Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
Date: Thu, 09 Feb 2012 16:46:40 +0100 (CET)
From: g.esp@...e.fr
To: owl-dev@...ts.openwall.com
Subject: Re: -Wl,-z,now (was: %optflags for new gcc)

----- Original Message -----
> From: "Vasiliy Kulikov" <segoon@...nwall.com>
> To: owl-dev@...ts.openwall.com
> Sent: Thursday, 9 February 2012 15:51:21
> Subject: Re: [owl-dev] -Wl,-z,now (was: %optflags for new gcc)
> 
> Hi Gilles,
> 
> On Wed, Feb 08, 2012 at 08:18 +0100, Gilles Espinasse wrote:
> > That's doable to have a nonow option when patching the specs like
> > in
> > http://ipcop.svn.sourceforge.net/viewvc/ipcop/ipcop/trunk/src/patches/gcc-4.4.5_fpie-1.patch?view=log
> > Patch was borrowed as is from HLFS.
> 
> Thank you for the information!
> 
> However, I hesitate to introduce -z,nonow as an alias to -z,lazy - Owl
> is not so widespread that it should introduce such trivial new args.  IMHO it
> would confuse new users/developers rather than simplify spec files.
> 
I should say we have nonow on ipcop because we are lazy: someone made that patch and we used that change.

We haven't felt the need to use nonow on ipcop. Probably the only case was when I tried some klibc hack disabling every hardening option, trying to make our floppy boot fit the size again. But the overhead was mostly due to the bigger kernel, caused by the stackprotector option. As, if you compile a kernel without the stackprotector option, you need to compile the modules with that same option, we left the floppy broken (and nobody asked for it) so as not to be forced to compile the kernel twice just for the boot floppy.

We had only a few issues on ipcop with PIE enabled by default, on a few packages; not so hard, as it was done long after Gentoo.
gnupg-1.4 and psmisc>22.13 are compiled with LDFLAGS += -pie, or a TEXTREL issue happens for us (not for Gentoo; that may be an issue in your gcc pie patch, Gentoo's change is far more elaborate).
syslinux has another issue (only if you don't follow the distribution's advice not to fully recompile syslinux); I have a patch to fix that for upstream.

With fully hardened defaults, the only remaining issues are the test suites of binutils, gcc and gdb (maybe glibc).
I know there is a bunch of patches aiming to fix that; I haven't tried them yet.

Gilles
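
The flags this thread is about (-Wl,-z,now versus lazy binding, PIE, and the TEXTREL problem Gilles hit on gnupg and psmisc) all end up as entries in the ELF dynamic section, so a distribution can audit built packages for them mechanically. The script below is an added example, not code from the original message nor from the Owl or IPCop trees: it parses a little-endian ELF64 image directly (no readelf needed), reports BIND_NOW, TEXTREL and PIE, and includes a small builder that constructs minimal, non-runnable ELF images as sample input so the check can be exercised offline. The constants are the standard ones from elf.h; the file name elfcheck.py and the sample images are assumptions for illustration.

```python
"""Report the dynamic-section hardening flags of an ELF64 binary:
BIND_NOW (the effect of -Wl,-z,now), TEXTREL, and PIE."""
import struct
import sys

# Values from the ELF specification / glibc elf.h.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW = 0x4, 0x8
DF_1_NOW, DF_1_PIE = 0x1, 0x08000000


def parse_elf64_dynamic(data: bytes):
    """Return (e_type, {d_tag: d_val}) for a little-endian ELF64 image.

    Walks the program headers to the PT_DYNAMIC segment and reads entries up
    to DT_NULL. Only the first occurrence of a tag is kept; repeated tags such
    as DT_NEEDED do not matter for the flags checked here."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_type, _machine, _version, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum) = struct.unpack_from("<HHIQQQIHHH", data, 16)
    dyn = {}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, _pflags, p_offset, _vaddr, _paddr, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type != PT_DYNAMIC:
            continue
        for j in range(p_filesz // 16):
            d_tag, d_val = struct.unpack_from("<qQ", data, p_offset + j * 16)
            if d_tag == DT_NULL:
                break
            dyn.setdefault(d_tag, d_val)
        break
    return e_type, dyn


def hardening_report(data: bytes) -> dict:
    """Summarise the flags a hardened build should (or should not) carry."""
    e_type, dyn = parse_elf64_dynamic(data)
    flags = dyn.get(DT_FLAGS, 0)
    flags1 = dyn.get(DT_FLAGS_1, 0)
    return {
        # -Wl,-z,now: the linker records immediate binding in any of three ways.
        "bind_now": DT_BIND_NOW in dyn
        or bool(flags & DF_BIND_NOW)
        or bool(flags1 & DF_1_NOW),
        # Text relocations: the problem gnupg/psmisc showed when not linked -pie.
        "textrel": DT_TEXTREL in dyn or bool(flags & DF_TEXTREL),
        # ET_DYN alone also matches shared libraries; DF_1_PIE, set by newer
        # linkers, is the unambiguous PIE marker.
        "et_dyn": e_type == ET_DYN,
        "df_1_pie": bool(flags1 & DF_1_PIE),
    }


def build_sample_elf(e_type: int, dyn_entries) -> bytes:
    """Construct a minimal ELF64 image with one PT_DYNAMIC segment.

    The image has no code and cannot execute; it exists only as constructed
    sample input for hardening_report()."""
    dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    ehsize, phentsize, phnum = 64, 56, 1
    dyn_off = ehsize + phentsize * phnum
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, ehsize, 0, 0,
                               ehsize, phentsize, phnum, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, dyn_off, dyn_off,
                       len(dyn), len(dyn), 8)
    return ehdr + phdr + dyn


# Constructed samples (assumptions, not real packages): a lazily bound PIE,
# a BIND_NOW PIE that still carries a text relocation, and a non-PIE
# executable linked with -z,now.
LAZY_PIE = build_sample_elf(ET_DYN, [(DT_FLAGS_1, DF_1_PIE)])
NOW_PIE_TEXTREL = build_sample_elf(
    ET_DYN, [(DT_FLAGS, DF_BIND_NOW | DF_TEXTREL), (DT_FLAGS_1, DF_1_NOW | DF_1_PIE)])
NON_PIE_EXEC = build_sample_elf(ET_EXEC, [(DT_BIND_NOW, 0)])

if __name__ == "__main__":
    # Usage: python3 elfcheck.py /path/to/binary  (defaults to a built-in sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else NOW_PIE_TEXTREL
    for name, value in hardening_report(data).items():
        print(f"{name:9} {value}")
```

Run it against a real build to see whether the spec-file default actually took effect; `readelf -d binary | grep -E 'BIND_NOW|TEXTREL|FLAGS'` shows the same tags if binutils is at hand. A binary with textrel true is exactly the case the thread describes: it either needs -pie in LDFLAGS (as Gilles did for gnupg-1.4 and psmisc) or a source fix, since text relocations defeat the write-protection of the code segment.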
