag is in () and stays unset, while it reacted to USE set on the command line
> > before. Is it a bug, is it a hint that something undocumented is missing on my
> > system so it's not possible to build hardened gcc, or is that only another way
> > to limit the number of people installing hardened features with your "all or
> > nothing" approach?
>
> Portage just masks the USE flag as stated in
> profiles/default-linux/package.use.mask (as gcc compiled with hardened is no
> longer supported in the default profile).
>
> Probably INVALID.

So the change is not a bug, but a new feature ... (the previous portage ignored that). Why is hardened gcc not supported in the default profile?

> > Note 1: I don't have 2.4 glibc.
> > Note 2: I have the same situation on i386 and amd64 systems.
> >
> > Portage 2.1.1 (default-linux/amd64/2006.0, gcc-3.4.3, glibc-2.3.6-r4, 2.6.12-gentoo-r8-64 x86_64)
>                  ^^^^^^^^
> Change that to hardened/amd64/ and you should be able to build gcc-3.4.6 with
> USE=hardened

There is -3dnow -3dnowext -sse -sse2 in the hardened profiles. I think it will kill video encoding performance. That's the all-or-nothing approach - I would prefer to have the few applications I need performance-optimized with ET_EXEC base randomization disabled, not to mention that I don't think 3dnow/sse/mmx is not compatible with PIE; there are SSE-enabled libraries (like DirectFB, flac), aren't there? And amd64 has more registers than i386 anyway, plus IP-relative addressing.
(In reply to comment #2)
> > > system so it's not possible to build hardened gcc, or is that only another way
> > > to limit the number of people installing hardened features with your "all or
> > > nothing" approach?

$ cat /usr/portage/profiles/default-linux/package.use.mask
# Note that this requires portage-2.1.1+ so if you need this functionality,
# make sure your package forces a new-enough portage.
sys-devel/gcc hardened

Not a bug, the flag is package.use.masked. Use the proper hardened profile to avoid breakage.
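As an added illustration of the masking described in comment #1 and comment #3 (example code written for this page, not from the bug report or from Portage itself): it reads package.use.mask files along a profile's parent chain and reports whether USE=hardened is masked for sys-devel/gcc. The mini profile tree it builds is constructed for the demo; the hardened/amd64 parent layout and its "-hardened" unmask entry are assumptions, not the real 2006 tree.

```python
import os, tempfile

def parse_package_use_mask(path):
    """(atom, flag) pairs from one package.use.mask file; '#' comments and blank lines skipped."""
    entries = []
    if os.path.exists(path):
        with open(path) as fh:
            for line in fh:
                fields = line.split("#", 1)[0].split()
                if fields:
                    entries += [(fields[0], flag) for flag in fields[1:]]
    return entries

def profile_chain(profile_dir):
    """Profile directories in inheritance order (parents first), following each 'parent' file."""
    chain = []
    parent = os.path.join(profile_dir, "parent")
    if os.path.exists(parent):
        with open(parent) as fh:
            for rel in fh.read().split():
                chain += profile_chain(os.path.normpath(os.path.join(profile_dir, rel)))
    return chain + [profile_dir]

def masked_use(profile_dir, atom, flag):
    """True if `flag` is package.use.masked for `atom` over the whole chain ('-flag' in a child unmasks)."""
    masked = False
    for d in profile_chain(profile_dir):
        for a, f in parse_package_use_mask(os.path.join(d, "package.use.mask")):
            if a == atom and f in (flag, "-" + flag):   # plain category/package atoms only
                masked = (f == flag)   # the last matching entry along the chain wins
    return masked

def build_demo_tree():
    """Constructed mini profile tree (not a real portage checkout) mirroring the thread."""
    root = tempfile.mkdtemp()
    files = {
        "default-linux/package.use.mask": "# needs portage-2.1.1+\nsys-devel/gcc hardened\n",
        "default-linux/amd64/parent": "..\n",
        "default-linux/amd64/2006.0/parent": "..\n",
        "hardened/amd64/parent": "../../default-linux/amd64/2006.0\n",
        "hardened/amd64/package.use.mask": "sys-devel/gcc -hardened\n",   # assumed: child lifts the mask
    }
    for rel, text in files.items():
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(text)
    return root

def gcc_hardened_masked(profile):   # profile is a path relative to the profiles root
    return masked_use(os.path.join(build_demo_tree(), profile), "sys-devel/gcc", "hardened")
```

Running gcc_hardened_masked("default-linux/amd64/2006.0") reproduces the reporter's situation (flag masked), while "hardened/amd64" shows it unmasked.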