| 1 | <?xml version="1.0" encoding="UTF-8"?> |
1 | <?xml version="1.0" encoding="UTF-8"?> |
| 2 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
2 | <!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
| 3 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.30 2012/10/28 15:21:06 swift Exp $ --> |
3 | <!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.35 2013/01/21 15:53:28 klondike Exp $ --> |
| 4 | |
4 | |
| 5 | <guide lang="en"> |
5 | <guide lang="en"> |
| 6 | <title>Gentoo Hardened Frequently Asked Questions</title> |
6 | <title>Gentoo Hardened Frequently Asked Questions</title> |
| 7 | <author title="Author"> |
7 | <author title="Author"> |
| 8 | <mail link="tocharian@gentoo.org">Adam Mondl</mail> |
8 | <mail link="tocharian@gentoo.org">Adam Mondl</mail> |
| 9 | </author> |
9 | </author> |
| 10 | <author title="Contributor"> |
10 | <author title="Contributor"> |
| 11 | <mail link="solar@gentoo.org">solar</mail> |
11 | <mail link="solar@gentoo.org">solar</mail> |
| 12 | </author> |
12 | </author> |
| 13 | <author title="Contributor"> |
13 | <author title="Contributor"> |
| 14 | <mail link="kang@gentoo.org">Guillaume Destuynder</mail> |
14 | <mail link="kang@gentoo.org">Guillaume Destuynder</mail> |
| 15 | </author> |
15 | </author> |
| 16 | <author title="Contributor"> |
16 | <author title="Contributor"> |
| 17 | <mail link="pageexec@freemail.hu">The PaX Team</mail> |
17 | <mail link="pageexec@freemail.hu">The PaX Team</mail> |
| 18 | </author> |
18 | </author> |
| 19 | <author title="Contributor"> |
19 | <author title="Contributor"> |
| 20 | <mail link="klondike@xiscosoft.es">klondike</mail> |
20 | <mail link="klondike@xiscosoft.es">klondike</mail> |
| 21 | </author> |
21 | </author> |
| 22 | <author title="Contributor"> |
22 | <author title="Contributor"> |
| 23 | <mail link="zorry@gentoo.org">Magnus Granberg</mail> |
23 | <mail link="zorry@gentoo.org">Magnus Granberg</mail> |
| 24 | </author> |
24 | </author> |
| 25 | <author title="Contributor"> |
25 | <author title="Contributor"> |
| 26 | <mail link="blueness@gentoo.org">Anthony G. Basile</mail> |
26 | <mail link="blueness@gentoo.org">Anthony G. Basile</mail> |
| 27 | </author> |
27 | </author> |
| 28 | |
28 | |
| 29 | <abstract> |
29 | <abstract> |
| 30 | Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and |
30 | Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and |
| 31 | the gentoo-hardened mailing list. |
31 | the gentoo-hardened mailing list. |
| 32 | </abstract> |
32 | </abstract> |
| 33 | |
33 | |
| 34 | <version>3.4</version> |
34 | <version>5</version> |
| 35 | <date>2011-3-27</date> |
35 | <date>2014-1-21</date> |
| 36 | |
36 | |
| 37 | <faqindex> |
37 | <faqindex> |
| 38 | <title>Questions</title> |
38 | <title>Questions</title> |
| 39 | <section> |
39 | <section> |
| 40 | <title>Introduction</title> |
40 | <title>Introduction</title> |
| 41 | <body> |
41 | <body> |
| 42 | |
42 | |
| 43 | <p> |
43 | <p> |
| 44 | The following is a collection of questions collected from #gentoo-hardened IRC |
44 | The following is a collection of questions collected from #gentoo-hardened IRC |
| 45 | channel and the gentoo-hardened mailing list. As such, is geared towards |
45 | channel and the gentoo-hardened mailing list. As such, is geared towards |
| 46 | answering fast and concisely rather than providing a whole insight on the |
46 | answering fast and concisely rather than providing a whole insight on the |
| 47 | technologies behind Gentoo Hardened. It is advisable reading the rest of the |
47 | technologies behind Gentoo Hardened. It is advisable reading the rest of the |
| 48 | documentation on the Gentoo Hardened Project page and that on the projects' |
48 | documentation on the Gentoo Hardened Project page and that on the projects' |
| 49 | home pages in order to get a better insight. |
49 | home pages in order to get a better insight. |
| 50 | </p> |
50 | </p> |
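Review bot: the new `<date>` value 2014-1-21 on the right-hand side disagrees with the CVS `$Header$` timestamp on the same revision (1.35, `2013/01/21 15:53:28`); since the header is stamped by CVS at commit time, the date line was most likely meant to read 2013-1-21 and should be corrected before this goes out. The version bump from 3.4 to 5 skips the 4.x range entirely; if that is intentional (several revisions folded into one published version), it is worth a line in the commit log so later readers do not assume a missing revision.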
| … | |
… | |
| 109 | No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE |
109 | No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE |
| 110 | -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> |
110 | -fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> |
| 111 | automatically through GCC's built-in spec and using the specfiles to disable |
111 | automatically through GCC's built-in spec and using the specfiles to disable |
| 112 | them which is a more proper solution. For older hardened-gcc users the best |
112 | them which is a more proper solution. For older hardened-gcc users the best |
| 113 | approach is switch to the hardened profile and then upgrade following the steps |
113 | approach is switch to the hardened profile and then upgrade following the steps |
| 114 | on the <uri link="#hardenedprofile">How to switch to Gentoo Hardened question |
114 | on the <uri link="#hardenedprofile">How to switch to Gentoo Hardened question |
| 115 | </uri> |
115 | </uri> |
| 116 | </p> |
116 | </p> |
| 117 | |
117 | |
| 118 | <note> |
118 | <note> |
| 119 | Manually enabling the hardening flags it is not recommended at all. |
119 | Manually enabling the hardening flags it is not recommended at all. |
| 120 | </note> |
120 | </note> |
| 121 | |
121 | |
| 122 | <note> |
122 | <note> |
| 123 | Sending a -fno... flag will disable the flag, also -fstack-protector-all and |
123 | Sending a -fno... flag will disable the flag, also -fstack-protector-all and |
| 124 | -fstack-protector may interfere when passed directly. |
124 | -fstack-protector will interfere when passed directly breaking stuff like glibc. |
| 125 | </note> |
125 | </note> |
| 126 | |
126 | |
| 127 | <note> |
127 | <note> |
| 128 | Gentoo patches its GCCs to allow specfiles to be passed through an environment |
128 | Gentoo patches its GCCs to allow specfiles to be passed through an environment |
| 129 | variable. Currently several sets of specfiles are installed on Gentoo systems |
129 | variable. Currently several sets of specfiles are installed on Gentoo systems |
| 130 | that allow users on supported architectures to easily switch the functionality |
130 | that allow users on supported architectures to easily switch the functionality |
| 131 | off and on of the toolchain. To access the specs as the end user you can use the |
131 | off and on of the toolchain. To access the specs as the end user you can use the |
| 132 | <c>gcc-config</c> utility. |
132 | <c>gcc-config</c> utility. |
| 133 | </note> |
133 | </note> |
| 134 | |
134 | |
|
|
135 | </body> |
|
|
136 | </section> |
|
|
137 | |
|
|
138 | <section id="hardenedfstack"> |
|
|
139 | <title>Can I add -fstack-protector-all or -fstack-protector in the CFLAGS at |
|
|
140 | make.conf?</title> |
|
|
141 | <body> |
|
|
142 | <p> |
|
|
143 | No, they will likely break the building of many packages, ampongst others glibc. |
|
|
144 | It's better that you leave the profiles do its job. |
|
|
145 | </p> |
| 135 | </body> |
146 | </body> |
| 136 | </section> |
147 | </section> |
| 137 | |
148 | |
| 138 | <section id="hardenedcflagsoff"> |
149 | <section id="hardenedcflagsoff"> |
| 139 | <title>How do I turn off hardened building?</title> |
150 | <title>How do I turn off hardened building?</title> |
| 140 | <body> |
151 | <body> |
| 141 | |
152 | |
| 142 | <p> |
153 | <p> |
| 143 | You can use <c>gcc-config</c> to accomplish this: |
154 | You can use <c>gcc-config</c> to accomplish this: |
| 144 | </p> |
155 | </p> |
| 145 | <pre caption="Example gcc-config output"> |
156 | <pre caption="Example gcc-config output"> |
| 146 | # <i>gcc-config -l</i> |
157 | # <i>gcc-config -l</i> |
| 147 | [1] x86_64-pc-linux-gnu-4.4.4 * |
158 | [1] x86_64-pc-linux-gnu-4.4.4 * |
| 148 | [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie |
159 | [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie |
| 149 | [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
160 | [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
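Review bot: the newly added `hardenedfstack` section has two wording defects in its only paragraph: "ampongst others glibc" should read "amongst others glibc", and "It's better that you leave the profiles do its job" should read "It's better to let the profile do its job". The same section also restates the note changed just above it ("-fstack-protector will interfere when passed directly breaking stuff like glibc"); rather than saying it twice, have the note point to the new section with `<uri link="#hardenedfstack">`, the same way the preceding paragraph links to `#hardenedprofile`. While that note is being touched, it needs a comma and a less colloquial phrase: "... when passed directly, breaking packages such as glibc."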
| … | |
… | |
| 307 | [1] x86_64-pc-linux-gnu-4.4.4 * |
318 | [1] x86_64-pc-linux-gnu-4.4.4 * |
| 308 | [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie |
319 | [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie |
| 309 | [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
320 | [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
| 310 | [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp |
321 | [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp |
| 311 | [5] x86_64-pc-linux-gnu-4.4.4-vanilla |
322 | [5] x86_64-pc-linux-gnu-4.4.4-vanilla |
| 312 | <comment>If the hardened version isn't chosen select it</comment> |
323 | <comment>If the hardened version isn't chosen select it</comment> |
| 313 | # <i>gcc-config x86_64-pc-linux-gnu-4.4.4</i> |
324 | # <i>gcc-config x86_64-pc-linux-gnu-4.4.4</i> |
| 314 | # <i>source /etc/profile</i> |
325 | # <i>source /etc/profile</i> |
| 315 | <comment>Keep emerging the system</comment> |
326 | <comment>Keep emerging the system</comment> |
| 316 | # <i>emerge -e --keep-going system</i> |
327 | # <i>emerge -e --keep-going system</i> |
| 317 | # <i>emerge -e --keep-going world</i> |
328 | # <i>emerge -e --keep-going world</i> |
| 318 | </pre> |
329 | </pre> |
| 319 | |
330 | |
| 320 | <p> |
331 | <p> |
| 321 | The <c>--keep-going</c> option is added to ensure emerge won't stop in case any |
332 | The <c>--keep-going</c> option is added to ensure emerge won't stop in case any |
| 322 | package fails to build. |
333 | package fails to build. If that occurs however, you need to make sure that the |
|
|
334 | remainder of the packages is built. You can check the output of emerge at the |
|
|
335 | end to find out which packages were not rebuilt. |
| 323 | </p> |
336 | </p> |
| 324 | |
337 | |
| 325 | </body> |
338 | </body> |
| 326 | </section> |
339 | </section> |
| 327 | |
340 | |
| 328 | <section id="hardeneddebug"> |
341 | <section id="hardeneddebug"> |
| 329 | <title>How do I debug with gdb?</title> |
342 | <title>How do I debug with gdb?</title> |
| 330 | <body> |
343 | <body> |
| 331 | |
344 | |
| 332 | <p> |
345 | <p> |
| 333 | We have written a <uri link="/proj/en/hardened/hardened-debugging.xml">document |
346 | We have written a <uri link="/proj/en/hardened/hardened-debugging.xml">document |
| 334 | on how to debug with Gentoo Hardened</uri>, so following the recommendations |
347 | on how to debug with Gentoo Hardened</uri>, so following the recommendations |
| 335 | there should fix your problem. |
348 | there should fix your problem. |
| 336 | </p> |
349 | </p> |
| 337 | |
350 | |
| 338 | </body> |
351 | </body> |
| 339 | </section> |
352 | </section> |
| 340 | |
353 | |
| 341 | <section id="jitflag"> |
354 | <section id="jitflag"> |
| 342 | <title>Why is the jit flag disabled in the hardened profile?</title> |
355 | <title>Why is the jit and orc flag disabled in the hardened profile?</title> |
| 343 | <body> |
356 | <body> |
| 344 | |
357 | |
| 345 | <p> |
358 | <p> |
| 346 | JIT means Just In Time Compilation and consist on taking some code meant to be |
359 | JIT means Just In Time Compilation and consist on taking some code meant to be |
| 347 | interpreted (like Java bytecode or JavaScript code) compile it into native |
360 | interpreted (like Java bytecode or JavaScript code) compile it into native |
| 348 | binary code in memory and then executing the compiled code. This means that the |
361 | binary code in memory and then executing the compiled code. This means that the |
| 349 | program need a section of memory which has write and execution permissions to |
362 | program need a section of memory which has write and execution permissions to |
| 350 | write and then execute the code which is denied by PaX, unless the mprotect flag |
363 | write and then execute the code which is denied by PaX, unless the mprotect flag |
| 351 | is unset for the executable. As a result, we disabled the JIT use flag by |
364 | is unset for the executable. As a result, we disabled the JIT use flag by |
| 352 | default to avoid complaints and security problems. |
365 | default to avoid complaints and security problems. ORC use Just In Time |
|
|
366 | Compilation (jit). |
| 353 | </p> |
367 | </p> |
| 354 | |
368 | |
| 355 | <p> |
369 | <p> |
| 356 | You should bear in mind that having a section which is written and then executed |
370 | You should bear in mind that having a section which is written and then executed |
| 357 | can be a serious security problem as the attacker needs to be able to exploit a |
371 | can be a serious security problem as the attacker needs to be able to exploit a |
| 358 | bug between the write and execute stages to write in that section in order to |
372 | bug between the write and execute stages to write in that section in order to |
| 359 | execute any code it wants to. |
373 | execute any code it wants to. |
| 360 | </p> |
374 | </p> |
| 361 | </body> |
375 | </body> |
| 362 | </section> |
376 | </section> |
| 363 | |
377 | |
| 364 | <section id="enablejit"> |
378 | <section id="enablejit"> |
| 365 | <title>How do I enable the jit flag?</title> |
379 | <title>How do I enable the jit or orc flag?</title> |
| 366 | <body> |
380 | <body> |
| 367 | |
381 | |
| 368 | <p> |
382 | <p> |
| 369 | If you need it, we recommend enabling the flag in a per package basis using |
383 | If you need it, we recommend enabling the flag in a per package basis using |
| 370 | <c>/etc/portage/package.use</c> |
384 | <c>/etc/portage/package.use</c> |
| 371 | </p> |
385 | </p> |
| 372 | |
386 | |
| 373 | <pre caption="Example /etc/portage/package.use enabling JIT in some libraries"> |
387 | <pre caption="Example /etc/portage/package.use enabling JIT in some libraries"> |
| 374 | x11-libs/qt-core jit |
388 | x11-libs/qt-core jit |
| 375 | x11-libs/qt-script jit |
389 | x11-libs/qt-script jit |
| 376 | x11-libs/qt-webkit jit |
390 | x11-libs/qt-webkit jit |
| 377 | </pre> |
391 | </pre> |
| 378 | |
392 | |
| 379 | <p> |
393 | <p> |
| 380 | Anyway, you can enable the use flag globally using <c>/etc/make.conf</c> |
394 | Anyway, you can enable the use flag globally using <c>/etc/make.conf</c> |
| … | |
… | |
| 387 | # Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing. |
401 | # Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing. |
| 388 | CHOST="x86_64-pc-linux-gnu" |
402 | CHOST="x86_64-pc-linux-gnu" |
| 389 | # These are the USE flags that were used in addition to what is provided by the |
403 | # These are the USE flags that were used in addition to what is provided by the |
| 390 | # profile used for building. |
404 | # profile used for building. |
| 391 | <comment>#If you have more uses adding jit to the end should suffice</comment> |
405 | <comment>#If you have more uses adding jit to the end should suffice</comment> |
| 392 | USE="jit" |
406 | USE="jit" |
| 393 | |
407 | |
| 394 | MAKEOPTS="-j2" |
408 | MAKEOPTS="-j2" |
| 395 | |
409 | |
| 396 | GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/" |
410 | GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/" |
| 397 | |
411 | |
| 398 | SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" |
412 | SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" |
| 399 | </pre> |
413 | </pre> |
| 400 | |
414 | |
| 401 | <impo> |
415 | <impo> |
| 402 | Remember that if you enable JIT code on PaX you may need to disable mprotect on |
416 | Remember that if you enable JIT or ORC code on PaX you may need to disable mprotect on |
| 403 | the binaries using such code, either by them selves or through libraries. Check |
417 | the binaries using such code, either by them selves or through libraries. Check |
| 404 | the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this |
418 | the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this |
| 405 | </uri> |
419 | </uri> |
| 406 | </impo> |
420 | </impo> |
| 407 | |
421 | |
| 408 | </body> |
422 | </body> |
| 409 | </section> |
423 | </section> |
| 410 | |
424 | |
| 411 | </chapter> |
425 | </chapter> |
| 412 | |
426 | |
| 413 | <chapter> |
427 | <chapter> |
| 414 | <title>PaX Questions</title> |
428 | <title>PaX Questions</title> |
| 415 | <section id="paxinformation"> |
429 | <section id="paxinformation"> |
| 416 | <title>Where is the homepage for PaX?</title> |
430 | <title>Where is the homepage for PaX?</title> |
| 417 | <body> |
431 | <body> |
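Review bot: the `enablejit` title and the `<impo>` block now cover orc as well as jit, but both examples in the section are still jit-only (the `package.use` caption "enabling JIT in some libraries" and `USE="jit"` in the make.conf listing); either add an orc entry alongside the jit ones or state explicitly that the same procedure applies with `orc` in place of `jit`, otherwise a reader following the orc path has nothing to copy. Two small points in the same `<impo>` text: "by them selves" should be "by themselves", and the sentence ending in `</uri>` has no full stop.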