On Thu, Apr 19, 2012 at 8:08 AM, Anthony G. Basile <bluen...@gentoo.org> wrote:
> On 04/19/2012 09:01 AM, Fabio Erculiani wrote:
>>
>> On Thu, Apr 19, 2012 at 2:47 PM, Anthony G. Basile <bluen...@gentoo.org> wrote:
>>>
>>> On 04/19/2012 08:26 AM, Mitch Harder wrote:
>>>>
>>>> On Thu, Apr 19, 2012 at 6:38 AM, Fabio Erculiani <lx...@sabayon.org> wrote:
>>>>>
>>>>> Hardened GCC (4.6 for now, 4.5 and 4.4 are coming) and Glibc are now
>>>>> in sabayon-limbo.
>>>>>
>>>>> # readelf -h /usr/lib/libutil.so | grep Type
>>>>> Type: DYN (Shared object file)
>>>>>
>>>>> Now the question is: what pkgs should be compiled with hardened flags?
>>>>>
>>> I'm confused by your readelf. All shared objects, hardened or not, are
>>> marked ET_DYN in their elf header. Look at
>>>
>>> http://www.trapkit.de/tools/checksec.html
>>>
>>> for how to check what's hardened and what's not.
>>
>> Yes, you're right. Forgive me. I guess Mitch was talking about ELF
>> executables and not shared libraries.
>
> Correct.
>
> On hardened:
> # readelf -h /bin/ls | grep Type
> Type: DYN (Shared object file)
>
> On vanilla:
> # readelf -h /bin/ls | grep Type
> Type: EXEC (Executable file)
>
> But this is just PIE. For SSP check for the __stack_chk_fail symbol:
>
> readelf -s /bin/ls | grep __stack_chk_fail
>
> You will see it there on hardened, but not vanilla. For _FORTIFY_SOURCES=2
> it's a bit more involved since you need to look at the various functions in
> glibc, so just use Tobias's script.
>

Thanks for those tips. Initially I used the readelf test for PIE on
executables only, but at some point I made the mistaken assumption that
the readelf test for PIE worked on libraries.

>>> In order of priority:
>>>
>>> 1) Harden the core libraries. The ones that are provided by base.
>>>
>>> 2) Harden the important binaries, again the ones provided by base.
>>>
>>> 3) Harden the setuids, which are probably all part of 2.
>>>
>>> If you do 3 without doing 1, you will have issues.
>>>

OK, how about something like this for the first step?:

emerge -1av $(cat /usr/portage/profiles/base/packages | grep -v "#" | grep -v "virtual" | grep -v "baselayout" | grep -v "gcc")

We've already hardened gcc, so there's no need to re-build it. Also, the
virtuals and baselayout package shouldn't need hardening. This gives us a
nice 26 package list.
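The readelf checks traded in the thread above, collected into one script as an added example (editor's code, not posted by anyone in the thread and not the checksec script it links). It assumes GNU binutils readelf with the -h, -lW, -dW and -sW options. It goes a little beyond the thread: the ET_DYN ambiguity that confused the PIE check on libutil.so is resolved by also looking for a PT_INTERP program header (an executable has one, a shared library does not), FORTIFY is approximated by counting imported glibc __*_chk symbols, and RELRO/BIND_NOW is checked as well. The readelf excerpts at the bottom are constructed samples, not output captured from any real host, so the classification can be exercised without readelf installed.

```shell
#!/bin/sh
# Added example, not from the thread: the readelf-based hardening checks as
# shell functions. Assumes GNU readelf (-h, -lW, -dW, -sW). Functions take
# readelf's text output as arguments so they also run on the constructed
# samples at the bottom without readelf present.

# $1 = `readelf -h FILE`, $2 = `readelf -lW FILE`. ET_DYN alone is not PIE:
# every shared library is ET_DYN too (the point made in the thread). Only a
# dynamically linked executable carries a PT_INTERP header, so combine both.
pie_status() {
    etype=$(printf '%s\n' "$1" | awk '$1 == "Type:" { print $2; exit }')
    if printf '%s\n' "$2" | grep -q '^ *INTERP'; then interp=yes; else interp=no; fi
    case "$etype/$interp" in
        DYN/yes) echo PIE ;;        # position-independent executable
        DYN/no)  echo SHARED-LIB ;; # library: the PIE question does not apply
        EXEC/*)  echo EXEC ;;       # fixed-address executable, not PIE
        *)       echo OTHER ;;      # ET_REL object, core file, ...
    esac
}

# $1 = `readelf -sW FILE`. True if the binary references __stack_chk_fail,
# i.e. at least one function got an SSP canary. Caveat: a small program with
# no protected frames shows nothing even when built with -fstack-protector,
# so "no" is a hint that the flag was missing, not proof.
has_ssp() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])__stack_chk_fail(@|[[:space:]]|$)'
}

# $1 = `readelf -sW FILE`. Counts distinct glibc __*_chk entry points
# (__memcpy_chk, __printf_chk, ...) that _FORTIFY_SOURCE=2 substitutes for
# fortifiable calls. The @GLIBC_x.y version suffix is stripped first so that
# __stack_chk_fail is not miscounted. 0 means FORTIFY was off, or nothing in
# the binary was fortifiable at compile time.
fortify_count() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++) {
            n = $i; sub(/@.*/, "", n)
            if (n ~ /^__[A-Za-z0-9_]+_chk$/) print n
        }
    }' | sort -u | wc -l | tr -d ' '
}

# $1 = `readelf -lW FILE`, $2 = `readelf -dW FILE`. A GNU_RELRO segment alone
# is partial RELRO; with BIND_NOW (or FLAGS_1 NOW) the GOT is resolved before
# being made read-only, which is full RELRO.
relro_status() {
    if printf '%s\n' "$1" | grep -q 'GNU_RELRO'; then
        if printf '%s\n' "$2" | grep -Eq 'BIND_NOW|Flags:.*NOW'; then
            echo FULL
        else
            echo PARTIAL
        fi
    else
        echo NONE
    fi
}

# Run all checks against a real file, e.g. check_hardening /bin/ls
check_hardening() {
    f=$1
    hdr=$(readelf -h "$f") || return 1
    phdr=$(readelf -lW "$f" 2>/dev/null)
    dyn=$(readelf -dW "$f" 2>/dev/null)
    syms=$(readelf -sW "$f" 2>/dev/null)
    printf '%s: %s SSP=%s fortified_calls=%s RELRO=%s\n' "$f" \
        "$(pie_status "$hdr" "$phdr")" \
        "$(has_ssp "$syms" && echo yes || echo no)" \
        "$(fortify_count "$syms")" \
        "$(relro_status "$phdr" "$dyn")"
}

# Constructed readelf excerpts (not captured from a real host).
SAMPLE_HDR_DYN='ELF Header:
  Type:                              DYN (Shared object file)'
SAMPLE_HDR_EXEC='ELF Header:
  Type:                              EXEC (Executable file)'
SAMPLE_PHDR_EXE='Program Headers:
  INTERP         0x000318 0x0000000000000318 0x0000000000000318 0x00001c 0x00001c R   0x1
  GNU_RELRO      0x01f6b0 0x00000000000206b0 0x00000000000206b0 0x000950 0x000950 R   0x1'
SAMPLE_PHDR_LIB='Program Headers:
  GNU_RELRO      0x01f6b0 0x00000000000206b0 0x00000000000206b0 0x000950 0x000950 R   0x1'
SAMPLE_DYN_NOW=' 0x000000000000001e (FLAGS)              BIND_NOW
 0x000000006ffffffb (FLAGS_1)            Flags: NOW PIE'
SAMPLE_DYN_LAZY=' 0x000000006ffffffb (FLAGS_1)            Flags: PIE'
SAMPLE_SYMS_HARDENED='     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)'
SAMPLE_SYMS_VANILLA='     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND memcpy@GLIBC_2.14 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND printf@GLIBC_2.2.5 (3)'

echo "sample hardened exe: $(pie_status "$SAMPLE_HDR_DYN" "$SAMPLE_PHDR_EXE") SSP=$(has_ssp "$SAMPLE_SYMS_HARDENED" && echo yes || echo no) fortified_calls=$(fortify_count "$SAMPLE_SYMS_HARDENED") RELRO=$(relro_status "$SAMPLE_PHDR_EXE" "$SAMPLE_DYN_NOW")"
echo "sample library:      $(pie_status "$SAMPLE_HDR_DYN" "$SAMPLE_PHDR_LIB") RELRO=$(relro_status "$SAMPLE_PHDR_LIB" "$SAMPLE_DYN_LAZY")"
echo "sample vanilla exe:  $(pie_status "$SAMPLE_HDR_EXEC" "$SAMPLE_PHDR_EXE") SSP=$(has_ssp "$SAMPLE_SYMS_VANILLA" && echo yes || echo no) fortified_calls=$(fortify_count "$SAMPLE_SYMS_VANILLA")"

# Files given on the command line are checked for real: sh check.sh /bin/ls /usr/lib/libutil.so
for f in "$@"; do check_hardening "$f"; done
```

Run it with no arguments to see the three constructed cases classified; pass paths to check real files. For the thread's purposes the interesting combination is a base-profile library that reports SHARED-LIB (so the PIE column is moot) but SSP=no and fortified_calls=0, which is what step 1 of Anthony's list is meant to eliminate.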