cvs commit: hints propolice.txt
tushar at linuxfromscratch.org
Tue Oct 28 21:25:12 PST 2003
tushar 03/10/28 22:25:12
Modified: . propolice.txt
Updated Hint: propolice
Revision Changes Path
1.4 +54 -21 hints/propolice.txt
RCS file: /home/cvsroot/hints/propolice.txt,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -u -r1.3 -r1.4
--- propolice.txt 25 Oct 2003 00:36:51 -0000 1.3
+++ propolice.txt 29 Oct 2003 05:25:12 -0000 1.4
@@ -1,6 +1,6 @@
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)
LICENSE: Public Domain
@@ -11,9 +11,9 @@
-This hint requires that you have sufficient knowledge of LinuxFromScratch.
-This hint is available for GCC version 3.3.1.
-Note: Gcc-2.95.3 and gcc-3.2.3 patches are coming soon.
+This hint requires that you have sufficient knowledge of Linux.
+See ceveats below.
+This hint is available for GCC version 3.3.1 and 2.95.3.
Note: gcc-core package is the only required component. Others are optional.
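Review bot: The added pointer "See ceveats below." misspells "caveats" and does not name the section it refers to, although it is the reader's only signpost to the known build failures; spell it correctly and name the section. The removed note promised gcc-3.2.3 patches, while the new version line lists only 3.3.1 and 2.95.3, so state whether 3.2.3 is unsupported or still pending.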
@@ -24,44 +24,65 @@
attacks. ProPolice stack guard has been used against xlockmore-3.10,
Perl-5.003, elm-2.003, and SuperProbe-2.11 which all have known root exploits.
Testing showed that when these programs were exploited the stack guard
-terminated them with a message that a stack smashing attack had been detected.
-This guard protects against bugs and attacks not yet conceived. It has shown
-to be robust, practical to use, and preform well. ProPolice has been
-intergrated into OpenBSD, and should be added to Gentoo Linux in the near
+terminated them with a message stating a stack smashing attack had been
+detected. This guard protects against bugs and attacks not yet conceived.
+It has shown to be robust, practical to use, and preform well. ProPolice has
+been intergrated into OpenBSD, and should be added to Gentoo Linux in the near
future, among others. The official website for ProPolice can be found in the
-acknowledgments at the end of this document.
+acknowledgments at the end of this document. ProPolice is still young and has
+not been widely tested. It is my opinion ProPolice, or a varient, will become
+a normal part of all GNU systems after enough real world testing has been done.
+This patch adds two compile options to GCC; -fstack-protector enables the
+protection, and -fno-stack-protector disables the protection.
-Binutils make check dies from errors when using gcc-propolice.
-FAIL: S-records with constructors
-This was tested on several machines.
-Aside from that it looks good.
-This hint is _alpha_ atm.
+You can expect a handfull of errors from regression tests in the toolchain.
+Binutils being the worse. I tested the ProPolice _Only_ patch on several systems
+with similiar results. Grub will only build with -fno-stack-protector, or you
+can use lilo. Xfree needs a patch to enable OpenBSD ProPolice code. The X server
+will be protected, but not the modules. You can also expect problems with
+libPAM, and likely some unknown problems exist. I have made the authors of these
+software bundles aware of the problems, and hope they're resolved in future
Choose your patche(s)
-There are 2 types of patches.
+There are 2 types of patches for GCC.
1. With the ProPolice _Only_ patch the -fstack-protector is used by default
including during GCC's boostrap phase. With this patch all the software you
build with GCC will be automaticly protected. If you experience any abnormal
errors, the -fno-stack-protector can be set to debug the error. Please report
+any problems. ProPolice build errors are easy to spot, look for "smash".
2. With generic protection GCC does not utilize the patch, and is set
-fno-stack-protector by default. -fstack-protector can be set in CFLAGS and
-CXXFLAGS to enable the guard.
+CXXFLAGS to enable the guard. This is good for testers.
+If you read this patch you will see how simple it is.
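Review bot: The rewritten caveats replace the one concrete, checkable failure the old text named ("FAIL: S-records with constructors") with "a handfull of errors from regression tests", so a reader can no longer tell an expected failure from a new one; keep the named binutils test and list the other failures observed. The GRUB caveat says it builds only with -fno-stack-protector, but with the _Only_ patch making protection the default the text does not say where to set the flag; since item 2 already mentions CFLAGS and CXXFLAGS, say the same for the GRUB build. "The X server will be protected, but not the modules" should state that module code therefore runs without the guard. Spelling in the added lines: "varient", "handfull", "similiar", "Binutils being the worse".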
@@ -70,6 +91,9 @@
cd gcc-3.3.1 &&
patch -Np1 -i ../gcc-3.3.1-propolice_only.patch
+patch -Np1 -i ../XFree86-4.3.0-propolice.patch
When it is installed you can confirm the binaries are protected.
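Review bot: The added "patch -Np1 -i ../XFree86-4.3.0-propolice.patch" follows the gcc-3.3.1 commands directly, and as shown nothing tells the reader to change into the XFree86 source tree first; run from inside gcc-3.3.1 it cannot apply. Give it its own step with the directory change, mirroring the "cd gcc-3.3.1 &&" form used for the GCC patch, and say that it is needed only when building XFree86.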
@@ -86,7 +110,7 @@
-* More testing.
@@ -100,6 +124,8 @@
* IBM is a registered trademark of the IBM Corporation found at
+* Thanks to Gentoo for providing documents and patch http://www.gentoo.org/
+* Thanks to OpenBSD for their XFree86 code. http://www.openbsd.org/
@@ -112,4 +138,11 @@
* Added caveat.
* Fixed URLS.
* Lite edit
+* New bugs found.
+* GCC 2.95.3 patches made.
+* XFree86-4.3.0 patch made.
+* Hint is now Beta - Need more feedback.
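Review bot: The entry "New bugs found." does not say which bugs, and "Hint is now Beta - Need more feedback." sits oddly beside the removal of "* More testing." earlier in this revision. Point the changelog entry at the caveats it refers to (binutils, GRUB, XFree86 modules, libPAM) and keep the testing item open while feedback is still being requested.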