I made a new gcc-specs patch that seems to be working. I used gcc/configure.ac from netbsd... it checks: nm $(gcc -print-file-name=libc.a) | grep __stack_chk_fail for libc_provides_ssp, so it works with uclibc, and glibc, and in /tools. It doesn't work if you don't have a libc.a though.
The new patch does nothing by default; we need to:

    echo '#define DEFAULT_SSP' >> gcc/hardened-config.h

and so on, to turn stuff on. It appends to cpp_spec, cc1_spec, and cc1plus_spec, so it's a little bit more portable to non-x86. Except I couldn't do that with the startfile and endfile specs; they have to be completely replaced.

I removed -fpic completely. Libraries use -fpic anyway, and packages like mesa-lib that don't use -fpic need patches whether the gcc specs use -fpic or not, so just add -fpic to the patch.

I've also been experimenting with glibc builds:

    echo 'build-programs=no
    CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
    CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms &&
    make &&
    echo 'CFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2
    CXXFLAGS += -fstack-protector-all -D_FORTIFY_SOURCE=2' > configparms &&
    make &&
    echo 'CFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0
    CXXFLAGS += -fno-stack-protector -D_FORTIFY_SOURCE=0' > configparms
    make check

Glibc has some serious issues when building with ssp or fortify_source, and there isn't really a way around it. The above commands will leave the libraries alone, but harden the programs. It's probably as good as it'll get, except that minor libraries like libresolv could probably also be hardened. It also means the libc workarounds can come out of the gcc specs. I didn't get the above working with -pie though, but eventually it should.

robert
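As an added illustration of the libc_provides_ssp check described in the post (example code, not from the post or from gcc's configure.ac): a small POSIX sh probe that does the nm-on-libc.a test, counts only a defined __stack_chk_fail rather than any mention of it, and falls back to the shared libc when no libc.a exists, the case the post notes the plain check cannot handle. The libc.so.6 soname and the function names symbol_defined_in and libc_provides_ssp are assumptions of the example.

```shell
#!/bin/sh
# Added example, not code from the hlfs-dev post or from gcc's configure.ac.
# Reproduces the libc_provides_ssp probe the post describes (nm on libc.a,
# look for __stack_chk_fail) and adds a fallback for toolchains that have
# no libc.a, the case the post says the plain nm check cannot handle.

# symbol_defined_in NM_LISTING SYMBOL
# Succeeds only if the listing defines SYMBOL (nm type T, W or i). A bare
# 'U' entry means libc merely references the handler, which is not enough
# to link -fstack-protector code, so it does not count (the post's plain
# grep would match such a line too).
symbol_defined_in() {
    printf '%s\n' "$1" | awk -v sym="$2" '
        NF >= 2 && $NF == sym && $(NF-1) ~ /^[TWi]$/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# libc_provides_ssp [CC]
# Static archive first, as configure.ac does; if the compiler cannot find
# a libc.a, fall back to the dynamic symbol table of the shared libc.
# Assumption: a glibc-style soname (libc.so.6); uclibc ships libc.so.0.
libc_provides_ssp() {
    cc=${1:-gcc}
    static_libc=$("$cc" -print-file-name=libc.a 2>/dev/null)
    if [ -f "$static_libc" ]; then
        symbol_defined_in "$(nm "$static_libc" 2>/dev/null)" __stack_chk_fail
        return $?
    fi
    shared_libc=$("$cc" -print-file-name=libc.so.6 2>/dev/null)
    [ -f "$shared_libc" ] || return 1
    symbol_defined_in "$(nm -D "$shared_libc" 2>/dev/null)" __stack_chk_fail
}

# Constructed nm listings (not real tool output) to exercise the parser.
SSP_LIBC='stack_chk_fail.o:
0000000000000000 T __stack_chk_fail
0000000000000020 T __stack_chk_fail_local'
NO_SSP_LIBC='somefile.o:
                 U __stack_chk_fail
0000000000000000 T some_function'

# When run as a script, report what a configure check would record.
if libc_provides_ssp "${CC:-gcc}"; then
    echo 'libc_provides_ssp=yes'
else
    echo 'libc_provides_ssp=no'
fi
```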
-- http://linuxfromscratch.org/mailman/listinfo/hlfs-dev FAQ: http://www.linuxfromscratch.org/faq/ Unsubscribe: See the above information page
