PIE & PAX
cendres at videotron.ca
Fri Feb 27 16:34:49 PST 2004
I'd like to refresh the buglist:
Binutils _testsuite_ doesn't like pie, ssp, or pax. Binutils make check will
pass if -fno-stack-protector and -no-pie are in CFLAGS just for the
testsuite. -no-pie needs to be add into 2 test.exp files. The problem with
pax_flags is the testsuite isn't expecting the added fields from pt_pax and
match tests are failing. Binutils is the only testsuite in the lfs base that
has these problems. There are many possible solutions... maybe the cc1_specs
can be modified with something I haven't tried yet (see note below), the
testsuite could be repaired to work with at least pie, or the testsuite could
be hacked to shut up and stop complaining.
Note: With exception to grub everything builds with pie unless its static. Its
not right to add a list of filters ahead of -pie just to satisfy binutils
testsuite. SSP is different, it doesn't belong in libs, just main
executables. So to build something like glibc or gcc with SSP, either use
'env CFLAGS/CXXFLAGS' and let the makefiles figure it out, or use a lengthy
list of filters in cc1_specs.
Grub doesn't like pie or ssp. I'm pretty sure its the only dynamic executable
left, other than gcc2. I'm not sure if it makes any difference if grub is
staticly linked, it should still work either way. If its staticly linked
RANDEXEC can be disabled in the pax kernel to improve preformance with almost
no loss in functionality/security from pax.
And basicly all the glibc applications have text relocation. This doesn't seem
to affect building minor apps, but would mean notextrel couldn't be enabled
if the system were to rebuild itself. This should be fixable though with some
And in OpenPaX 2.6 patch this error is screwing up the hwclock.
security/pax/Kconfig.openpax:54:warning: 'select' used by config symbol
'OPENPAX_IO' refer to undefined symbol 'CONFIG_RTC'
I think using this i/o option would eliminate the need for the hwclock script
on boot, since its hardcoded in the kernel. I didn't check but grsec should
have a similiar feature for kernel-2.4.
More information about the hlfs-dev