[arch-dev-public] Proposal: enabling full ASLR on x86_64 via hardening-wrapper

Allan McRae allan at archlinux.org
Fri Dec 26 00:56:28 UTC 2014


On 19/12/14 09:31, Daniel Micay wrote:
> The only real barrier to enabling it is the lack of support in GCC for
> simply flipping it on by default. Library code is already built with -fPIC
> and is then linked with -shared. Full ASLR requires building the executable
> code with -fPIE (or -fPIC, which isn't as cheap) and then linking with -pie.
> There are two approaches to this:
> 
> 1) Patching the toolchain's spec files (Hardened Gentoo)
> 2) Wrapper scripts for clang/gcc/ld.bfd/ld.gold (Debian, Fedora, Ubuntu)
> 
> Upstream hasn't accepted various forms of the first option,

https://gcc.gnu.org/ml/gcc-patches/2014-11/msg01905.html
Best patch I have seen yet - and had no negative comments from upstream.
I'd guess it has a good chance to be included in gcc-5.0.  If it gets
committed I can backport immediately.

I am not in favour of using the hardening script because I don't find it
adheres to what we consider KISS.  Our build system is supposed to be
simple and entirely transparent when looking at the PKGBUILD and default
makepkg.conf.  Any user can run "abs" and "makepkg" and get (roughly)
the same package.

Allan