[grsec] difference between "new" and "legacy" toolchain
Peter S. Mazinger
ps.m at gmx.net
Tue Nov 2 11:53:03 EST 2004

On Sun, 31 Oct 2004, Marcel Meyer wrote:
> Thank you all for answering my question. :-)
>
> On Saturday, 30 October 2004 20:15, pageexec at freemail.hu wrote:
> > > enabling the PAX features requires your applications being compiled
> > > with "a new toolchain". Now I'm wondering what's that exactly. Does
> > > this only mean, I need simply a quite recent gcc/coreutils/etc. or
> > > what's so special about the needed toolchain?
> >
> > you need only a new binutils (ld) and you can find the patch on the
> > PaX homepage. gentoo already includes it by default, [...]
> Ah, ok. That explains my confusion. It did work with my current toolchain
> (using gentoo) but I did not need to patch it...
>
> Thanks for mentioning it.
>
> BTW: I read through some docs and decided to add the following flags. Are
> they OK for the toolchain mentioned above together with PAX/GRsecurity or
> too little/much (I mean do they interfere or are simply useless with the
> special patched toolchain)?
>
> CFLAGS="-O2 -march=i686 -pipe -fomit-frame-pointer -fstack-protector-all
> -fPIE -fPIC"

you should not use -fPIE -fPIC, use -fPIC for libs and -fPIE for execs
if a lib is built w/ -fPIE, you'll end up w/ text relocation
if you really want to add it to CFLAGS, use only -fPIC (it will though
produce some overhead on execs)

> LDFLAGS="-Wl,-z,now -Wk,-z,relro"

s/-Wk/-Wl/
ok to use

Peter
--
Peter S. Mazinger <ps dot m at gmx dot net> ID: 0xA5F059F2
Key fingerprint = 92A4 31E1 56BC 3D5A 2D08 BB6E C389 975E A5F0 59F2
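
The flags discussed in this message leave markers in the resulting ELF file: `-z relro` adds a PT_GNU_RELRO segment, `-z now` sets a bind-now flag in the dynamic section, and a library that ended up with text relocations carries TEXTREL. The following is an added example, not part of the original mail, that reads those markers from an ELF image; the names `audit_elf` and `make_sample` are hypothetical, and the sample images are constructed.

```python
import struct

ET_DYN, PT_DYNAMIC, PT_GNU_RELRO = 3, 2, 0x6474E552
DT_NULL, DT_TEXTREL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 22, 24, 30, 0x6FFFFFFB
DF_TEXTREL, DF_BIND_NOW, DF_1_NOW = 0x4, 0x8, 0x1
# Per ELF class: word format and offsets of e_phoff, e_phentsize, p_offset, p_filesz
LAYOUT = {1: ("<I", 28, 42, 4, 16), 2: ("<Q", 32, 54, 8, 32)}

def audit_elf(data):
    """Return the hardening facts recorded in a little-endian ELF image (bytes)."""
    if data[:4] != b"\x7fELF" or data[5] != 1 or data[4] not in LAYOUT:
        raise ValueError("not a little-endian ELF32/ELF64 image")
    word, o_phoff, o_phent, o_poff, o_fsz = LAYOUT[data[4]]
    rd = lambda fmt, off: struct.unpack_from(fmt, data, off)[0]
    facts = {"pic_image": rd("<H", 16) == ET_DYN,  # shared lib or PIE executable
             "relro": False, "bind_now": False, "textrel": False}
    phoff, phent, phnum = rd(word, o_phoff), rd("<H", o_phent), rd("<H", o_phent + 2)
    for ph in (phoff + i * phent for i in range(phnum)):
        p_type = rd("<I", ph)
        if p_type == PT_GNU_RELRO:          # emitted by -Wl,-z,relro
            facts["relro"] = True
        elif p_type == PT_DYNAMIC:
            start, size, half = rd(word, ph + o_poff), rd(word, ph + o_fsz), struct.calcsize(word)
            for ent in range(start, start + size, 2 * half):
                tag, val = rd(word, ent), rd(word, ent + half)
                if tag == DT_NULL:
                    break
                # text relocations: DT_TEXTREL entry or DF_TEXTREL bit in DT_FLAGS
                facts["textrel"] |= tag == DT_TEXTREL or (tag == DT_FLAGS and bool(val & DF_TEXTREL))
                # -Wl,-z,now: DT_BIND_NOW, DF_BIND_NOW in DT_FLAGS, or DF_1_NOW in DT_FLAGS_1
                facts["bind_now"] |= (tag == DT_BIND_NOW
                                      or (tag == DT_FLAGS and bool(val & DF_BIND_NOW))
                                      or (tag == DT_FLAGS_1 and bool(val & DF_1_NOW)))
    return facts

def make_sample(e_type, dyn, relro):
    """Constructed demo input: ELF32 header, program headers and dynamic section only."""
    n = 2 if relro else 1
    blob = b"".join(struct.pack("<II", t, v) for t, v in dyn + [(DT_NULL, 0)])
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", b"\x7fELF\x01\x01\x01", e_type,
                       3, 1, 0, 52, 0, 0, 52, 32, n, 0, 0, 0)
    ph = struct.pack("<8I", PT_DYNAMIC, 52 + 32 * n, 0, 0, len(blob), len(blob), 6, 4)
    if relro:
        ph += struct.pack("<8I", PT_GNU_RELRO, 0, 0, 0, 0, 0, 4, 1)
    return ehdr + ph + blob

if __name__ == "__main__":
    print(audit_elf(make_sample(ET_DYN, [(DT_TEXTREL, 0)], relro=False)))
    print(audit_elf(make_sample(ET_DYN, [(DT_FLAGS, DF_BIND_NOW)], relro=True)))
```

To check a real file, pass `open(path, "rb").read()` to `audit_elf`; a library reporting `textrel: True` is the case described above.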