On 19/12/14 09:31, Daniel Micay wrote:
> The only real barrier to enabling it is the lack of support in GCC for simply flipping it on by default. Library code is already built with -fPIC and is then linked with -shared. Full ASLR requires building the executable code with -fPIE (or -fPIC, which isn't as cheap) and then linking with -pie. There are two approaches to this:
>
> 1) Patching the toolchain's spec files (Hardened Gentoo)
> 2) Wrapper scripts for clang/gcc/ld.bfd/ld.gold (Debian, Fedora, Ubuntu)
>
> Upstream hasn't accepted various forms of the first option,
> https://gcc.gnu.org/ml/gcc-patches/2014-11/msg01905.html

Best patch I have seen yet - and had no negative comments from upstream. I'd guess it has a good chance to be included in gcc-5.0. If it gets committed I can backport immediately.

I am not in favour of using the hardening script because I don't find it adheres to what we consider KISS. Our build system is supposed to be simple and entirely transparent when looking at the PKGBUILD and default makepkg.conf. Any user can run "abs" and "makepkg" and get (roughly) the same package.

Allan
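A check for the property the thread is about, added here as an illustration and not code from either poster or from GCC: it reads an ELF header and reports whether the binary was linked as ET_DYN (what -fPIE/-pie produces, so the kernel can randomise its base) or ET_EXEC (fixed load address). It assumes a little-endian ELF file and uses two constructed sample headers; ET_DYN also covers shared objects, so point it at executables.

```c
/* Added example, not from the thread: classify an ELF file by e_type.
 * Linking with -pie produces ET_DYN, which the kernel loads at a randomised
 * base; a non-PIE executable is ET_EXEC with a fixed address.
 * Assumption: little-endian ELF (x86, x86-64, AArch64); others are rejected. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#define MY_ET_EXEC 2   /* e_type values from the ELF specification */
#define MY_ET_DYN  3

/* Returns 1 for ET_DYN (PIE, or a shared object), 0 for ET_EXEC,
 * -1 if buf is too short, not ELF, or not little-endian. */
int elf_is_pie(const unsigned char *buf, size_t len)
{
    if (len < 18 || memcmp(buf, "\x7f" "ELF", 4) != 0)
        return -1;
    if (buf[5] != 1)                 /* EI_DATA: 1 = ELFDATA2LSB */
        return -1;
    uint16_t e_type = (uint16_t)(buf[16] | (buf[17] << 8)); /* offset 16 in ELF32 and ELF64 */
    if (e_type == MY_ET_DYN)  return 1;
    if (e_type == MY_ET_EXEC) return 0;
    return -1;                       /* ET_REL, ET_CORE, ...: not a linked executable */
}

/* Reads the start of a file and classifies it; -1 on I/O error as well. */
int file_is_pie(const char *path)
{
    unsigned char hdr[64];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(hdr, 1, sizeof hdr, f);
    fclose(f);
    return elf_is_pie(hdr, n);
}

/* Constructed sample headers: ELF magic, 64-bit class, little-endian, then e_type. */
static const unsigned char SAMPLE_EXEC_HDR[18] =
    { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, MY_ET_EXEC, 0 };
static const unsigned char SAMPLE_DYN_HDR[18] =
    { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, MY_ET_DYN, 0 };

int main(int argc, char **argv)
{
    /* No argument: inspect this binary itself; build it with and without -fPIE -pie to compare. */
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int r = file_is_pie(path);
    if (r < 0) { fprintf(stderr, "%s: not a supported ELF executable\n", path); return 2; }
    printf("%s: %s\n", path, r ? "ET_DYN (PIE: base address randomised)"
                                : "ET_EXEC (fixed base: no ASLR for the executable)");
    return 0;
}
```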