winter.txt

Robert Connolly cendres at videotron.ca
Tue Feb 3 12:11:58 PST 2004


We have non-exec kernel stack on first boot! :)
Please update hint.
-------------- next part --------------
AUTHOR: Robert Connolly <cendres at videotron dot ca> (ashes)

DATE:   2004-02-02

LICENSE:        Public Domain

SYNOPSIS:       Position independent executables + Pax

PRIMARY URL:	ftp://twocents.mooo.com/pub/

DESCRIPTION:
Experimental.
Position independent executables (PIE) are a superset of position independent
code (PIC). PIE will be formally available with gcc-3.4; this hint uses the
original patch that made it into gcc-3.4. This provides extra security features
that can be used by Pax/Grsecurity, exec-shield, and others. It is also a good
idea to use ProPolice together with this even though there is overlapping
functionality.

http://gcc.gnu.org/ml/gcc-patches/2003-06/msg00140.html
http://pax.grsecurity.net/
http://www.grsecurity.net/
http://people.redhat.com/mingo/exec-shield/

PREREQUISITES: LFS-5.0

HINT:

=======
Context
=======

	Introduction
	Downloads
	Installation
	Testing
	Feedback
	Acknowledgments

============
Introduction
============
Follow the cvs book with this hint. Unfortunately -fpie is slightly broken in
the glibc-2.3.3 that is in the LFS cvs book. I tested this against
glibc-2.3-20040129. You also need a binutils that understands -pie, either HJL
or FSF-cvs. If you use FSF-cvs binutils you will have to comment out the sanity
check in glibc/configure: find it with

grep -n -e "too old" configure

and comment out the whole test. HJL should work without that hassle. I don't
have a relro patch for FSF binutils yet either, so HJL is recommended.

=========
Downloads
=========
-----
Glibc
-----
Thanks to Teemu Tervo's nptl hint. This shouldn't be necessary soon.

cvs -d :pserver:anoncvs@sources.redhat.com:/cvs/glibc -z3 co libc
mv libc glibc-2.3-`date +%Y%m%d`
tar cjf glibc-2.3-`date +%Y%m%d`.tar.bz2 glibc-2.3-`date +%Y%m%d`
rm -rf glibc-2.3-`date +%Y%m%d`

Glibc uses an executable stack in ld.so. To use Pax you will need this patch.
http://csociety-ftp.ecn.purdue.edu/pub/gentoo-portage/ \
	sys-libs/glibc/files/2.3.3/glibc-2.3.3-dl_execstack-PaX-support.patch
http://www.linuxfromscratch.org/patches/downloads/glibc/ \
	glibc-2.3.3-dl_execstack-PaX-support-1.patch
ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3-dl_execstack-PaX-support-1.patch

This gives us Pax-friendly behaviour from iconvconfig. I don't think it's
completely necessary. (Works on glibc-2.3.3 too.)
http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
	2.3.2/glibc-2.3.2-iconvconfig-name_insert.patch
ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.2-iconvconfig-name_insert.patch

This is pt_gnu support for Pax. It is needed to use softmode and will become
obligatory eventually.
http://mirror.calvin.edu/gentoo/gentoo-portage/sys-libs/glibc/files/ \
	2.3.3/glibc-2.3.3_pre20040117-pt_pax.diff
ftp://twocents.mooo.com/pub/hcc/pie/glibc-2.3.3_pre20040117-pt_pax.diff

--------
Binutils
--------
HJL
ftp://ftp.kernel.org/pub/linux/devel/binutils/binutils-2.14.90.0.8.tar.bz2

This patch combines 3 patches temporarily. When 2.14.90.0.9 is released we will
only need to patch the pt_pax portion. I think I forgot to mention that this
hint is bleeding edge :)
ftp://twocents.mooo.com/pub/hcc/pie/ \
	binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch

----
PIE
----
You only need one of these.
http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/~checkout~/ \
        SPECS/gcc/gcc33-pie.patch
http://www.linuxfromscratch.org/patches/downloads/gcc/ \
        gcc-3.3-pie-1.patch
ftp://twocents.mooo.com/pub/hcc/pie/gcc-3.3-pie-2.patch

----
Pax
----
Kernel 2.4
http://pax.grsecurity.net/pax-linux-2.4.23-200401091805.patch

Kernel 2.6
http://pax.grsecurity.net/pax-linux-2.6.1-200401091905.patch

This is an information leak patch. It's not available for 2.6 yet :(
http://cr0.org/pax-obscure/pax+obs-linux-2.4.22-200308302223.tar.gz

----
HGCC
----
This is a specs file editor for changing the default behaviour of gcc to use
-fpie and -fstack-protector-all. Check for newer versions. If anyone wants to
write this script better, email me. hgcc3 has added ld -z relro and combreloc.
ftp://twocents.mooo.com/pub/hcc/hgcc3.sh
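The specs-file mechanism that hgcc relies on, shown as an added example. This
is not the hint's hgcc3.sh; it is a hypothetical minimal editor written for
this page. gcc reads an optional "specs" file from the path printed by
gcc -print-file-name=specs (created with gcc -dumpspecs > specs), and each
"*name:" section's body becomes default options for that program. The flag
spellings are the ones the hint lists (-fpie, -pie, -fstack-protector-all,
-z relro, -z combreloc); the %{!switch:...} guards are my assumption, chosen so
an explicit switch on the command line still wins. The script takes the specs
file path as an argument, so try it on a copy first.

```shell
#!/bin/sh
# Added example, not the hint's hgcc3.sh: a minimal specs-file editor showing
# the mechanism hgcc uses. A specs section starts with a line "*name:" and its
# body is the line(s) that follow, up to a blank line. Flag spellings and spec
# conditionals below are assumptions for gcc-3.3 with the PIE and ProPolice
# patches, not taken from the real hgcc script.

# spec_append FILE SECTION TEXT: append TEXT to the body of "*SECTION:".
spec_append() {
    awk -v sec="*$2:" -v add="$3" '
        $0 == sec {
            print
            if ((getline body) > 0) {
                # an empty section is "*name:" followed directly by the blank
                # terminator; keep that terminator when we give it a body
                if (body == "") { print add; print "" } else { print body " " add }
            }
            next
        }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# spec_body FILE SECTION: print the body line of "*SECTION:" (used for checks).
spec_body() {
    awk -v sec="*$2:" '$0 == sec { getline; print; exit }' "$1"
}

# hgcc_enable FILE: the "-pa-fpie" idea. Keep a pristine copy, then make
# -fpie / -fstack-protector-all / -pie / -z relro -z combreloc the defaults,
# each guarded so an explicit opposite switch on the command line wins.
hgcc_enable() {
    [ -f "$1.orig" ] || cp "$1" "$1.orig"
    cp "$1.orig" "$1"                      # always start from the pristine copy
    for sec in cc1 cc1plus; do
        spec_append "$1" "$sec" "%{!fno-pie:%{!fpic:%{!fPIC:-fpie}}}"   # assumed guard
        spec_append "$1" "$sec" "%{!fno-stack-protector:-fstack-protector-all}"
    done
    # link as PIE unless building a shared lib, a static binary or a partial link
    spec_append "$1" link "%{!shared:%{!static:%{!r:-pie}}} %{!static:-z relro -z combreloc}"
}

# hgcc_restore FILE: the "-r" idea. Put the pristine specs back for a package
# that does not build as PIE (the hint names binutils' make check, grub and
# util-linux's pivot_root), then run hgcc_enable again afterwards.
hgcc_restore() {
    if [ -f "$1.orig" ]; then
        mv "$1.orig" "$1"
    fi
    return 0
}

# Constructed minimal specs file with only the sections this script touches;
# a real gcc -dumpspecs output has many more.
demo_specs() {
    dir=$(mktemp -d)
    cat > "$dir/specs" <<'EOF'
*cc1:
%(cc1_cpu) %{profile:-p}

*cc1plus:

*link:
%{!static:--eh-frame-hdr}

EOF
    printf '%s\n' "$dir/specs"
}

# Walk through one enable/restore cycle on the constructed file.
specs=$(demo_specs)
hgcc_enable "$specs"
echo "cc1 with PIE defaults: $(spec_body "$specs" cc1)"
echo "link with PIE defaults: $(spec_body "$specs" link)"
hgcc_restore "$specs"
echo "cc1 restored:          $(spec_body "$specs" cc1)"
rm -rf "$(dirname "$specs")"
```

Because hgcc_enable always rebuilds from the saved pristine copy, running it
twice does not stack duplicate flags, and hgcc_restore leaves the file exactly
as it was before the first enable.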

=====================
Installation
=====================
---------
Chapter 5
---------
 - Binutils
Use this every time you build binutils.
patch -Np1 -i ../binutils-2.14.90.0.8-pt_pax-eh_frame-relro-1.patch

Run hgcc -r before make check, and hgcc -pa-fpie after make check.
Repeat this for every binutils make check. No other packages are known to have
issues like this.

 - Glibc-cvs
If you plan to use the programs in /tools after you reboot, then use the patches
from the chapter 6 glibc section below.

 - GCC pass 2
patch -Np1 -i ../gcc-3.3-pie-2.patch

 - HGCC
cp hgcc3.sh /tools/bin/hgcc
chmod +x /tools/bin/hgcc
hgcc -pa-fpie

---------
Chapter 6
---------
 - Glibc
patch -Np1 -i ../glibc-2.3.3-dl_execstack-PaX-support-1.patch
patch -Np1 -i ../glibc-2.3.2-iconvconfig-name_insert.patch
patch -Np1 -i ../glibc-2.3.3_pre20040117-pt_pax.diff

Checking for fpie and relro should answer "yes" during configure.

 - GCC
patch -Np1 -i ../gcc-3.3-pie-2.patch

 - HGCC
cp hgcc3.sh /usr/bin/hgcc
chmod +x /usr/bin/hgcc
hgcc -pa-fpie

 - Grub
Run hgcc -r before configure, and hgcc -pa-fpie after make install.

 - Util Linux
For now pivot_root doesn't build with fpie. This needs investigation, maybe a
patch. Run hgcc -r before configure, and hgcc -pa-fpie after make install.

---------
Chapter 8
---------
 - Linux Kernel
patch -Np1 -i ../pax-linux-2.4.23-200401091805.patch

I can boot using all the options except:
CONFIG_PAX_EMUSIGRT and CONFIG_PAX_NOELFRELOCS

========
Testing
========
Download:
http://pax.grsecurity.net/paxtest-0.9.5.tar.gz

========
Feedback
========

<cendres at videotron dot ca>

ACKNOWLEDGMENTS:

* Thanks to Gnu for the GNU toolchain. http://www.gnu.org/
* Thanks to Redhat for contributions to the GNU toolchain.
	http://www.redhat.com/
* Thanks to the Pax team. http://pax.grsecurity.net/
* Thanks to Gentoo and the Hardened Gentoo team for development,
  testing, and patches. http://www.gentoo.org/proj/en/hardened/

CHANGELOG:
[2003-10-18]
* Debut
* Reformat hint
[2003-10-22]
* Reformatted the patches so they're much easier to apply.
* Edit/rewrite hint & synopsis.
[2003-10-24]
* Added caveat.
* Fixed URLS.
* Lite edit
[2003-10-25]
* New bugs found.
[2003-10-26]
* GCC 2.95.3 patches made.
[2003-10-27]
* XFree86-4.3.0 patch made.
* Hint is now Beta - Need more feedback.
[2003-11-03]
* Edit
* Reformatted patches.
[2003-11-12]
* Reformat patches.
* Update/edit hint.
* Add new example tests.
[2003-11-21]
* Reformat patches.
* Add homepage/mirror url.
* Small edit.
[2003-12-01]
* Added Glibc and kernel patches.
* Rewrote install procedure.
[2003-12-20]
* Try to be more informative.
* Removed Gentoo property.
* Added Libsafe.
* Added Pax.
* Added new versions of binutils and glibc.
* Added GCC PIE.
* Rename filename to winter.txt.
[2003-12-21]
* Do not use "Enforce non-executable pages"
* Spell check.
* Fixed URL.
[2003-12-22]
* Added LOPTS to Net-tools.
* Added LDFLAGS to Perl.
[2003-12-25]
* More cflags.
* New tests.
[2004-02-02]
* Update gcc pie patch.
* Moved Libsafe and ProPolice to prolice.txt
* Added fpie to hgcc2.sh
[2004-02-03]
* Add gnu_pt patches.
* Add ld -z relro support.
* Added relro and combreloc to hgcc3.sh
