[gentoo-dev] Re: Modular X and hardened
"Kevin F. Quinn (Gentoo)" <[EMAIL PROTECTED]> posted [EMAIL PROTECTED], excerpted below, on Fri, 12 May 2006 12:51:57 +0200: > We (hardened) haven't had the time to investigate further, and we don't > want to complicate the stabilisation effort of modular X (which is a big > enough job as it is) so we've left it as it is for the moment. Nice maybe clickable bug URL: http://bugs.gentoo.org/show_bug.cgi?id=110506 I'm still of the opinion that as long as people only following the advice in the portage QA SUID warning, to set LDFLAGS="-Wl,-z,now", end up with a broken package, it shouldn't be stabilized. Merging the xorg-server ebuild itself invokes that warning, yet anyone following its advice ends up with a broken xorg-server. Are users expected to ignore instructions now? That's why I can't see how it can be stabilized under current conditions. Either there needs to be a way to block that message from portage (yeah, not likely), or the ebuild needs to be able to correct for the situation where a user actually /does/ follow the instructions (seems more reasonable). This won't resolve the hardened spec-file angle, but I can verify that a simple call to flagomatic's filter-ldflags solves the following instructions angle, as I have LDFLAGS="-Wl,-z,now" set in make.conf, and routinely modify the xorg-server and xf86-video-ati ebuilds in my overlay, to invoke the filter-ldflags call. It works. As for upstream, there's a comment from Ajax on the bug indicating they will try to fix it by 7.1, but no promises. Apparently, the elfloader compatibility stuff in 7.0 made it essentially impossible. If I'm not mistaken (and I might be), 6.9/7.0 was the last release supporting that, with 7.1 completing the switch to dlloader and removing the elfloader compatibility stuff, thus enabling a solution. I'm running 7.1-rc2 ATM, and still had to add the filter-ldflags call to make it work, so while the solution might be possible with 7.1, it's not yet implemented, and 7.2 would be the new target. Whatever solution Gentoo comes up with is therefore now known to be needed at least for 7.0 and 7.1. Hopefully, by 7.2, the solution will be included upstream. -- Duncan - List replies preferred. No HTML msgs. "Every nonfree program has a lord, a master -- and if you use the program, he is your master." Richard Stallman -- gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Re: Modular X and hardened
On Fri, 2006-05-12 at 12:03 +, Duncan wrote: > "Kevin F. Quinn (Gentoo)" <[EMAIL PROTECTED]> posted > [EMAIL PROTECTED], excerpted below, on Fri, > 12 May 2006 12:51:57 +0200: > > > We (hardened) haven't had the time to investigate further, and we don't > > want to complicate the stabilisation effort of modular X (which is a big > > enough job as it is) so we've left it as it is for the moment. > > Nice maybe clickable bug URL: > http://bugs.gentoo.org/show_bug.cgi?id=110506 > > I'm still of the opinion that as long as people only following the advice > in the portage QA SUID warning, to set LDFLAGS="-Wl,-z,now", end up with a > broken package, it shouldn't be stabilized. Merging the xorg-server > ebuild itself invokes that warning, yet anyone following its advice ends > up with a broken xorg-server. Are users expected to ignore instructions > now? That's why I can't see how it can be stabilized under current > conditions. Either there needs to be a way to block that message from > portage (yeah, not likely), or the ebuild needs to be able to correct for > the situation where a user actually /does/ follow the instructions (seems > more reasonable). This won't resolve the hardened spec-file angle, but I > can verify that a simple call to flagomatic's filter-ldflags solves the > following instructions angle, as I have LDFLAGS="-Wl,-z,now" set in > make.conf, and routinely modify the xorg-server and xf86-video-ati ebuilds > in my overlay, to invoke the filter-ldflags call. It works. > > As for upstream, there's a comment from Ajax on the bug indicating they > will try to fix it by 7.1, but no promises. Apparently, the elfloader > compatibility stuff in 7.0 made it essentially impossible. If I'm not > mistaken (and I might be), 6.9/7.0 was the last release supporting that, > with 7.1 completing the switch to dlloader and removing the elfloader > compatibility stuff, thus enabling a solution. > > I'm running 7.1-rc2 ATM, and still had to add the filter-ldflags call to > make it work, so while the solution might be possible with 7.1, it's not > yet implemented, and 7.2 would be the new target. Whatever solution > Gentoo comes up with is therefore now known to be needed at least for 7.0 > and 7.1. Hopefully, by 7.2, the solution will be included upstream. This was handled in the 6.8.x series and got dropped for unknown reasons when the modular X porting started happening. Unless your dead set on modular X I'd stick with the 6.8.x series. > -- > Duncan - List replies preferred. No HTML msgs. > "Every nonfree program has a lord, a master -- > and if you use the program, he is your master." Richard Stallman > -- Ned Ludd <[EMAIL PROTECTED]> Gentoo Linux -- gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Re: Modular X and hardened
Ned Ludd wrote: > This was handled in the 6.8.x series and got dropped for unknown > reasons when the modular X porting started happening. > Unless your dead set on modular X I'd stick with the 6.8.x series. We are using the solution that was suggested to us by members of the hardened team. If you have a different solution, please do submit a patch for it. Thanks, Donnie signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Re: Modular X and hardened
On Sat, 13 May 2006 13:10:22 -0700 Donnie Berkholz <[EMAIL PROTECTED]> wrote: > Ned Ludd wrote: > > This was handled in the 6.8.x series and got dropped for unknown > > reasons when the modular X porting started happening. > > Unless your dead set on modular X I'd stick with the 6.8.x series. > > We are using the solution that was suggested to us by members of the > hardened team. The current solution (bail if -z,now is set in the compiler specs) is not one suggested by the hardened team, just need to make that clear, and it's not something we would encourage elsewhere. However until we can provide a solution for such a high-profile package we are not going to make a fuss. Our suggestion was to 'append-flags -nonow' on the server and video driver builds, but when a helpful user tried it, it wasn't enough - we simply haven't had the resource to work it out properly yet. > If you have a different solution, please do submit a > patch for it. With regards to Duncan's (non-hardened) problem, adding: filter-ldflags -Wl,-z,now to x-modular.eclass as he suggests should be fine; his issue is different to that with the hardened compiler in as much as he has added the '-Wl,-z,now' to LDFLAGS as advised by the QA message and the above filter will just remove it again; whereas to deal with the hardened compiler we need to reliably add a flag to all the relevant link commands (the bit that takes the effort is working out which are relevant). Duncan - perhaps it would be useful if you could raise a separate bug about the QA message and Xorg, and attach the diff you apply to x-modular.eclass. -- Kevin F. Quinn signature.asc Description: PGP signature
Re: [gentoo-dev] Re: Modular X and hardened
Kevin F. Quinn (Gentoo) wrote: > The current solution (bail if -z,now is set in the compiler specs) is > not one suggested by the hardened team, just need to make that clear, > and it's not something we would encourage elsewhere. However until we > can provide a solution for such a high-profile package we are not going > to make a fuss. > > Our suggestion was to 'append-flags -nonow' on the server and video > driver builds, but when a helpful user tried it, it wasn't enough - > we simply haven't had the resource to work it out properly yet. Oh, OK, let's argue semantics. It's suggested by a hardened user on a bug the hardened team is CC'd on, but the team didn't say anything was wrong with the change. > With regards to Duncan's (non-hardened) problem, adding: > > filter-ldflags -Wl,-z,now > > to x-modular.eclass as he suggests should be fine; his issue is > different to that with the hardened compiler in as much as he has added > the '-Wl,-z,now' to LDFLAGS as advised by the QA message and the above > filter will just remove it again; whereas to deal with the hardened > compiler we need to reliably add a flag to all the relevant link > commands (the bit that takes the effort is working out which are > relevant). Now I'm confused. Do you want this filter instead of the current situation, in addition to, or what? This is exactly why I asked for a patch. Thanks, Donnie signature.asc Description: OpenPGP digital signature
Re: [gentoo-dev] Re: Modular X and hardened
On Sat, 13 May 2006 23:04:10 -0700
Donnie Berkholz <[EMAIL PROTECTED]> wrote:
> Kevin F. Quinn (Gentoo) wrote:
>
> Oh, OK, let's argue semantics. It's suggested by a hardened user on a
> bug the hardened team is CC'd on, but the team didn't say anything was
> wrong with the change.
That's because for the moment we don't have a better suggestion; we
can't say "don't do it" in this case until we have a solution. Our
silence doesn't mean we like the solution; it means we haven't got
anything better to suggest for now.
> > With regards to Duncan's (non-hardened) problem, adding:
> >
> > filter-ldflags -Wl,-z,now
> >
> > to x-modular.eclass as he suggests should be fine; his issue is
> > different to that with the hardened compiler in as much as he has
> > added the '-Wl,-z,now' to LDFLAGS as advised by the QA message and
> > the above filter will just remove it again; whereas to deal with
> > the hardened compiler we need to reliably add a flag to all the
> > relevant link commands (the bit that takes the effort is working
> > out which are relevant).
>
> Now I'm confused. Do you want this filter instead of the current
> situation, in addition to, or what? This is exactly why I asked for a
> patch.
This is a completely separate issue, nothing to do with the hardened
team or the hardened compiler. It causes the same problem in the end,
but a completely different way.
The QA checks in portage advise the user to try:
LDFLAGS='-Wl,-z,now' emerge ${PN}
because the X server is "suid, dyn linked and using lazy
bindings". This warning becomes fatal if FEATURES=stricter,
so you may want to RESTRICT it (which doesn't remove the warning, so
you should be able to find it in your build logs for xorg-server).
In summary, for Duncan's issue I suggest adding:
# Xorg server is unaviodably suid with lazy bindings
RESTRICT="stricter"
to the xorg-server ebuild to stop it dying for people with
FEATURES=stricter (the comment helps people who have enabled STRICTER
to see why it's disabled, in case anything else crops up) and also to
add:
filter-ldflags -Wl,-z,now
to the eclass (perhaps in x-modular_src_compile, or in both
x-modular_src_config and x-modular_src_make). If you do it just on the
xorg-server ebuild, and people do what Duncan did and set LDFLAGS in
make.conf, it'll set BIND_NOW on everything which at the very least
will cause the radeon and GL drivers to fail to load.
Obviously I haven't tried it so it would be useful if Duncan could
raise a bug with the exact change he made.
--
Kevin F. Quinn
signature.asc
Description: PGP signature
Re: [gentoo-dev] Re: Modular X and hardened
On Sun, May 14, 2006 at 11:32:13AM +0200, Kevin F. Quinn (Gentoo) wrote: [...] > In summary, for Duncan's issue I suggest adding: > > # Xorg server is unaviodably suid with lazy bindings > RESTRICT="stricter" > > to the xorg-server ebuild to stop it dying for people with > FEATURES=stricter (the comment helps people who have enabled STRICTER > to see why it's disabled, in case anything else crops up) and also to > add: > > filter-ldflags -Wl,-z,now > > to the eclass (perhaps in x-modular_src_compile, or in both > x-modular_src_config and x-modular_src_make). If you do it just on the > xorg-server ebuild, and people do what Duncan did and set LDFLAGS in > make.conf, it'll set BIND_NOW on everything which at the very least > will cause the radeon and GL drivers to fail to load. The idea of filter-ldflags is a bad one, IMO. There are an infinite number of ways to enable a flag (for -z now: -Wl,-z,now; -Wl,-z -Wl,now; -Xlinker -z -Xlinker -now; -Wl,-O1,-z,now; ...). Even if you restrict yourself to the sane ones, you can't reasonably catch them all. Normally, the proper fix would be `append-ldflags -Wl,-z,nonow`, but as binutils completely ignores this, that's not going to work either (as also noted earlier). I think the only sane thing to do (treating -Wl,-z,now -Wl,-O1 differently from -Wl,-z,now,-O1 is not sane) is to give a warning message telling users not to enable -z now even if portage states otherwise. Ideally, binutils would also be patched to support -z nonow, and -Wl,-z,nonow would be appended to LDFLAGS, but that's something for later concern. -- gentoo-dev@gentoo.org mailing list
Re: [gentoo-dev] Re: Modular X and hardened
On Sun, 14 May 2006 12:46:23 +0200 Harald van Dijk <[EMAIL PROTECTED]> wrote: > The idea of filter-ldflags is a bad one, IMO. There are an infinite > number of ways to enable a flag (for -z now: -Wl,-z,now; > -Wl,-z -Wl,now; -Xlinker -z -Xlinker -now; -Wl,-O1,-z,now; ...). Even > if you restrict yourself to the sane ones, you can't reasonably catch > them all. That's true enough, however if people follow the QA instructions they'll do the -Wl,-z,now version. People doing other variations can get picked up when they raise a bug with emerge --info. Or we could make filter-ldflags more intelligent, of course. > Normally, the proper fix would be `append-ldflags -Wl,-z,nonow` Ideally, yes - but as you note, "-z nonow" does not exist. BTW '-nonow' is a separate thing (note, no '-z'), added by us to the hardened compiler specs to switch off the automatic -z,now we do on links. > but as binutils completely ignores > this, that's not going to work either (as also noted earlier). I > think the only sane thing to do (treating -Wl,-z,now -Wl,-O1 > differently from -Wl,-z,now,-O1 is not sane) is to give a warning > message telling users not to enable -z now even if portage states > otherwise. Ideally, binutils would also be patched to support -z > nonow, and -Wl,-z,nonow would be appended to LDFLAGS, but that's > something for later concern. -- Kevin F. Quinn signature.asc Description: PGP signature
Re: [gentoo-dev] Re: Modular X and hardened
Kevin F. Quinn (Gentoo) wrote: > # Xorg server is unaviodably suid with lazy bindings > RESTRICT="stricter" > > to the xorg-server ebuild to stop it dying for people with > FEATURES=stricter (the comment helps people who have enabled STRICTER > to see why it's disabled, in case anything else crops up) and also to > add: Done, thanks for the suggestion. Donnie signature.asc Description: OpenPGP digital signature
