From owner-freebsd-security@FreeBSD.ORG Sun Dec 30 13:34:11 2007
From: Jeremie Le Hen
To: Dag-Erling Smørgrav
Cc: Gunther Mayer, freebsd-security@freebsd.org
Subject: Re: ProPolice/SSP in 7.0
Date: Sun, 30 Dec 2007 14:31:07 +0100
Message-ID: <20071230133107.GE10467@obiwan.tataz.chchile.org>
In-Reply-To: <86myrvhht9.fsf@ds4.des.no>
References: <477277FF.30504@googlemail.com> <86myrvhht9.fsf@ds4.des.no>
List-Id: "Security issues [members-only posting]"

Hi,

On Thu, Dec 27, 2007 at 11:52:02PM +0100, Dag-Erling Smørgrav wrote:
> Gunther Mayer writes:
> > I've known about ProPolice/SSP for a while now (from the Gentoo world)
> > and am aware that FreeBSD 7.0 doesn't yet support it though I know of
> > Jeremy Le Hen's patches (http://tataz.chchile.org/~tataz/FreeBSD/SSP/).
>
> Wrong. FreeBSD 7 has had SSP support since May; the patch you mention
> just turns it on by default. You can probably achieve the same effect
> by adding -fstack-protector to CFLAGS and COPTFLAGS in make.conf.

This is mostly true. Given that stack protection requires extra symbols
from either libc or GNU libssp, it is disabled for sys/boot/ stuff and
could also be disabled for /rescue. In order to compile the kernel with
SSP, it must contain the required symbols as well (the canary and the
stack smash handler).

Regards,
-- 
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
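The "required symbols" the reply refers to are the two things code compiled with -fstack-protector expects its runtime to provide: a canary value and a stack-smash handler, which GCC references as __stack_chk_guard and __stack_chk_fail. Userland gets them from libc (or GNU libssp); sys/boot/ and a kernel built with SSP have no libc and must carry their own. The following is an added example, not code from the thread or from the FreeBSD tree: it defines stand-ins for both symbols (renamed ssp_guard and ssp_fail so the example links against any host libc without clashing), and spells out by hand the prologue/epilogue an instrumented function gets, with an overlong copy that clobbers the canary. The names ssp_init_guard, ssp_fail, ssp_frame, copy_into_frame and ssp_demo are hypothetical, the entropy value is a constructed constant rather than a random source, and the handler unwinds with longjmp so the check can be observed, where a real handler would log and call abort() or panic().

```c
#include <setjmp.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Stand-ins for the two runtime symbols -fstack-protector needs:
 *   ssp_guard  <->  __stack_chk_guard   (the canary)
 *   ssp_fail   <->  __stack_chk_fail    (the stack smash handler)
 * Hypothetical names; a freestanding target (boot code, kernel) has to
 * define the real ones itself because there is no libc/libssp to link.
 */
static uintptr_t ssp_guard;       /* canary, 0 until initialised */
static jmp_buf   ssp_fail_env;    /* lets the handler be observed instead of aborting */
static int       ssp_fail_count;

/* Derive the canary from an entropy word (a real runtime reads the
 * kernel's random source).  The low byte is cleared so a string copy
 * cannot reproduce the canary: the copy stops at that NUL, or writes a
 * non-NUL byte there and is caught. */
uintptr_t ssp_init_guard(uint64_t entropy)
{
    ssp_guard = (uintptr_t)entropy & ~(uintptr_t)0xff;
    if (ssp_guard == 0)                       /* never run with an all-zero canary */
        ssp_guard = (uintptr_t)0xa5a5a500u;   /* fixed fallback, hypothetical */
    return ssp_guard;
}

/* Stand-in for __stack_chk_fail: record the event and unwind to the
 * caller's setjmp.  A production handler logs and calls abort()/panic(). */
_Noreturn void ssp_fail(void)
{
    ssp_fail_count++;
    longjmp(ssp_fail_env, 1);
}

/* A frame laid out as the compiler would lay it out: the buffer, then the
 * canary between it and the saved frame pointer / return address. */
struct ssp_frame {
    unsigned char buf[16];
    uintptr_t     canary;
};

/* What an instrumented function does, written out by hand. */
static void copy_into_frame(const unsigned char *src, size_t n)
{
    struct ssp_frame f;

    f.canary = ssp_guard;            /* prologue: store the canary */
    if (n > sizeof f)                /* keep the write inside the struct; */
        n = sizeof f;                /* anything past buf[16] clobbers the canary */
    memcpy(&f, src, n);              /* body: the unchecked copy */
    if (f.canary != ssp_guard)       /* epilogue: compare before returning */
        ssp_fail();
}

/* Copy n bytes of constructed input ('A's) into the frame.
 * Returns 1 if the canary check fired, 0 if the copy stayed in bounds. */
int ssp_demo(size_t n)
{
    unsigned char src[sizeof(struct ssp_frame)];

    if (ssp_guard == 0)
        ssp_init_guard(0x243f6a8885a308d3ULL);   /* constructed entropy, not random */
    memset(src, 'A', sizeof src);
    if (setjmp(ssp_fail_env) != 0)
        return 1;                    /* ssp_fail() unwound to here */
    copy_into_frame(src, n);
    return 0;
}

/* Number of times the handler has fired. */
int ssp_failures(void)
{
    return ssp_fail_count;
}

int main(void)
{
    printf("guard=%#lx\n", (unsigned long)ssp_init_guard(0x243f6a8885a308d3ULL));
    printf("copy 16 bytes: %s\n", ssp_demo(16) ? "smash detected" : "ok");
    printf("copy 17 bytes: %s\n", ssp_demo(17) ? "smash detected" : "ok");
    return 0;
}
```

Copying exactly 16 bytes fills the buffer and passes; 17 bytes changes one byte of the canary and the epilogue check fires before the function can return into a corrupted frame. This is also why the reply's note about /rescue matters: a statically linked binary built with -fstack-protector still needs those two symbols resolved at link time.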