On Monday 23 January 2012 15:12:47 Francesco Riosa wrote:
> 2012/1/23 Mike Gilbert:
> > On Mon, Jan 23, 2012 at 2:57 PM, Jason A. Donenfeld wrote:
> >> To check for PIE,
> >>
> >> readelf -h /bin/su | grep Type
> >>
> >> If it says EXEC, no PIE. If it says DYN, yes PIE.
> >
> > I'm asking "how does one enable PIE/ASLR", not how to check if it is
> > enabled already.
>
> - PIE should be -fPIC also for the executable, not only for the .so
> (has a performance impact)

not entirely sure what you're saying here. i'll clarify in general:
 - build all code going into shared libraries with -fPIC (regardless of
   hardening, this is Gentoo policy today)
 - build code going into executables with -fPIE (this is what hardened does,
   not default Gentoo systems)

you could build all code (including executables) with -fPIC, but that has
useless overhead compared to -fPIE. it's small but not insignificant.

> - ASLR you need "hardened" use for gcc, and the toolchain, pax kernel help
> too

the hardened toolchain "helps", but it is not required. ASLR is in the
mainline Linux kernel and iirc, enabled by default. it is already operating on
all shared libraries because those are PIC.
-mike