What exactly is the "toolchain"?
The term "toolchain" refers to the combination of software packages commonly used to build and develop for a particular architecture. The toolchain you may hear referred to in the gentoo-hardened IRC channel consists of the GNU Compiler Collection (GCC), binutils, and the GNU C library (glibc).
What should I use: grsecurity, RSBAC or SELinux?
The answer to this question is highly subjective, so the Hardened Gentoo project simply tries to lay out each technology and leave the choice up to the user. This decision requires a lot of research, which we have hopefully provided clearly in the hardened documentation. However, if you have any specific questions about the security model that each provides, feel free to ask the relevant developer in our IRC channel or on the mailing list.
Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same time?
Yes, this combination is quite possible, as PaX works with grsecurity, RSBAC and SELinux. The only restriction is that you can use only one access control system at a time.
Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on PIE/SSP building?
No. The current toolchain applies the equivalent of CFLAGS="-fPIE -fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro" automatically through GCC's specfile, which is the cleaner solution. Users of older hardened-gcc should add USE="hardened pic" to /etc/make.conf and then upgrade with the following commands:
Code Listing 2.1: Hardened Toolchain Installation
# emerge --oneshot binutils gcc virtual/libc
# emerge -e world
Note: Gentoo patches its GCCs to allow specfiles to be passed through an environment variable. Several sets of specfiles are currently installed on Gentoo systems so that users on supported architectures can easily switch the toolchain's hardening features on and off. As the end user, you access the specs with the gcc-config utility.
How do I turn off PIE/SSP building?
You can use gcc-config to accomplish this:
Code Listing 2.2: Example gcc-config output
# gcc-config -l
[1] i686-pc-linux-gnu-3.4.4 *
[2] i686-pc-linux-gnu-3.4.4-hardenednopie
[3] i686-pc-linux-gnu-3.4.4-hardenednopiessp
[4] i686-pc-linux-gnu-3.4.4-hardenednossp
[5] i686-pc-linux-gnu-3.4.4-vanilla
To turn off SSP building, switch to the hardenednossp profile:
# gcc-config i686-pc-linux-gnu-3.4.4-hardenednossp
Alternatively you can achieve the same by changing your CFLAGS:
To turn off default SSP building when using the hardened toolchain, append -fno-stack-protector-all -fno-stack-protector to your CFLAGS.
If you want to turn off default PIE building then append -nopie to your CFLAGS.
Important: The flag -fno-pic should not be used, as it specifically enables non-PIC code. Using -nopie instead reverts to vanilla GCC behaviour, which is the intended result.
Note: If you are interested in using per-package CFLAGS with Portage, you may want to read about the script solar has developed to deal with this: http://article.gmane.org/gmane.linux.gentoo.hardened/1204
My kernel compilation fails with the error "error: structure has no member named `curr_ip'", how do I fix that?
In order to use PaX on hardened-sources, you must also enable grsecurity in your kernel config. This should be fixed in future kernels.
I just found out about the hardened project; do I have to install everything on the project page in order to install Hardened Gentoo?
No, the Hardened Gentoo Project is a collection of subprojects that all have common security-minded goals. While many of these projects can be installed alongside one another, some conflict with each other, such as several of the ACL implementations that Hardened Gentoo offers.
Why don't my programs work when I use CFLAGS="-O3" and hardened gcc?
Using the GCC optimization flag -O3 is known to be problematic with the stack-smashing protector (SSP) in some situations. This optimization flag is not officially supported and is therefore discouraged by the hardened team. Compile issues reported by users building with CFLAGS="-O3" will be closed as INVALID/CANTFIX and/or ignored.
What happened to bootstrap-cascade.sh?
Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated. In their place, bootstrap-cascade.sh has been renamed to bootstrap.sh.
How do I switch to the hardened profile?
Code Listing 2.3: Set make.profile
# cd /etc
# rm make.profile
# ln -s ../usr/portage/profiles/hardened/x86 make.profile        (For 2.4 kernels)
# ln -s ../usr/portage/profiles/hardened/x86/2.6 make.profile    (For 2.6 kernels)
After setting up your profile, you should recompile your system using a hardened toolchain so that you have a consistent base:
Code Listing 2.4: Switch to hardened toolchain
# emerge --oneshot binutils gcc virtual/libc
# emerge -e world
The first gotcha is that GDB cannot resolve symbols in PIEs: it does not realise that addresses in a PIE are relative rather than absolute. This shows up when you try to get a backtrace, for example, and see a stream of lines with '??' where the symbol name should be.
To get around this, do the final link stage with -nopie. All the preceding object compilations can still use -fPIE as normal (the default with the hardened compiler), so that your executable is as close as possible to the real thing, but the final link must create a regular executable. If you are building with emerge, try adding -nopie to LDFLAGS.
Another way of accomplishing this is to emerge =sys-devel/gdb-6.3-r5, which contains a special patch that lets it debug executables linked with -pie.
The second gotcha is that PaX may prevent GDB from setting breakpoints, depending on how the kernel is configured. This includes the breakpoint at main which you need to get started. To stop PaX from doing this, the executable being debugged needs the m and x flags. The x flag is set by default, so it is enough to do:
Code Listing 2.5: Relax PaX for debug
# /sbin/paxctl -m foo
At this point, you should be good to go! Fire up gdb in the usual way. Good luck!
The homepage for PaX is located at http://pax.grsecurity.net.
What Gentoo documentation exists about PaX?
Currently the only Gentoo documentation that exists about PaX is a PaX quickstart guide located at the http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml website.
I keep getting the message: "error while loading shared libraries: cannot make segment writable for relocation: Permission denied." What does this mean?
This error occurs when you have enabled CONFIG_PAX_NOELFRELOCS in the kernel configuration:
Code Listing 3.1: Menuconfig Options
Non-executable page --->
[*] Disallow ELF text relocations
If you are using the Gentoo hardened toolchain, compiling your programs will normally produce PIC ELF libraries that contain no text relocations. However, certain libraries still contain text relocations for various reasons (often because they contain assembly that is handled incorrectly). This is a security risk, as an attacker can use non-PIC libraries to execute shellcode. Non-PIC libraries are also bad for memory consumption, as they defeat the code-sharing purpose of shared libraries.
To get rid of this error and allow your program to run, you must sacrifice some security and allow runtime code generation for that program. The PaX feature that controls this is called MPROTECT; you must disable MPROTECT on whichever executable uses the non-PIC library.
To check your system for textrels, you can use the program scanelf from app-misc/pax-utils. For information on how to use the pax-utils package please consult the Gentoo PaX Utilities Guide.
Note: Recent versions of sys-apps/portage (>=2.0.53) scan for text relocations and print a warning or even abort the merge process, depending on the FEATURES you have set in /etc/make.conf.
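As a check a practitioner may want both after switching to the hardened toolchain and when hunting for the libraries that trip CONFIG_PAX_NOELFRELOCS: the C program below is added here and is not part of this FAQ or of Gentoo's tools. It parses an ELF64 file's headers directly and reports whether the file was linked as a PIE, with the RELRO and BIND_NOW that the hardened specs produce, and whether it carries text relocations. The HARD_* names and both functions are my own; on a Gentoo system scanelf from pax-utils does the same job with far more options.

```c
#include <elf.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { HARD_PIE = 1, HARD_RELRO = 2, HARD_BIND_NOW = 4, HARD_TEXTREL = 8 };
/* Inspect a little-endian ELF64 image in memory; returns a HARD_* bitmask, or -1 if malformed. */
int elf_hardening(const unsigned char *buf, size_t len)
{
    const Elf64_Ehdr *eh = (const Elf64_Ehdr *)buf;
    if (len < sizeof *eh || memcmp(buf, ELFMAG, SELFMAG) || buf[EI_CLASS] != ELFCLASS64 ||
        buf[EI_DATA] != ELFDATA2LSB || eh->e_phoff > len ||
        eh->e_phnum * sizeof(Elf64_Phdr) > len - eh->e_phoff)
        return -1;
    int bits = eh->e_type == ET_DYN ? HARD_PIE : 0;   /* PIE is ET_DYN like a .so; -nopie gives ET_EXEC */
    const Elf64_Phdr *ph = (const Elf64_Phdr *)(buf + eh->e_phoff);
    for (int i = 0; i < eh->e_phnum; i++) {
        if (ph[i].p_type == PT_GNU_RELRO) bits |= HARD_RELRO;   /* produced by -Wl,-z,relro */
        if (ph[i].p_type != PT_DYNAMIC) continue;
        if (ph[i].p_offset > len || ph[i].p_filesz > len - ph[i].p_offset) return -1;
        const Elf64_Dyn *d = (const Elf64_Dyn *)(buf + ph[i].p_offset);
        for (size_t j = 0; j < ph[i].p_filesz / sizeof *d && d[j].d_tag != DT_NULL; j++) {
            if (d[j].d_tag == DT_BIND_NOW || (d[j].d_tag == DT_FLAGS && (d[j].d_un.d_val & DF_BIND_NOW)))
                bits |= HARD_BIND_NOW;                          /* produced by -Wl,-z,now */
            if (d[j].d_tag == DT_TEXTREL || (d[j].d_tag == DT_FLAGS && (d[j].d_un.d_val & DF_TEXTREL)))
                bits |= HARD_TEXTREL;                           /* non-PIC code; NOELFRELOCS rejects it */
        }
    }
    return bits;
}
/* Read a whole file and inspect it; -1 on open/read failure or malformed ELF. */
int elf_hardening_file(const char *path)
{
    FILE *f = fopen(path, "rb");
    size_t cap = 1 << 20, len = 0, n;                 /* grow the buffer as the file is read */
    unsigned char *buf = f ? malloc(cap) : NULL;
    while (buf && (n = fread(buf + len, 1, cap - len, f)) > 0)
        if ((len += n) == cap) buf = realloc(buf, cap *= 2);
    int bits = buf ? elf_hardening(buf, len) : -1;
    if (f) fclose(f);
    free(buf);
    return bits;
}
int main(int argc, char **argv)
{
    int b = argc == 2 ? elf_hardening_file(argv[1]) : -1;
    if (b < 0) { fprintf(stderr, "usage: %s <elf64-file> (must be a readable ELF64 file)\n", argv[0]); return 1; }
    printf("PIE=%d RELRO=%d BIND_NOW=%d TEXTREL=%d\n", !!(b & HARD_PIE),
           !!(b & HARD_RELRO), !!(b & HARD_BIND_NOW), !!(b & HARD_TEXTREL));
    return 0;
}
```

A binary built with -nopie at the final link, as the GDB section below suggests, shows PIE=0; a library that provokes the "cannot make segment writable for relocation" error shows TEXTREL=1.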
Ever since I started using PaX I can't get Java working, why?
As part of its design, the Java virtual machine creates a considerable amount of code at runtime which does not make PaX happy. There are two ways to correct this problem:
Code Listing 3.2: Install Chpax
# emerge chpax
# /etc/init.d/chpax start
Or if you already have chpax emerged then you can do:
Code Listing 3.3: Java Chpax Options
# chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*
Both of these options slightly modify the ELF header in order to set the PaX flags on the binaries correctly.
Note: If you are running PaX in conjunction with an additional security implementation such as RSBAC, grsecurity, or SELinux, you should manage PaX using the kernel hooks provided for each implementation.
On RSBAC, you can label all Java files with the following command.
Code Listing 3.4: Java PaX options with RSBAC
# for i in /opt/*{jdk,sdk}*/{jre,}/bin/*; do [ -e "$i" ] && attr_set_file_dir FILE "$i" pax_flags pmerxs; done
What is the homepage for grsecurity?
The homepage for grsecurity is located at http://www.grsecurity.net.
What Gentoo documentation exists about grsecurity?
The most current documentation for grsecurity is a Grsecurity2 quickstart guide located at http://www.gentoo.org/proj/en/hardened/grsecurity.xml.
Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 kernel?
Due to significant changes in the 2.6.8 kernel that broke PaX, neither a PaX nor a grsecurity patch is available for kernels 2.6.8, 2.6.8.1, or 2.6.9. Although an experimental patch is available for 2.6.10, the official stance of the PaX Team regarding 2.6 kernels should be noted and taken into consideration before use: http://forums.grsecurity.net./viewtopic.php?t=968.
What is the homepage for RSBAC?
The homepage for RSBAC is located at http://www.rsbac.org.
What Gentoo documentation exists about RSBAC?
All Gentoo RSBAC documentation is located at the RSBAC subproject page found at: http://www.gentoo.org/proj/en/hardened/rsbac/index.xml
Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook, found at: http://www.rsbac.org/documentation/rsbac_handbook
How do I use an initial ramdisk with a RSBAC enabled kernel?
To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option must be enabled or else RSBAC will treat the initrd as the root device:
Code Listing 5.1: Menuconfig Options
General RSBAC options --->
[*] Delayed init for initial ramdisk
Where can I find SELinux related frequently asked questions?
A SELinux specific FAQ can be found at http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3.