<!DOCTYPE html>
<html dir="ltr" lang="en">
<head>
<meta charset='utf-8'>
<title>2.6.3. Toolchain</title>
</head>
<body>
<a href="index.html">Core OS Index</a>
<h1 id="toolchain">2.6.3. Toolchain</h1>
<p>Add hardening flags to the pkgmk configuration and change the specific ports that
don't build with them. More information is available from
<a href="https://wiki.archlinux.org/index.php/DeveloperWiki:Security">arch security</a>,
gentoo security,
<a href="http://gcc.gnu.org/onlinedocs/gcc/Instrumentation-Options.html#Instrumentation-Options">gcc</a> instrumentation options
and <a href="http://www.gnu.org/software/libc/manual/html_node/Configuring-and-compiling.html">glibc</a>
configuring and compiling. Edit /etc/pkgmk.conf:</p>
<pre>
export CPPFLAGS="-D_FORTIFY_SOURCE=2"
export CFLAGS="-O2 -march=native -mtune=native -fstack-protector-strong --param=ssp-buffer-size=4"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS="-z relro"
</pre>
<p>The flags above should compile most of the packages; for more
restrictive settings and other flag combinations check <a href="conf/pkgmk.conf.harden">pkgmk.conf.harden</a>.</p>
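<p>To confirm that a port built with this configuration actually carries the protections, the script below classifies <code>readelf</code> output for RELRO, stack-protector and _FORTIFY_SOURCE markers. It is an added example, not part of the Tribu documentation; the function names and the sample <code>readelf</code> lines are constructed for illustration, and <code>audit_elf</code> assumes binutils <code>readelf</code> is installed.</p>

```shell
#!/bin/sh

# stdin: `readelf -W -l -d FILE`. "-z relro" alone yields "partial";
# "full" also needs immediate binding (the linker's "-z now").
relro_state() {
    awk '/GNU_RELRO/ { relro = 1 }
         /BIND_NOW/ || (/FLAGS_1/ && /NOW/) { now = 1 }
         END { print (relro ? (now ? "full" : "partial") : "none") }'
}

# stdin: `readelf -W --dyn-syms FILE`. "no" can also mean that no function
# in the binary needed a canary, so treat it as "look closer", not as proof.
canary_state() {
    if grep -q '__stack_chk_fail'; then echo yes; else echo no; fi
}

# stdin: same symbol table. Counts distinct _FORTIFY_SOURCE wrappers
# (__memcpy_chk, __printf_chk, ...) imported by the binary.
fortified_count() {
    awk '{ sym = $8; sub(/@.*/, "", sym)
           if (sym ~ /^__[a-z0-9_]+_chk$/) seen[sym] = 1 }
         END { n = 0; for (s in seen) n++; print n }'
}

# Run all three checks on a real ELF file (needs binutils readelf).
audit_elf() {
    printf '%s: relro=%s canary=%s fortified=%s\n' "$1" \
        "$(readelf -W -l -d "$1" | relro_state)" \
        "$(readelf -W --dyn-syms "$1" | canary_state)" \
        "$(readelf -W --dyn-syms "$1" | fortified_count)"
}

# Constructed sample readelf output, so the script also runs without a binary.
SAMPLE_PHDR='  GNU_STACK      0x000000 0x0000000000000000 0x0000000000000000 0x000000 0x000000 RW  0x10
  GNU_RELRO      0x002de8 0x0000000000003de8 0x0000000000003de8 0x000218 0x000218 R   0x1
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]'
SAMPLE_SYMS='     1: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __stack_chk_fail@GLIBC_2.4 (2)
     2: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __memcpy_chk@GLIBC_2.3.4 (3)
     3: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND __printf_chk@GLIBC_2.3.4 (3)
     4: 0000000000000000     0 FUNC    GLOBAL DEFAULT  UND puts@GLIBC_2.2.5 (4)'

if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_elf "$f"; done
else
    printf 'sample: relro=%s canary=%s fortified=%s\n' \
        "$(printf '%s\n' "$SAMPLE_PHDR" | relro_state)" \
        "$(printf '%s\n' "$SAMPLE_SYMS" | canary_state)" \
        "$(printf '%s\n' "$SAMPLE_SYMS" | fortified_count)"
fi
```

<p>With only <code>-z relro</code> in LDFLAGS, as configured above, the expected RELRO result for a rebuilt port is "partial".</p>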
<h3>Core</h3>
<p>Ports in the core collection that need to be changed in order
to build with the hardened pkgmk configuration.</p>
<h4>Glibc</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/glibc.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glibc">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<pre>
../$name-${version:0:4}/configure --prefix=/usr \
--libexecdir=/usr/lib \
--with-headers=$PKG/usr/include \
--enable-kernel=3.12 \
--enable-add-ons \
--enable-static-nss \
--disable-profile \
--disable-werror \
--without-gd \
--enable-obsolete-rpc \
--enable-multi-arch \
--enable-stackguard-randomization \
--enable-stack-protector=strong
</pre>
<h4>Gcc</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/gcc.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gcc">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<h4>Openssl</h4>
<p>Replace openssl with libressl. Check whether the
<a href="https://raw.githubusercontent.com/6c37/crux-ports-dropin/3.3/libressl/Pkgfile">libressl port</a> from 6c37-dropin is up to date with the
latest <a href="https://raw.githubusercontent.com/libressl-portable/portable/master/ChangeLog">libressl upstream</a>. First install libressl
to ensure it gets all the sources:</p>
<pre>
$ sudo prt-get depinst libressl
</pre>
<p>After it complains about openssl files, remove openssl and install libressl again:</p>
<pre>
$ sudo prt-get remove openssl
$ sudo prt-get depinst libressl
</pre>
<h4>libcap</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/libcap.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/libcap">arch</a></li>
</ul>
<h4>bzip2</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/lfs/view/development/chapter06/bzip2.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/bzip2">arch</a></li>
</ul>
<h4>hdparm</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/hdparm.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/hdparm">arch</a></li>
</ul>
<h3>Opt</h3>
<h4>lsof</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/lsof.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/lsof">arch</a></li>
</ul>
<h4>python</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/python2.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/python2">arch</a></li>
</ul>
<h4>zip</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/zip.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/zip">arch</a></li>
</ul>
<h4>glew</h4>
<ul>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/glew">arch</a></li>
</ul>
<h4>dmenu</h4>
<ul>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/dmenu">arch</a></li>
</ul>
<h4>Boost</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/boost.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/boost">arch</a></li>
</ul>
<pre>
export CPPFLAGS=""
export CFLAGS="-O2 -march=native -mtune=native"
export CXXFLAGS="${CFLAGS}"
export LDFLAGS=""
</pre>
<h3>Contrib</h3>
<h4>gsl</h4>
<ul>
<li><a href="http://www.linuxfromscratch.org/blfs/view/svn/general/gsl.html">lfs</a></li>
<li><a href="https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/gsl">arch</a></li>
</ul>
<a href="index.html">Core OS Index</a>
<p>This is part of the Tribu System Documentation.
Copyright (C) 2020
Tribu Team.
See the file <a href="../fdl-1.3-standalone.html">Gnu Free Documentation License</a>
for copying conditions.</p>
</body>
</html>