PIE & PAX

Robert Connolly cendres at videotron.ca
Fri Feb 27 16:34:49 PST 2004


I'd like to refresh the buglist:

Binutils _testsuite_ doesn't like pie, ssp, or pax. Binutils make check will 
pass if -fno-stack-protector and -no-pie are in CFLAGS just for the 
testsuite. -no-pie needs to be add into 2 test.exp files. The problem with 
pax_flags is the testsuite isn't expecting the added fields from pt_pax and 
match tests are failing. Binutils is the only testsuite in the lfs base that 
has these problems. There are many possible solutions... maybe the cc1_specs 
can be modified with something I haven't tried yet (see note below), the 
testsuite could be repaired to work with at least pie, or the testsuite could 
be hacked to shut up and stop complaining.
Note: With exception to grub everything builds with pie unless its static. Its 
not right to add a list of filters ahead of -pie just to satisfy binutils 
testsuite. SSP is different, it doesn't belong in libs, just main 
executables. So to build something like glibc or gcc with SSP, either use 
'env CFLAGS/CXXFLAGS' and let the makefiles figure it out, or use a lengthy 
list of filters in cc1_specs.

Grub doesn't like pie or ssp. I'm pretty sure its the only dynamic executable 
left, other than gcc2. I'm not sure if it makes any difference if grub is 
staticly linked, it should still work either way. If its staticly linked 
RANDEXEC can be disabled in the pax kernel to improve preformance with almost 
no loss in functionality/security from pax.

And basicly all the glibc applications have text relocation. This doesn't seem 
to affect building minor apps, but would mean notextrel couldn't be enabled 
if the system were to rebuild itself. This should be fixable though with some 
investigation.

And in OpenPaX 2.6 patch this error is screwing up the hwclock.
security/pax/Kconfig.openpax:54:warning: 'select' used by config symbol 
'OPENPAX_IO' refer to undefined symbol 'CONFIG_RTC'

I think using this i/o option would eliminate the need for the hwclock script 
on boot, since its hardcoded in the kernel. I didn't check but grsec should 
have a similiar feature for kernel-2.4.




More information about the hlfs-dev mailing list