| Field | Value |
|---|---|
| Summary | [toolchain] Enable full relro / -z,now in LDFLAGS by default |
| Product | Gentoo Linux |
| Reporter | Hanno Böck <hanno> |
| Component | Current packages |
| Assignee | Gentoo Toolchain Maintainers <toolchain> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | ago, bertrand, dilfridge, hardened, sam |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 876891, 892952 |
| Bug Blocks | 750917 |
Description
Hanno Böck

---

Comment #1 (Agostino Sarubbo):

I understand your concern, but at some point there will be no difference between the default profile and the hardened profile.

---

That would in my view be a good outcome. "Gentoo hardened" originated in a time where many exploit mitigation features were considered optional. Most of what originally was hardened, like stack protection and ASLR, are considered default everywhere these days.

---

(In reply to Agostino Sarubbo from comment #1)
> I understand your concern, but at some point there will be no difference
> between the default profile and the hardened profile

This isn't a reason by itself to not do it, and the aim is always to get stuff into vanilla builds if we can help it. Hardened is both a testing ground for new hardening stuff which might never make it to vanilla but also stuff where we want it to mature and then graduate.

Anyway, here's a recent summary of the differences: https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes. Soon, we'll add -D_FORTIFY_SOURCE=3 and -D_GLIBCXX_ASSERTIONS to hardened.

---

Comment #4 (Andreas K. Hüttel):

> Full relro is a hardening feature enabled by the linker flags
> "-z,relro,-z,now". It's enabled in Gentoo hardened, but not by default.
> [...]
> I'd suggest to enable it with profile-23.0.

Works for me, but we need to nail down some technical details first.

In hardened, this is enabled by hardwiring "-z,relro,-z,now" into LDFLAGS in gcc. That basically means all linker calls coming from gcc are handled (but, e.g., none from clang).

Making this a bit more configurable and moving it to general default is straightforward. But...

Would it make sense to do this inside ld.bfd instead? It already has a build time option to enable "relro" by default, would need a similar one for "now".

Then again, that would handle all usage of ld.bfd and none of (bäh) ld.gold and ld.lld ...
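Because the thread's point is that the flag only reaches binaries linked through gcc (not clang, not a bare ld.gold/ld.lld call), the useful check on a Gentoo host is to inspect the produced ELF rather than trust the toolchain default. The following is an added example, not code from the bug or from Gentoo: it classifies a binary as no / partial / full RELRO from `readelf -l` (PT_GNU_RELRO segment) and `readelf -d` (BIND_NOW or FLAGS_1 NOW) output. The `relro_status` and `check_binary` function names and the `PH_*`/`DYN_*` sample outputs are constructed for this example; the live check assumes GNU binutils' `readelf` is in PATH.

```shell
#!/bin/sh
# Added example (not from the bug thread): classify RELRO state of an ELF.
#
# "-z relro" makes the linker emit a PT_GNU_RELRO segment, which the loader
# remaps read-only after relocation. "-z now" additionally sets BIND_NOW /
# FLAGS_1 NOW so all symbols are resolved at load time and the whole GOT can be
# covered by that segment. Only the combination is "full RELRO"; relro without
# now is "partial RELRO" and leaves the lazy-bound GOT writable.

relro_status() {
    # $1: output of 'readelf -lW <bin>'   $2: output of 'readelf -dW <bin>'
    if ! printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        echo "No RELRO"
    elif printf '%s\n' "$2" | grep -Eq '\(BIND_NOW\)|\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW'; then
        echo "Full RELRO"
    else
        echo "Partial RELRO"
    fi
}

# Live check of a file on disk (assumes binutils' readelf is available).
check_binary() {
    relro_status "$(readelf -lW "$1" 2>/dev/null)" "$(readelf -dW "$1" 2>/dev/null)"
}

# Constructed sample readelf output, trimmed to the relevant lines
# (hypothetical values, not captured from a real binary).
PH_WITH_RELRO='Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
  DYNAMIC        0x0000000000002db8 0x0000000000003db8 0x0000000000003db8
  GNU_RELRO      0x0000000000002da8 0x0000000000003da8 0x0000000000003da8'
PH_WITHOUT_RELRO='Program Headers:
  Type           Offset             VirtAddr           PhysAddr
  LOAD           0x0000000000000000 0x0000000000000000 0x0000000000000000
  DYNAMIC        0x0000000000002db8 0x0000000000003db8 0x0000000000003db8'
DYN_NOW='Dynamic section at offset 0x2db8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
DYN_LAZY='Dynamic section at offset 0x2db8 contains 26 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000006ffffffb (FLAGS_1)            Flags: PIE'

# The three outcomes the thread distinguishes, labelled by the link flags
# that would produce them.
echo "-Wl,-z,relro -Wl,-z,now : $(relro_status "$PH_WITH_RELRO" "$DYN_NOW")"
echo "-Wl,-z,relro (lazy)     : $(relro_status "$PH_WITH_RELRO" "$DYN_LAZY")"
echo "-Wl,-z,norelro          : $(relro_status "$PH_WITHOUT_RELRO" "$DYN_LAZY")"
```

Run `check_binary /path/to/binary` on a freshly built package to see whether the link actually went through a driver that injects `-z now`; a "Partial RELRO" result on a system where the toolchain default is supposed to be full RELRO is the signature of the clang/ld.gold/ld.lld gap comment #4 describes.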
---

(In reply to Andreas K. Hüttel from comment #4)
> > Full relro is a hardening feature enabled by the linker flags
> > "-z,relro,-z,now". It's enabled in Gentoo hardened, but not by default.
> > [...]
> > I'd suggest to enable it with profile-23.0.

At second thought...

"-z relro" is already enabled by default in Gentoo since 2017.

"-z now" is available in gcc via the hardening flags, so let's just move it out of there and control it with a separate useflag.

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=adf44514cf590a860b3140efae31187854cf8cea

```
commit adf44514cf590a860b3140efae31187854cf8cea
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 00:25:46 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-05 00:26:35 +0000

    toolchain.eclass: allow default-znow, default-stack-clash-protection for 12.2.1_p20221203

    Bug: https://bugs.gentoo.org/675050
    Bug: https://bugs.gentoo.org/876923
    Signed-off-by: Sam James <sam@gentoo.org>

 eclass/toolchain.eclass | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
```

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=975678507aa3cebb0d1d1919d4b684c64d50ffe7

```
commit 975678507aa3cebb0d1d1919d4b684c64d50ffe7
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2022-12-05 00:25:19 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-12-05 00:26:34 +0000

    sys-devel/gcc: use patchset 3 for 12.2.1_p20221203

    Includes the default-* hardening bits.

    Bug: https://bugs.gentoo.org/675050
    Bug: https://bugs.gentoo.org/876923
    Signed-off-by: Sam James <sam@gentoo.org>

 sys-devel/gcc/Manifest                    | 1 +
 sys-devel/gcc/gcc-12.2.1_p20221203.ebuild | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
```

---

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=8bfd8afef6dd8c66def48ef52abcb624c0077ad1

```
commit 8bfd8afef6dd8c66def48ef52abcb624c0077ad1
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2024-03-23 15:04:34 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2024-03-23 15:38:51 +0000

    sys-devel/clang-common: updates for 23.0

    * Promote -Wl,-z,now to vanilla, following GCC (bug #876923)
    * Add USE=cet to control -fcf-protection, following GCC (bug #908600, bug #927298)

    Bug: https://bugs.gentoo.org/876923
    Bug: https://bugs.gentoo.org/927298
    Closes: https://bugs.gentoo.org/908600
    Signed-off-by: Sam James <sam@gentoo.org>

 profiles/arch/amd64/package.use.mask                  |   1 +
 profiles/base/package.use.mask                        |   1 +
 profiles/features/musl/package.use.mask               |   1 +
 .../clang-common/clang-common-17.0.6-r2.ebuild        | 295 ++++++++++++++++++++
 .../clang-common/clang-common-18.1.2-r1.ebuild        | 297 +++++++++++++++++++++
 .../clang-common/clang-common-19.0.0.9999.ebuild      |  10 +-
 .../clang-common-19.0.0_pre20240316.ebuild            |  10 +-
 sys-devel/clang-common/metadata.xml                   |  10 +
 8 files changed, 621 insertions(+), 4 deletions(-)
```

---

This is fixed in the 23.0 profiles (available and stable now). Closing.