robert at linuxfromscratch.org
Mon May 28 17:59:47 PDT 2007
I made a new gcc-specs patch that seems to be working. I used gcc/configure.ac
from NetBSD; it checks:
nm $(gcc -print-file-name=libc.a) | grep __stack_chk_fail
for libc_provides_ssp, so it works with uClibc, and glibc, and in /tools. It
doesn't work if you don't have a libc.a, though.
The new patch does nothing by default, we need to:
echo '#define DEFAULT_SSP' >> gcc/hardened-config.h
and so on, to turn stuff on. It appends to cpp_spec, cc1_spec, and
cc1plus_spec, so it's a little bit more portable to non-x86. Except I
couldn't do that with the startfile and endfile specs, they have to be
I removed -fpic completely. Libraries use -fpic anyway, and packages like
mesa-lib that don't use -fpic need patches whether the gcc specs use -fpic or
not, so just add -fpic to the patch.
I've also been experimenting with glibc builds:
# configparms for the libraries: no SSP, no FORTIFY_SOURCE
echo 'CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms &&
# configparms for the programs: hardened
echo 'CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2
CXXFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2' > configparms &&
# back to the unhardened flags
echo 'CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms
Glibc has some serious issues when building with ssp or fortify_source, and
there isn't really a way around it. The above commands will leave the
libraries alone, but harden the programs. It's probably as good as it'll get,
except that minor libraries like libresolv could probably also be hardened.
It also means the libc workarounds can come out of the gcc specs. I didn't
get the above working with -pie though, but eventually it should.
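The libc_provides_ssp check quoted above (nm on libc.a, grep for __stack_chk_fail) has two weak spots the message itself names or implies: it fails outright when there is no libc.a, and a bare grep also matches an undefined "U __stack_chk_fail" reference left by some object that was itself built with -fstack-protector. The script below is an added example, not code from the message or from the gcc-specs patch it describes. It accepts only a defined symbol, falls back to the shared C library when the static archive is absent, and distinguishes "libc found but no SSP runtime" from "no libc found". The shared-library names libc.so.6 (glibc) and libc.so.0 (uClibc), the --check flag and the return-code convention are assumptions of this example; it needs a working compiler and binutils nm on PATH to run for real.

```sh
#!/bin/sh
# Added example: reproduce the libc_provides_ssp test from gcc/configure.ac
# (nm on libc.a, look for __stack_chk_fail) with two extra checks:
#   - only a *defined* __stack_chk_fail counts, not an undefined reference
#   - when no libc.a exists, inspect the shared libc with nm -D instead
# Assumed names (not from the original message): libc.so.6 / libc.so.0,
# the --check flag, and the 0/1/2 return codes.

# Read nm output on stdin. Succeed only if __stack_chk_fail (optionally with a
# @GLIBC_x.y version suffix, as nm -D prints it) is defined (T/t/W/w) rather
# than merely referenced (U) by some archive member.
ssp_symbol_defined() {
    awk '$NF ~ /^__stack_chk_fail(@|$)/ && $(NF-1) ~ /^[TtWw]$/ { found = 1 }
         END { exit (found ? 0 : 1) }'
}

# gcc -print-file-name=NAME echoes NAME unchanged when it cannot find the file,
# so "found" means the answer differs from the bare name and exists on disk.
resolve_libfile() {
    path=$("$1" -print-file-name="$2" 2>/dev/null) || return 1
    [ "$path" != "$2" ] && [ -f "$path" ] && printf '%s\n' "$path"
}

# libc_provides_ssp [CC]: returns 0 if the C library ships the SSP runtime,
# 1 if a libc was found but lacks it, 2 if no libc could be located at all.
libc_provides_ssp() {
    cc=${1:-cc}
    if static=$(resolve_libfile "$cc" libc.a); then
        nm "$static" 2>/dev/null | ssp_symbol_defined
        return
    fi
    # No static archive (e.g. a libc built without static libs): try the DSO.
    for so in libc.so.6 libc.so.0; do
        if shared=$(resolve_libfile "$cc" "$so"); then
            nm -D "$shared" 2>/dev/null | ssp_symbol_defined
            return
        fi
    done
    return 2
}

# Command-line use (constructed for this example): ./ssp-check.sh --check [CC]
if [ "${1-}" = "--check" ]; then
    libc_provides_ssp "${2:-cc}"; rc=$?
    case $rc in
        0) echo "libc provides __stack_chk_fail: SSP can be on by default" ;;
        1) echo "libc lacks __stack_chk_fail: do not enable SSP in the specs" ;;
        *) echo "could not locate a libc via ${2:-cc}" ;;
    esac
    exit "$rc"
fi
```

Run it as `./ssp-check.sh --check` for the default compiler, or `./ssp-check.sh --check /tools/bin/gcc` to test the libc that a toolchain in /tools actually links against; ssp_symbol_defined can also be fed nm output directly, which is how it is tested offline.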