r973 - in branches/2.4-branch/BOOK: . chapter01 chapter05

robert at linuxfromscratch.org
Thu Feb 8 23:37:40 PST 2007


Author: robert
Date: 2007-02-09 00:37:39 -0700 (Fri, 09 Feb 2007)
New Revision: 973

Modified:
   branches/2.4-branch/BOOK/chapter01/changelog.xml
   branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml
   branches/2.4-branch/BOOK/general.ent
Log:
Added hardened-specs.h to gcc-pass2.

Modified: branches/2.4-branch/BOOK/chapter01/changelog.xml
===================================================================
--- branches/2.4-branch/BOOK/chapter01/changelog.xml	2007-02-08 00:34:52 UTC (rev 972)
+++ branches/2.4-branch/BOOK/chapter01/changelog.xml	2007-02-09 07:37:39 UTC (rev 973)
@@ -110,6 +110,8 @@
 </listitem>
 -->
 
+<listitem><para>February 9th, 2007 [Robert]: Added hardened-specs.h to gcc-pass2.</para></listitem>
+
 <listitem><para>February 7th, 2007 [Robert]: Added a config.site in /tools for uClibc builds.</para></listitem>
 
 <listitem><para>February 7th, 2007 [Robert]: Fix Expect to compile with uClibc (HAVE_STROPTS_H).</para></listitem>

Modified: branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml
===================================================================
--- branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml	2007-02-08 00:34:52 UTC (rev 972)
+++ branches/2.4-branch/BOOK/chapter05/gcc-pass2.xml	2007-02-09 07:37:39 UTC (rev 973)
@@ -82,6 +82,124 @@
 echo "#undef STANDARD_INCLUDE_DIR
 #define STANDARD_INCLUDE_DIR 0" >> gcc/config/linux.h</userinput></screen>
 
+<para>We can change the default behavior of GCC to add various flags by
+creating a hardened specs header file which redefines GCC spec strings. A
+detailed summary of the GCC specs is available here:
+<ulink url="http://developer.apple.com/documentation/developertools/gcc-4.0.1/gcc/Spec-Files.html"/>.</para>
+
+    <para>The next command creates a header file that will be included during
+    the build of GCC to reset the default behaviour to add compiler options which
+    will take optimal advantage of Grsecurity kernels, and make the system less
+    vulnerable:</para>
+
+<screen><userinput>cat > gcc/hardened-specs.h << "EOF"
+#ifndef HARDENED_SPECS_H
+#define HARDENED_SPECS_H
+
+#if defined(__i386__) && defined(__linux__) && defined(__ELF__) \
+    && defined(HAVE_LD_PIE)
+
+#undef CC1_SPEC
+#define CC1_SPEC "%(cc1_cpu) %{profile:-p} \
+    %{D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pic|fno-PIC \
+    :;shared|nostdlib|nostartfiles:-fPIC} \
+    %{static|D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pie|fno-PIE| \
+    shared|nostdlib|nostartfiles:;:-fPIE}"
+
+#undef CC1PLUS_SPEC
+#define CC1PLUS_SPEC \
+    "%{D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pic|fno-PIC \
+    :;shared|nostdlib|nostartfiles:-fPIC} \
+    %{static|D__KERNEL__|fpic|fPIC|fpie|fPIE|fno-pie|fno-PIE| \
+    shared|nostdlib|nostartfiles:;:-fPIE}"
+
+#undef ENDFILE_SPEC
+#define ENDFILE_SPEC "%{static|nopie:crtend.o%s;:crtendS.o%s} crtn.o%s"
+
+#undef STARTFILE_SPEC
+#define STARTFILE_SPEC "%{shared:;pg|p|profile:gcrt1.o%s; \
+        static|nopie:crt1.o%s;:Scrt1.o%s} crti.o%s \
+        %{static:crtbeginT.o%s;nopie:crtbegin.o%s;:crtbeginS.o%s}"
+
+#undef LINK_PIE_SPEC
+#define LINK_PIE_SPEC "%{pie:-pie} %{!static:%{!Bstatic: \
+        %{nonow:-z lazy;:-z now} %{norelro:-z norelro;:-z relro} \
+        %{nocombreloc:-z nocombreloc;:-z combreloc} \
+        %{shared|Bshareable|i|r|pie|nopie:;:-pie}}}"
+
+#else /* __i386__ && __linux__ && __ELF__ && HAVE_LD_PIE */
+#error "You are using an unsupported system. This header can not be used."
+#endif /* __i386__ && __linux__ && __ELF__ && HAVE_LD_PIE */
+#endif /* HARDENED_SPECS_H */
+EOF</userinput></screen>
+
+    <para>This command includes the hardened-specs header in the right place:</para>
+
+<screen><userinput>cp -vi gcc/gcc.c{,.orig}
+sed '0,/.*config.h can define.*/s//#include "hardened-specs.h"\n&/' \
+    gcc/gcc.c.orig > gcc/gcc.c</userinput></screen>
+
+    <para>Make a copy this header file so we can use it again in chapter 6:</para>
+
+<screen><userinput>cp -v gcc/hardened-specs.h /tools</userinput></screen>
+
+<variablelist>
+    <title>Flags to disable specific options:</title>
+
+      <varlistentry>
+        <term><parameter><option>-fno-pic -fno-PIC</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>gcc</command> <option>-fPIC</option>'.
+          If <option>-fpic</option> is used, this will be used instead of
+          <option>-fPIC</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter><option>-fno-pie -fno-PIE</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>gcc</command> <option>-fPIE</option>'.
+          If <option>-fpie</option> is used, this will be used instead of
+          <option>-fPIE</option>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter><option>-nopie</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>ld</command> <option>-z pie</option>'
+          as well as disable the linking to <filename class="libraryfile">crtendS.o</filename>,
+          <filename class="libraryfile">Scrt1.o</filename>, and
+          <filename class="libraryfile">crtbeginS.o</filename>.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter><option>-norelro</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>ld</command> <option>-z relro</option>'
+          and enable '<command>ld</command> <option>-z norelro</option>'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter><option>-nocombreloc</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>ld</command> <option>-z combreloc</option>'
+          and enable '<command>ld</command> <option>-z nocombreloc</option>'.</para>
+        </listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><parameter><option>-nonow</option></parameter></term>
+        <listitem>
+          <para>This will disable '<command>ld</command> <option>-z now</option>'
+          and enable '<command>ld</command> <option>-z lazy</option>'.</para>
+        </listitem>
+      </varlistentry>
+
+</variablelist>
+
     <para>Create a separate build directory again:</para>
 
 <screen><userinput>mkdir -v ../gcc-build
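Review bot: the `#error` branch at the end of hardened-specs.h makes this hunk a hard failure on anything but an i386 build host, because the `defined(__i386__) && defined(__linux__) && defined(__ELF__) && defined(HAVE_LD_PIE)` guard is evaluated by the preprocessor of the compiler that is compiling gcc/gcc.c (the build machine), not against the configured target, and the sed that follows includes the header unconditionally; a non-i386 host, or a GCC configured without HAVE_LD_PIE, now stops with "You are using an unsupported system" instead of producing the unhardened compiler it produced before. Either state in the text that these instructions are i386-only or replace the `#error` with an empty `#else` so the header is a no-op elsewhere. Two smaller points in the same region: the sed anchors the include on the comment text `config.h can define`, which is the right spot (it lands after tm.h, where the target headers define CC1_SPEC, STARTFILE_SPEC, ENDFILE_SPEC and LINK_PIE_SPEC, so the `#undef`s override them) but does nothing, silently, if that comment is ever reworded, so follow it with a check such as `grep -q hardened-specs.h gcc/gcc.c`, or verify on the finished compiler that `gcc -dumpspecs` shows `-fPIE` in the `*cc1:` section; and the `-nopie` entry in the variablelist says it disables `ld -z pie`, while what the spec actually emits and suppresses is `-pie` (`%{pie:-pie}` and the trailing `:-pie}`), so the description should read `ld -pie`. Note also that the PIC clause of CC1_SPEC and CC1PLUS_SPEC does not exclude `static` the way the PIE clause does, so `gcc -static -nostdlib` still gets `-fPIC`; if that is intended it deserves a sentence. Minor: "Make a copy this header file" is missing "of", and `cp -vi gcc/gcc.c{,.orig}` will prompt and block an unattended build if gcc.c.orig already exists.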

Modified: branches/2.4-branch/BOOK/general.ent
===================================================================
--- branches/2.4-branch/BOOK/general.ent	2007-02-08 00:34:52 UTC (rev 972)
+++ branches/2.4-branch/BOOK/general.ent	2007-02-09 07:37:39 UTC (rev 973)
@@ -1,6 +1,6 @@
 <?xml version="1.0" encoding="ISO-8859-1"?>
-<!ENTITY version "2.4-branch-20070207">
-<!ENTITY releasedate "February 7th, 2007">
+<!ENTITY version "2.4-branch-20070209">
+<!ENTITY releasedate "February 9th, 2007">
 <!ENTITY milestone "1.0">
 
 <!ENTITY lfs-root "http://www.linuxfromscratch.org/">




More information about the hlfs-book mailing list