Matt Harrison | 13 Oct 23:52

glibc not using PIE

I'm still fiddling to get my firewall running smoothly on hardened/selinux

I'm re-emerging various things but I'm seeing this:

 PIE hardening not applied, as your compiler doesn't default to PIE

when emerging glibc. Google doesn't have any answers...

Any ideas?

thanks

Matt

Kerin Millar | 14 Oct 02:47

Re: glibc not using PIE

2008/10/13 Matt Harrison <iwasinnamuknow@...>:
> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>
> I'm re-emerging various things but I'm seeing this:
>
>  PIE hardening not applied, as your compiler doesn't default to PIE
>

You set the "hardened" USE flag, which is normally exported by the
standard hardened profile and, indeed, the equivalent sub-profiles in
the selinux namespace. This is appropriate when using - and building -
the hardened toolchain. In the case of glibc, it installs several
patches to aid in the generation of system-wide PIE binaries and
facilitates SSP handling. However, you are not actually using a
suitable instance of gcc with the correct specs activated, presumably
because you didn't begin with a hardened stage tarball - and toolchain
- in the first instance (in turn, perhaps owing to the somewhat
irregular nature of the SELinux installation process in Gentoo). The
only supported compiler for this particular intent is gcc-3.4.6-r2 and
you may peruse and switch between the available specs using the
gcc-config tool. For further details, please refer to the following
pages:

http://www.gentoo.org/proj/en/hardened/primer.xml
http://www.gentoo.org/proj/en/hardened/hardened-toolchain.xml

Cheers,

--Kerin

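The glibc ebuild message quoted above comes from a build-time probe of whether the active gcc emits position-independent executables without being told to. The script below is an added example, not code from the thread or from Gentoo: it repeats that probe by hand, so a user who has switched specs with gcc-config can confirm which behaviour the selected compiler actually has. It assumes `$CC` (default `gcc`) and `readelf` are on the PATH; the hypothetical function names are mine.

```shell
#!/bin/sh
# Added example: does the selected compiler default to PIE?
# Not from the thread; assumes $CC (default gcc) and readelf exist.

# Classify a linked program from its `readelf -h` output.
# An executable linked as ET_DYN is a PIE; ET_EXEC is a fixed-address
# binary. (Shared libraries are also ET_DYN, so this reading is only
# valid because we feed it a program we linked ourselves.)
elf_type_from_readelf() {
    type_line=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Type:[[:space:]]*//p')
    case "$type_line" in
        DYN*)  echo PIE ;;
        EXEC*) echo EXEC ;;
        *)     echo UNKNOWN ;;
    esac
}

# Compile a trivial program with no -pie/-fPIE on the command line, so
# the result reflects the compiler's built-in specs, then classify it.
# Prints PIE, EXEC, or NOCOMPILER when gcc/readelf are unavailable.
compiler_default_pie() {
    cc=${CC:-gcc}
    command -v "$cc" >/dev/null 2>&1 || { echo NOCOMPILER; return 0; }
    command -v readelf >/dev/null 2>&1 || { echo NOCOMPILER; return 0; }
    tmp=$(mktemp -d) || return 1
    printf 'int main(void) { return 0; }\n' > "$tmp/probe.c"
    if "$cc" -o "$tmp/probe" "$tmp/probe.c" 2>/dev/null; then
        elf_type_from_readelf "$(readelf -h "$tmp/probe")"
    else
        echo NOCOMPILER
    fi
    rm -rf "$tmp"
}

# On Gentoo, gcc-config -c names the currently selected gcc profile
# (the hardened specs variants show up here); skip it elsewhere.
if command -v gcc-config >/dev/null 2>&1; then
    printf 'selected gcc profile: %s\n' "$(gcc-config -c 2>/dev/null)"
fi
printf 'default executable type: %s\n' "$(compiler_default_pie)"
```

If this prints `EXEC` while the hardened USE flag is set, glibc's complaint is accurate: the specs in use are not the PIE ones, whatever the profile says, and a distcc helper with a different toolchain would give the same result on its side.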

Matt Harrison | 14 Oct 02:56

Re: glibc not using PIE

Kerin Millar wrote:
> 2008/10/13 Matt Harrison <iwasinnamuknow@...>:
>> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>>
>> I'm re-emerging various things but I'm seeing this:
>>
>>  PIE hardening not applied, as your compiler doesn't default to PIE
>>
> 
> You set the "hardened" USE flag, which is normally exported by the
> standard hardened profile and, indeed, the equivalent sub-profiles in
> the selinux namespace. This is appropriate when using - and building -
> the hardened toolchain. In the case of glibc, it installs several
> patches to aid in the generation of system-wide PIE binaries and
> facilitates SSP handling. However, you are not actually using a
> suitable instance of gcc with the correct specs activated, presumably
> because you didn't begin with a hardened stage tarball - and toolchain

Well I installed from the stage3-hardened 2008 tarball...then I
recompiled most of it for selinux, all the time my profile was set to
selinux-hardened.

> - in the first instance (in turn, perhaps owing to the somewhat
> irregular nature of the SELinux installation process in Gentoo). The
> only supported compiler for this particular intent is gcc-3.4.6-r2 and
> you may peruse and switch between the available specs using the
> gcc-config tool.

Maybe it's defaulting to using 4.x and that isn't hardened.


Matt Harrison | 14 Oct 03:04

Re: glibc not using PIE

Matt Harrison wrote:
> Kerin Millar wrote:
>> 2008/10/13 Matt Harrison <iwasinnamuknow@...>:
>>> I'm still fiddling to get my firewall running smoothly on hardened/selinux
>>>
>>> I'm re-emerging various things but I'm seeing this:
>>>
>>>  PIE hardening not applied, as your compiler doesn't default to PIE
>>>
>> You set the "hardened" USE flag, which is normally exported by the
>> standard hardened profile and, indeed, the equivalent sub-profiles in
>> the selinux namespace. This is appropriate when using - and building -
>> the hardened toolchain. In the case of glibc, it installs several
>> patches to aid in the generation of system-wide PIE binaries and
>> facilitates SSP handling. However, you are not actually using a
>> suitable instance of gcc with the correct specs activated, presumably
>> because you didn't begin with a hardened stage tarball - and toolchain
> 
> Well I installed from the stage3-hardened 2008 tarball...then I
> recompiled most of it for selinux, all the time my profile was set to
> selinux-hardened.
> 
>> - in the first instance (in turn, perhaps owing to the somewhat
>> irregular nature of the SELinux installation process in Gentoo). The
>> only supported compiler for this particular intent is gcc-3.4.6-r2 and
>> you may peruse and switch between the available specs using the
>> gcc-config tool.
> 
> Maybe it's defaulting to using 4.x and that isn't hardened.


Matt Harrison | 14 Oct 03:45

Re: glibc not using PIE

It nearly finished compiling glibc, then I got hit with this:

/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctan.os):
In function `ctan':
s_ctan.c:(.text+0x1f2): undefined reference to `__muldc3'
s_ctan.c:(.text+0x251): undefined reference to `__divdc3'
s_ctan.c:(.text+0x285): undefined reference to `__muldc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanh.os):
In function `ctanh':
s_ctanh.c:(.text+0x1cf): undefined reference to `__divdc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_cpow.os):
In function `cpow':
s_cpow.c:(.text+0x6b): undefined reference to `__muldc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanf.os):
In function `ctanf':
s_ctanf.c:(.text+0x180): undefined reference to `__muldc3'
s_ctanf.c:(.text+0x1c5): undefined reference to `__divsc3'
s_ctanf.c:(.text+0x1fc): undefined reference to `__muldc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanhf.os):
In function `ctanhf':
s_ctanhf.c:(.text+0x18b): undefined reference to `__divsc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_cpowf.os):
In function `cpowf':
s_cpowf.c:(.text+0x3b): undefined reference to `__mulsc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanl.os):
In function `ctanl':
s_ctanl.c:(.text+0x1d2): undefined reference to `__mulxc3'
s_ctanl.c:(.text+0x266): undefined reference to `__divxc3'
s_ctanl.c:(.text+0x2c5): undefined reference to `__mulxc3'
/var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanhl.os):

atoth | 14 Oct 08:25

Re: glibc not using PIE

Instead of solving your particular problem, let me draw your attention to
the experimental hardened toolchain:
https://hardened.gentooexperimental.org/trac/secure/

It provides hardened gcc-4.x based on kevquinn's initial effort. I've been
using it without major hassles for several months now (since June).

If you'll ever happen to give up on SELinux, please give a chance to
grsecurity.

Regards,
Dw.
--

-- 
dr Tóth Attila, Radiológus Szakorvos jelölt, 06-20-825-8057, 06-30-5962-962
Attila Toth MD, Radiologist in Training, +36-20-825-8057, +36-30-5962-962

On Tue, October 14, 2008 03:45, Matt Harrison wrote:
> It nearly finished compiling glibc, then I got hit with this:
>
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctan.os):
> In function `ctan':
> s_ctan.c:(.text+0x1f2): undefined reference to `__muldc3'
> s_ctan.c:(.text+0x251): undefined reference to `__divdc3'
> s_ctan.c:(.text+0x285): undefined reference to `__muldc3'
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_ctanh.os):
> In function `ctanh':
> s_ctanh.c:(.text+0x1cf): undefined reference to `__divdc3'
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc-linux-gnu-nptl/math/libm_pic.a(s_cpow.os):
> In function `cpow':
> s_cpow.c:(.text+0x6b): undefined reference to `__muldc3'

Kerin Millar | 14 Oct 12:14

Re: glibc not using PIE

Try without distcc, with a conservative MAKEOPTS setting and always  
ensure that the toolchain is built in this order: binutils, gcc,  
glibc. Failing that, you could bootstrap (be wary of /etc clobbering  
by baselayout) or roll the affected package again in a "clean" chroot  
before exporting it to the host.

Apologies for the top post - my mobile device makes it unfeasible to  
post in the usual manner.

Cheers,

--Kerin

On 14 Oct 2008, at 02:45, Matt Harrison <iwasinnamuknow@...>  
wrote:

> It nearly finished compiling glibc, then I got hit with this:
>
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc- 
> linux-gnu-nptl/math/libm_pic.a(s_ctan.os):
> In function `ctan':
> s_ctan.c:(.text+0x1f2): undefined reference to `__muldc3'
> s_ctan.c:(.text+0x251): undefined reference to `__divdc3'
> s_ctan.c:(.text+0x285): undefined reference to `__muldc3'
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc- 
> linux-gnu-nptl/math/libm_pic.a(s_ctanh.os):
> In function `ctanh':
> s_ctanh.c:(.text+0x1cf): undefined reference to `__divdc3'
> /var/tmp/portage/sys-libs/glibc-2.6.1/work/build-default-i686-pc- 
> linux-gnu-nptl/math/libm_pic.a(s_cpow.os):

Matt Harrison | 14 Oct 17:49

Re: glibc not using PIE

Kerin Millar wrote:
> Try without distcc, with a conservative MAKEOPTS setting and always
> ensure that the toolchain is built in this order: binutils, gcc, glibc.
> Failing that, you could bootstrap (be wary of /etc clobbering by
> baselayout) or roll the affected package again in a "clean" chroot
> before exporting it to the host.

I hadn't thought of that at all... the toolchain on the distcc server
isn't hardened at all. I'll try it again local only.

Thanks for pointing that out.

Matt
