blob: 1ee7c897f3c6361059f7e29def5d8597c2bb4252 (
plain) (
tree)
|
|
<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6.3. Toolchain</title>
</head>
<body>
<a href="index.html">GNU/Linux Index</a>
<h1 id="toolchain">2.6.3. Toolchain</h1>
<p>Add flags to pkgmk configuration and change specific ports that
don't build with hardening flags. More information about
<a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>,
gentoo security,
<a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation-options
and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a>
configuring and compiling. Edit /etc/pkgmk.conf;</p>
<pre>
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro"
</pre>
<p>Above should compile most of the packages, for more
"restrict" and other flags combinations check <a href="conf/pkgmk.conf.harden">pkgmk.conf.handen</a>.</p>
<h3>Core</h3>
<p>Ports in core collection that need to be changed in order
to build with pkgmk harden configuration.</p>
<h4>Glibc</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<pre>
../$name-${version:0:4}/configure --prefix=/usr \
--libexecdir=/usr/lib \
--with-headers=$PKG/usr/include \
--enable-kernel=3.12 \
--enable-add-ons \
--enable-static-nss \
--disable-profile \
--disable-werror \
--without-gd \
--enable-obsolete-rpc \
--enable-multi-arch \
--enable-stackguard-randomization \
--enable-stack-protector=strong
</pre>
<h4>Gcc</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<h4>Openssl</h4>
<p>Replace openssl by libressl, view if
<a href="https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/libressl/Pkgfile">libressl port</a> from 6c37-dropin is updated with
latest <a href="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog">libressl upstream</a>. First install libressl
to ensure it gets all the sources;
<pre>
$ sudo prt-get depinst libressl
</pre>
<p>After complaining about openssl files remove openssl;
<pre>
$ sudo prt-get remove openssl
$ sudo prt-get depinst libressl
</pre>
<h4>libcap</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li>
</ul>
<h4>bzip2</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li>
</ul>
<h4>hdparm</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li>
</ul>
<h3>Opt</h3>
<h4>lsof</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li>
</ul>
<h4>python</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li>
</ul>
<h4>zip</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li>
</ul>
<h4>glew</h4>
<ul>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li>
</ul>
<h4>dmenu</h4>
<ul>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li>
</ul>
<h4>Boost</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<h3>Contrib</h3>
<h4>gsl</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li>
</ul>
<a href="index.html">GNU/Linux Index</a>
<p>This is part of the LeetIO System Documentation.
Copyright (C) 2021
LeetIO Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>
|