[gentoo-commits] data/gentoo-news:master commit in: 2023-01-01-hardening-fortify-assertions/
commit: a49aa1b25808f0e08157406a45560e3b7efba275 Author: Sam James gentoo org> AuthorDate: Sat Jan 14 23:05:23 2023 + Commit: Sam James gentoo org> CommitDate: Sat Jan 14 23:05:23 2023 + URL:https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=a49aa1b2 2023-01-01-hardening-fortify-assertions: add missing hardened (SELinux) profiles Thanks-to: Oskari Pirhonen gmail.com> Signed-off-by: Sam James gentoo.org> .../2023-01-01-hardening-fortify-assertions.en.txt | 26 ++ 1 file changed, 17 insertions(+), 9 deletions(-) diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt index f0aab21..847e968 100644 --- a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt 
@@ -5,21 +5,29 @@ Revision: 2 News-Item-Format: 2.0 Display-If-Installed: sys-devel/gcc[hardened] Display-If-Profile: features/hardened -Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened -Display-If-Profile: default/linux/ppc/17.0/musl/hardened -Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened -Display-If-Profile: default/linux/amd64/17.0/hardened Display-If-Profile: default/linux/amd64/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.0/musl/hardened/selinux Display-If-Profile: default/linux/amd64/17.1/hardened +Display-If-Profile: default/linux/amd64/17.1/hardened/selinux Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened -Display-If-Profile: default/linux/x86/17.0/hardened -Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened -Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened -Display-If-Profile: default/linux/arm/17.0/armv7a/hardened +Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened/selinux Display-If-Profile: default/linux/arm/17.0/armv6j/hardened -Display-If-Profile: default/linux/ppc64/17.0/musl/hardened +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened/selinux +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened/selinux +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened/selinux +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened/selinux Display-If-Profile: default/linux/arm64/17.0/hardened +Display-If-Profile: default/linux/arm64/17.0/hardened/selinux Display-If-Profile: default/linux/arm64/17.0/musl/hardened +Display-If-Profile: default/linux/arm64/17.0/musl/hardened/selinux +Display-If-Profile: default/linux/ppc/17.0/musl/hardened +Display-If-Profile: default/linux/ppc64/17.0/musl/hardened +Display-If-Profile: 
default/linux/ppc64le/17.0/musl/hardened +Display-If-Profile: default/linux/x86/17.0/hardened +Display-If-Profile: default/linux/x86/17.0/hardened/selinux Gentoo's hardened profiles are adopting two new modern toolchain hardening techniques:
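Review bot: `+Display-If-Profile: default/linux/arm/17.0/armv7a/hardened/selinux` is added twice in this hunk; drop the second copy. The hunk also silently drops `default/linux/amd64/17.0/hardened` and `default/linux/amd64/17.0/no-multilib/hardened` while re-sorting the list, which the message ("add missing hardened (SELinux) profiles") does not mention; if those two amd64 17.0 profiles are intentionally gone, say so in the commit message, otherwise re-add them.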
[gentoo-commits] data/gentoo-news:master commit in: 2023-01-01-hardening-fortify-assertions/
commit: 6b8c798b7b8b2b2ea9cb833842c733c494ad0df2 Author: Sam James gentoo org> AuthorDate: Sun Jan 1 22:10:25 2023 + Commit: Sam James gentoo org> CommitDate: Sun Jan 1 22:10:25 2023 + URL:https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=6b8c798b 2023-01-01-hardening-fortify-assertions: add Display-If-Installed: sys-devel/gcc[hardened] Signed-off-by: Sam James gentoo.org> .../2023-01-01-hardening-fortify-assertions.en.txt | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt index ea3ac1b..f0aab21 100644 --- a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt @@ -1,8 +1,9 @@ Title: Hardened profiles improvements Author: Sam James Posted: 2023-01-01 -Revision: 1 +Revision: 2 News-Item-Format: 2.0 +Display-If-Installed: sys-devel/gcc[hardened] Display-If-Profile: features/hardened Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened Display-If-Profile: default/linux/ppc/17.0/musl/hardened
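Review bot: the new `+Display-If-Installed: sys-devel/gcc[hardened]` header narrows the audience more than the message says: Display-If headers of different types must all match (only same-type headers are alternatives), so the item is now shown only to users who are on one of the listed profiles and already have sys-devel/gcc built with USE=hardened. A user who has just switched to a hardened profile but has not yet rebuilt gcc with the hardened flag will not see it; if that is intended, state it in the commit message. The `+Revision: 2` bump is correct for a header change.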
[gentoo-commits] data/gentoo-news:master commit in: 2023-01-01-hardening-fortify-assertions/
commit: 5f74f9d9698950a8204c22eddac11eb4654d260e Author: Sam James gentoo org> AuthorDate: Sun Jan 1 22:09:28 2023 + Commit: Sam James gentoo org> CommitDate: Sun Jan 1 22:09:28 2023 + URL:https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=5f74f9d9 2023-01-01-hardening-fortify-assertions: mention 'gcc-config latest' Signed-off-by: Sam James gentoo.org> .../2023-01-01-hardening-fortify-assertions.en.txt | 7 --- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt index 3b2ff02..ea3ac1b 100644 --- a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt @@ -39,9 +39,10 @@ of these improvements early, before GCC 12 is marked stable. To fully take advantage of these new settings, GCC must first be upgraded, and then all packages must be re-emerged: -1. emerge --sync -2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231" -3. emerge --verbose --emptytree @world +1. # emerge --sync +2. # emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231" +3. # gcc-config latest +4. # emerge --verbose --emptytree @world ## Troubleshooting
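Review bot: placing `+3. # gcc-config latest` before the `--emptytree` rebuild is right, since otherwise the rebuild could still run with the previously selected compiler; consider also telling the reader to refresh an already running shell afterwards (`. /etc/profile`, as gcc-config itself reminds), and to add `--keep-going` to the `emerge --verbose --emptytree @world` step so a single build failure does not abort the whole-world rebuild. The `# ` prefix on each numbered step is a good hint that these run as root, but a short "as root" lead-in would avoid it being read as a comment marker.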
[gentoo-commits] data/gentoo-news:master commit in: 2023-01-01-hardening-fortify-assertions/
commit: 55ff6471ce55a668602922eb922642d0a405b020 Author: Sam James gentoo org> AuthorDate: Sun Jan 1 21:40:20 2023 + Commit: Sam James gentoo org> CommitDate: Sun Jan 1 21:40:20 2023 + URL:https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=55ff6471 2023-01-01-hardening-fortify-assertions: update GCC version Signed-off-by: Sam James gentoo.org> .../2023-01-01-hardening-fortify-assertions.en.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt index dfe9127..3b2ff02 100644 --- a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt @@ -26,12 +26,12 @@ techniques: 2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] These will both be enabled by default with USE=hardened on sys-devel/gcc -for >=sys-devel/gcc-12.2.1_p20221224-r1. +for >=sys-devel/gcc-12.2.1_p20221231. To view the existing list of hardening changes applied by the profiles, see the wiki [2]. -Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into +Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into /etc/portage/package.accept_keywords if they wish to take advantage of these improvements early, before GCC 12 is marked stable. @@ -40,7 +40,7 @@ of these improvements early, before GCC 12 is marked stable. To fully take advantage of these new settings, GCC must first be upgraded, and then all packages must be re-emerged: 1. emerge --sync -2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1" +2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221231" 3. emerge --verbose --emptytree @world ## Troubleshooting
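Review bot: all three occurrences of the version are updated consistently to `12.2.1_p20221231`, but while `+Stable users may wish to add sys-devel/gcc-12.2.1_p20221231 into` is being touched it should carry an operator: a versioned atom without `=` (or `~`) is not a valid entry for /etc/portage/package.accept_keywords, so write `=sys-devel/gcc-12.2.1_p20221231` (or `~sys-devel/gcc-12.2.1_p20221231` to also cover later revisions). The "may wish ... if they wish" phrasing on the same lines is also doubled; "Stable users who want these improvements before GCC 12 is marked stable can add ..." says it once.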
[gentoo-commits] data/gentoo-news:master commit in: 2023-01-01-hardening-fortify-assertions/
commit: 469c078b8ada3bc00da386bd2eaa2dc3410e3323 Author: Sam James gentoo org> AuthorDate: Wed Dec 28 19:33:34 2022 + Commit: Sam James gentoo org> CommitDate: Sun Jan 1 21:16:42 2023 + URL:https://gitweb.gentoo.org/data/gentoo-news.git/commit/?id=469c078b 2023-01-01-hardening-fortify-assertions: add item Bug: https://bugs.gentoo.org/876893 Bug: https://bugs.gentoo.org/876895 Signed-off-by: Sam James gentoo.org> .../2023-01-01-hardening-fortify-assertions.en.txt | 57 ++ 1 file changed, 57 insertions(+) diff --git a/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt new file mode 100644 index 000..dfe9127 --- /dev/null +++ b/2023-01-01-hardening-fortify-assertions/2023-01-01-hardening-fortify-assertions.en.txt 
@@ -0,0 +1,57 @@ +Title: Hardened profiles improvements +Author: Sam James +Posted: 2023-01-01 +Revision: 1 +News-Item-Format: 2.0 +Display-If-Profile: features/hardened +Display-If-Profile: default/linux/ppc64le/17.0/musl/hardened +Display-If-Profile: default/linux/ppc/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.0/no-multilib/hardened +Display-If-Profile: default/linux/amd64/17.0/hardened +Display-If-Profile: default/linux/amd64/17.0/musl/hardened +Display-If-Profile: default/linux/amd64/17.1/hardened +Display-If-Profile: default/linux/amd64/17.1/no-multilib/hardened +Display-If-Profile: default/linux/x86/17.0/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/musl/armv6j/hardened +Display-If-Profile: default/linux/arm/17.0/armv7a/hardened +Display-If-Profile: default/linux/arm/17.0/armv6j/hardened +Display-If-Profile: default/linux/ppc64/17.0/musl/hardened +Display-If-Profile: default/linux/arm64/17.0/hardened +Display-If-Profile: default/linux/arm64/17.0/musl/hardened + +Gentoo's hardened profiles are adopting two new modern toolchain hardening +techniques: +1. Level 3 fortification (-D_FORTIFY_SOURCE=3) [0] +2. libstdc++ assertions (-D_GLIBCXX_ASSERTIONS) [1] + +These will both be enabled by default with USE=hardened on sys-devel/gcc +for >=sys-devel/gcc-12.2.1_p20221224-r1. + +To view the existing list of hardening changes applied by the profiles, +see the wiki [2]. + +Stable users may wish to add sys-devel/gcc-12.2.1_p20221224-r1 into +/etc/portage/package.accept_keywords if they wish to take advantage +of these improvements early, before GCC 12 is marked stable. + +## Migration + +To fully take advantage of these new settings, GCC must first +be upgraded, and then all packages must be re-emerged: +1. emerge --sync +2. emerge --verbose --oneshot ">=sys-devel/gcc-12.2.1_p20221224-r1" +3. 
emerge --verbose --emptytree @world + +## Troubleshooting + +In the event that some packages fail at runtime, please file a bug +with the full details. To temporarily workaround the problem, +it should be possible to recompile broken packages with the +following *FLAGS: +CFLAGS="${CFLAGS} -D_FORTIFY_SOURCE=2" +CXXFLAGS="${CXXFLAGS} -D_FORTIFY_SOURCE=2 -U_GLIBCXX_ASSERTIONS" + +[0] https://bugs.gentoo.org/876893 +[1] https://bugs.gentoo.org/876895 +[2] https://wiki.gentoo.org/wiki/Hardened/Toolchain#Changes
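Review bot: the Migration list goes from upgrading GCC straight to `emerge --verbose --emptytree @world` without selecting the new compiler; a `gcc-config` step between 2 and 3 is needed so the rebuild actually uses the upgraded GCC (commit 5f74f9d9 above adds exactly that). In Troubleshooting, the `*FLAGS` override should be recommended per package, for example via an /etc/portage/env file referenced from /etc/portage/package.env, rather than in make.conf, so that one broken package does not downgrade fortification and libstdc++ assertions system-wide; it is worth saying that the workaround keeps `-D_FORTIFY_SOURCE=2` rather than disabling fortification, and that `-U_GLIBCXX_ASSERTIONS` correctly appears only in CXXFLAGS because the macro affects C++ only.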