| Summary: | After upgrade to portage-2.1.1 gcc can't be built with hardened | | |
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Honza <hkmaly> |
| Component: | Hardened | Assignee: | The Gentoo Linux Hardened Team <hardened> |
| Status: | RESOLVED INVALID | | |
| Severity: | normal | | |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Package list: | | Runtime testing required: | --- |
Description
Honza
2006-09-16 03:55:54 UTC
(In reply to comment #0)
> I have a non-hardened system, but I'm thinking about change - I was using
> several grsecurity in 2.4 and still think about finding similar in 2.6 (and you
> don't make it simple with your "you can't have X and PaX at same time" type of thinking).

You can use X with PaX/grsec. Just make sure you don't activate the Direct IO config entry (hint: iirc it's currently not supported, but works in general).

> After upgrade of portage, possibility to build gcc with hardened flag disappeared
> - the flag is in () and stays unset, while it reacted on commandline USE set
> before. Is it a bug, is it a hint that something undocumented is missing on my
> system so it's not possible to build hardened gcc, or is that only another way
> to limit number of people installing hardened features with your "all or
> nothing" approach ?

portage just masks the useflag as stated in profiles/default-linux/package.use.mask (as gcc compiled with hardened is no longer supported in the default profile).

Probably INVALID.

> Note 1: I don't have 2.4 glibc.
> Note 2: I have same situation on i386 and amd64 system.
>
> Portage 2.1.1 (default-linux/amd64/2006.0, gcc-3.4.3, glibc-2.3.6-r4, 2.6.12-gentoo-r8-64 x86_64)
                ^^^^^^^^

Change that to hardened/amd64/ and you should be able to build gcc-3.4.6 with USE=hardened


> > After upgrade of portage, possibility to build gcc with hardened flag disappeared
> > - the flag is in () and stays unset, while it reacted on commandline USE set
> > before. Is it a bug, is it a hint that something undocumented is missing on my
> > system so it's not possible to build hardened gcc, or is that only another way
> > to limit number of people installing hardened features with your "all or
> > nothing" approach ?
>
> portage just masks the useflag as stated in
> profiles/default-linux/package.use.mask (as gcc compiled with hardened is no
> longer supported in the default profile).
>
> Probably INVALID.

So the change is not a bug, but a new feature ... (previous portage ignored that). Why is hardened gcc not supported in the default profile ?

> > Note 1: I don't have 2.4 glibc.
> > Note 2: I have same situation on i386 and amd64 system.
> >
> > Portage 2.1.1 (default-linux/amd64/2006.0, gcc-3.4.3, glibc-2.3.6-r4, 2.6.12-gentoo-r8-64 x86_64)
>                 ^^^^^^^^
> Change that to hardened/amd64/ and you should be able to build gcc-3.4.6 with
> USE=hardened

There is -3dnow -3dnowext -sse -sse2 in hardened profiles. I think it will kill video encoding performance. That's the all-or-nothing approach - I would prefer to have the few applications I need performance-optimized with disabled ET_EXEC base randomization, not speaking about that I don't think 3dnow/sse/mmx is not compatible with pie, there are sse enabled libraries (like DirectFB, flac), aren't they ? And amd64 has more registers than i386 anyway, plus IP-relative addressing.


(In reply to comment #2)
> > > system so it's not possible to build hardened gcc, or is that only another way
> > > to limit number of people installing hardened features with your "all or
> > > nothing" approach ?

    $ cat /usr/portage/profiles/default-linux/package.use.mask
    # Note that this requires portage-2.1.1+ so if you need this functionality,
    # make sure your package forces a new-enough portage.
    sys-devel/gcc hardened

Not a bug, the flag is package.use.masked. Use proper hardened profile to avoid breakage.
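The last comment resolves the report by pointing at profiles/default-linux/package.use.mask. The following added Python (not Portage's own code) mimics how Portage stacks package.use.mask entries along a profile's parent chain, where a later profile can lift a mask with a leading `-`; apart from the sys-devel/gcc line quoted in the report, the profile contents and the child profile are constructed, and only plain category/package atoms are matched.

```python
"""Mimic how Portage stacks package.use.mask across a profile chain.

Constructed example; not Portage's own code. Only plain category/package
atoms are matched; version-qualified atoms are outside this toy's scope.
"""
from typing import List, Set, Tuple

# Stand-in for profiles/default-linux/package.use.mask as quoted in the bug.
DEFAULT_LINUX_USE_MASK = """\
# Note that this requires portage-2.1.1+ so if you need this functionality,
# make sure your package forces a new-enough portage.
sys-devel/gcc hardened
"""

# Constructed child profile (hypothetical) that lifts the mask with '-flag'.
CHILD_USE_MASK = """\
sys-devel/gcc -hardened
"""


def parse_use_mask(text: str) -> List[Tuple[str, List[str]]]:
    """Return (atom, flags) pairs; lines starting with '#' and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        atom, *flags = line.split()
        entries.append((atom, flags))
    return entries


def masked_flags(profile_chain: List[str], package: str) -> Set[str]:
    """Walk profiles parent-first; a '-flag' entry in a later profile unmasks."""
    masked: Set[str] = set()
    for text in profile_chain:
        for atom, flags in parse_use_mask(text):
            if atom != package:
                continue
            for flag in flags:
                if flag.startswith("-"):
                    masked.discard(flag[1:])
                else:
                    masked.add(flag)
    return masked


def is_masked(profile_chain: List[str], package: str, flag: str) -> bool:
    """True when the flag ends up masked for the package after stacking."""
    return flag in masked_flags(profile_chain, package)
```

With only the default-linux file in the chain, `is_masked([...], "sys-devel/gcc", "hardened")` is True, which is why the flag shows up in parentheses; a profile that does not carry (or that lifts) the entry leaves it settable.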