Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 10 Nov 2011 23:48:07 +0400
From: "Dmitry V. Levin" <ldv@...linux.org>
To: owl-dev@...ts.openwall.com
Subject: Re: %optflags for new gcc

On Mon, Nov 07, 2011 at 12:29:04AM +0400, Solar Designer wrote:
> On Sat, Nov 05, 2011 at 08:13:58PM +0400, Dmitry V. Levin wrote:
> > In Sisyphus, I changed gcc LINK_COMMAND_SPEC to pass -z relro to the
> > linker by default.  That was more than 3 years ago.
> 
> Don't you think this would be better done in binutils, such as to take
> care of packages that invoke ld directly?

My rationale was that only those projects that use quite unusual linking
schemes (like linux kernel) invoke ld directly, all the rest use gcc/g++
for linking.

> > In Sisyphus, I changed gcc spec to use -D_FORTIFY_SOURCE=2 and
> > -fstack-protector by default.  That was more than 5 years ago.
> > There were some workarounds made in several packages, but
> > I don't remember any details.
> 
> Wow.  I did not realize you had made those changes in Sisyphus.
> 
> I guess -D_FORTIFY_SOURCE=2 and -fstack-protector would cause issues
> when building kernel modules.

The -D_FORTIFY_SOURCE=2 is not an issue for linux kernel because it
doesn't use glibc (and _FORTIFY_SOURCE is a glibc feature).
The -fstack-protector is supposedly worked around in linux kernel make
files long time ago, and all modern 3rd party kernel modules use these
make files for build.

> Did ALT Linux receive (m)any problem
> reports from users trying to build additional kernel modules, such as
> hardware vendors'?  How do you recommend we deal with this?

I'm not aware of such issues.

> I just took a look at http://sisyphus.ru/en/srpm/Sisyphus/gcc4.5/patches

http://git.altlinux.org/gears/g/gcc4.5.git?p=gcc4.5.git;a=tree;f=patches
might be more up to date.

> The patches to consider in this context appear to be:
> 
> gcc44-alt-escalate-always-overflow.patch

This is very useful for policy enforcement when you have to deal with
large package repositories like Sisyphus, but might be not very suitable
for small and self-contained ones like Owl.

> gcc45-alt-defaults-relro.patch
> gcc45-alt-defaults-stack-protector.patch
> gcc43-alt-spp-buffer-size.patch
> gcc43-alt-defaults-FORTIFY_SOURCE.patch
> gcc45-deb-alt-defaults-format-security.patch
> gcc45-deb-alt-testsuite-printf.patch
> gcc45-deb-alt-testsuite-format.patch

Yes, and also gcc43-alt-testsuite.patch that adjusts test suite for
-D_FORTIFY_SOURCE=2.


-- 
ldv

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Your e-mail address:

Powered by Openwall GNU/*/Linux - Powered by OpenVZ