We became a little hung up working out the details of how we would
roll out hardened capabilities for our users, and in our own workflow.

Sabayon wants to take an incremental approach to hardening.
Hopefully, this is just out of an over-abundance of caution.  But we
are concerned about potential impacts on our users, and we need the
ability to manage the packages that are hardened.

Our current plan is to use /etc/portage/env/<file.conf> and
/etc/portage/package.env to manage the packages that will be built
hardened.

This will hopefully eliminate the need to constantly manually swap gcc
profiles, and provide a method to manage the rollout of hardened
packages.

This outline summarizes our current plan for rolling out hardened
packages incrementally:

(1) Build sys-devel/gcc with "hardened"

(2) Set gcc-config back to -vanilla by default

(3) Edit /etc/portage/env/hardened.conf and insert the following:
==============>
# This configuration assumes the default profile is -vanilla
GCC_SPECS=""
<==============

(4) Edit /etc/portage/package.env and add the packages you want to be hardened.
For example:
==============>
media-libs/tiff hardened.conf
<==============

(5) Rebuild your packages

(6) Spot check packages to confirm they are built normal or hardened
by testing one of the executables or .so libraries.

# readelf -h /usr/bin/bmp2tiff

For a hardened package, you'll see a line like this to indicate ASLR
has been built:
 Type:                              DYN (Shared object file)

If the package was built normally,
 Type:                              EXEC (Executable file)



Let us know if anybody has any feedback on this proposal.
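
A scripted form of the spot check in step (6), as an added example that is not part of the original post: it reads the ELF header type field directly and lists the atoms that package.env assigns to hardened.conf. The function names elf_type and hardened_atoms are made up for this illustration.

```shell
#!/bin/sh
# Added example: report the ELF type of each file given on the command
# line, e.g.  sh elfcheck.sh /usr/bin/bmp2tiff

# Print the ELF e_type of FILE as EXEC, DYN, OTHER or NOTELF.
# Reads the header bytes with od, so binutils is not required.
elf_type() {
    # First 18 bytes as unsigned decimals: e_ident[16] then e_type[2].
    set -- $(od -An -v -tu1 -N18 "$1" 2>/dev/null)
    [ "$#" -eq 18 ] || { echo NOTELF; return 0; }
    # e_ident must start with 0x7f 'E' 'L' 'F'.
    [ "$1 $2 $3 $4" = "127 69 76 70" ] || { echo NOTELF; return 0; }
    # EI_DATA (6th byte): 1 = little-endian, 2 = big-endian.
    if [ "$6" -eq 2 ]; then
        shift 16; type=$(( $1 * 256 + $2 ))
    else
        shift 16; type=$(( $2 * 256 + $1 ))
    fi
    case "$type" in
        2) echo EXEC ;;   # ET_EXEC: fixed load address, not PIE
        3) echo DYN ;;    # ET_DYN: PIE executable or shared library
        *) echo OTHER ;;
    esac
}

# List the atoms in a package.env file that are assigned ENVFILE
# (default: hardened.conf), skipping comment and blank lines.
hardened_atoms() {
    awk -v env="${2:-hardened.conf}" '
        $1 ~ /^#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == env) { print $1; break } }
    ' "$1"
}

# Stand-alone use: one "TYPE<TAB>path" line per argument.
for f in "$@"; do
    printf '%s\t%s\n' "$(elf_type "$f")" "$f"
done
```

Shared libraries are always type DYN regardless of how they were built, so only executables tell a hardened build apart from a normal one with this check.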
