author    klondike <klondike@xiscosoft.es>  2010-11-12 18:21:29 +0100
committer klondike <klondike@xiscosoft.es>  2010-11-12 18:21:29 +0100
commit    bd5c0a3294759d9c84850d2c25a08f59844853ef (patch)
tree      bfde60af0586905dd12371befa8a3cc497585bd6 /xml/hardenedfaq.xml
parent    Adding notes on commands architecture dependent, also referring to the handboo... (diff)
download  hardened-docs-bd5c0a3294759d9c84850d2c25a08f59844853ef.tar.gz
          hardened-docs-bd5c0a3294759d9c84850d2c25a08f59844853ef.tar.bz2
          hardened-docs-bd5c0a3294759d9c84850d2c25a08f59844853ef.zip
Reorganizing things to make it easier to track
Diffstat (limited to 'xml/hardenedfaq.xml')
-rw-r--r--  xml/hardenedfaq.xml  520
1 files changed, 520 insertions, 0 deletions
diff --git a/xml/hardenedfaq.xml b/xml/hardenedfaq.xml
new file mode 100644
index 0000000..d68f7ce
--- /dev/null
+++ b/xml/hardenedfaq.xml
@@ -0,0 +1,520 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
+<!-- $Header$ -->
+
+<guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
+<title>Gentoo Hardened Frequently Asked Questions</title>
+<author title="Author">
+ <mail link="tocharian@gentoo.org">Adam Mondl</mail>
+</author>
+<author title="Contributor">
+ <mail link="solar@gentoo.org">solar</mail>
+</author>
+<author title="Contributor">
+ <mail link="kang@gentoo.org">Guillaume Destuynder</mail>
+</author>
+<author title="Contributor">
+ <mail link="pageexec@freemail.hu">The PaX Team</mail>
+</author>
+<author title="Contributor">
+ <mail link="klondike@xiscosoft.es">klondike</mail>
+</author>
+<author title="Contributor">
+ <mail link="zorry@gentoo.org">Magnus Granberg</mail>
+</author>
+<author title="Contributor">
+ <mail link="blueness@gentoo.org">Anthony G. Basile</mail>
+</author>
+
+<abstract>
+Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
+the gentoo-hardened mailing list.
+</abstract>
+
+<version>1.11</version>
+<date>2010-11-12</date>
+
+<faqindex>
+<title>Questions</title>
+<section>
+<title>Introduction</title>
+<body>
+
+<p>
+The following is a collection of questions collected from #gentoo-hardened IRC
+channel and the gentoo-hardened mailing list. As such, is geared towards
+answering fastly and concisely
+rather than providing a whole insight on the technologies behind Gentoo
+Hardened. It is advisable reading the rest of the documentation on the Gentoo
+Hardened Project page and that on
+the projects' home pages in order to get a better insight.
+</p>
+
+</body>
+</section>
+</faqindex>
+
+<chapter>
+<title>General Questions</title>
+<section id="toolchain">
+<title>What exactly is the "toolchain"?</title>
+<body>
+
+<p>
+The term "toolchain" refers to the combination of software packages commonly
+used to build and develop for a particular architecture. The toolchain you may
+hear referred to in the gentoo-hardened IRC channel consists of the GNU Compiler
+Collection (GCC), binutils, and the GNU C library (glibc).
+</p>
+
+</body>
+</section>
+
+<section id="whichisbetter">
+<title>What should I use: Grsecurity or SELinux?</title>
+<body>
+
+<p>
+The answer to this question is highly subjective, and very dependent on your
+requisites so the hardened Gentoo project
+simply tries to lay out each technology and leave the choice up to the user.
+This decision requires a lot of research that we have hopefully provided clearly
+in the hardened documentation. However, if you have any specific questions
+about the security model that each provides, feel free to question the relevant
+developer in our IRC channel or on the mailing list.
+</p>
+
+</body>
+</section>
+
+<section id="aclall">
+<title>Is it possible to use Grsecurity, SELinux and PaX all at the same
+time?</title>
+<body>
+
+<p>
+Yes, this combination is quite possible as PaX works with Grsecurity's RBAC and
+SELinux. The only conflict that arises is you can only use one access control
+system.
+</p>
+
+</body>
+</section>
+
+<section id="hardenedcflags">
+<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
+hardened building?</title>
+<body>
+
+<p>
+No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE
+-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c>
+automatically through GCC's built-in spec and using the specfiles to disable
+them which is a more proper solution. For older hardened-gcc users switch to the
+hardened profile and then upgrade with the following commands:
+</p>
+
+<pre caption="Hardened Toolchain Installation">
+# <i>emerge --oneshot binutils gcc virtual/libc</i>
+# <i>emerge -e system</i>
+# <i>emerge -e world</i>
+</pre>
+
+<note>
+Gentoo patches its GCCs to allow specfiles to be passed through an environment
+variable. Currently several sets of specfiles are installed on Gentoo systems
+that allow users on supported architectures to easily switch the functionality
+off and on of the toolchain. To access the specs as the end user you can use the
+<c>gcc-config</c> utility.
+</note>
+
+</body>
+</section>
+
+<section id="hardenedcflagsoff">
+<title>How do I turn off hardened building?</title>
+<body>
+
+<p>
+You can use <c>gcc-config</c> to accomplish this:
+</p>
+<pre caption="Example gcc-config output">
+# gcc-config -l
+ [1] x86_64-pc-linux-gnu-4.4.4 *
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla
+
+<comment>To turn off PIE building switch to the hardenednopie profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie
+<comment>To turn off SSP building switch to the hardenednossp profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp
+<comment>To turn off SSP and PIE building switch to the hardenednopiessp profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
+<comment>To turn off all hardened building switch to the vanilla profile:</comment>
+# gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla
+</pre>
+
+<note>
+The previous output will vary according to the gcc version and architecture you
+use, also the commands required to disable things will vary depending on the
+output of the first command.
+</note>
+
+<p>
+Alternatively you can achieve the same by changing your CFLAGS:
+</p>
+
+<p>
+To turn off default SSP building when using the hardened toolchain, append
+<c>-fno-stack-protector</c> to your CFLAGS.
+</p>
+<note>
+On gcc 3.4 releases you need to use <c>-fno-stack-protector-all
+-fno-stack-protector</c>
+</note>
+
+<p>
+If you want to turn off default PIE building then append <c>-nopie</c> to your
+<c>CFLAGS</c>.
+</p>
+
+<impo>
+The flag <c>-fno-pic</c> should not be used as it will specifically enable
+non-PIC code. Using <c>-nopie</c> instead will revert back to vanilla GCC
+behavior which should be the intended result.
+</impo>
+
+<p>
+If you want to turn off default now binding append <c>-z,lazy</c> to your
+<c>LDFLAGS</c>.
+</p>
+
+<p>
+If you want to turn off default relro binding append <c>-z,norelro</c> to your
+<c>LDFLAGS</c>.
+</p>
+
+<note>
+Relro is default on binutils so be sure that you want to disable it before doing
+so.
+</note>
+
+<note>
+If you are interested in using per-package CFLAGS with Portage currently then
+you may be interested in reading about the script solar has developed to deal
+with this: <uri>http://article.gmane.org/gmane.linux.gentoo.hardened/1204</uri>
+</note>
+
+</body>
+</section>
+
+<section id="hardenedproject">
+<title>I just found out about the hardened project; do I have to install
+everything on the project page in order to install Hardened Gentoo?</title>
+<body>
+
+<p>
+No, the Hardened Gentoo Project is a collection of subprojects that all have
+common security minded goals. While many of these projects can be installed
+alongside one another, some conflict as well such as several of the ACL
+implementations that Hardened Gentoo offers.
+</p>
+
+</body>
+</section>
+
+<section id="Othreessp">
+<title>Why don't my programs work when I use CFLAGS="-O3" and hardened
+gcc?</title>
+<body>
+
+<p>
+Using the gcc optimization flag <c>-O3</c> has been known to be problematic with
+stack-smashing protector (SSP) and on vanilla builds in some situations. This
+optimization flag is not officially supported and is, therefore, discouraged by
+the hardened team. Compile issues where a user uses <c>CFLAGS="-O3"</c> may be
+closed as INVALID/CANTFIX and/or ignored.
+</p>
+
+</body>
+</section>
+
+<section id="hardenedprofile">
+<title>How do I switch to the hardened profile?</title>
+<body>
+<p>
+To change your profile use eselect to choose it.
+</p>
+
+<note>
+Reading part 1 chapter 6 "Installing the Gentoo BaseSystem" on the
+<uri link="/doc/en/handbook/">Gentoo Handbook</uri> is recommended for better
+instructions on how to change your profile.
+</note>
+
+<pre caption="Set make.profile">
+# <i>eselect profile list</i>
+[1] default/linux/amd64/10.0
+[2] default/linux/amd64/10.0/desktop
+[3] default/linux/amd64/10.0/desktop/gnome *
+[4] default/linux/amd64/10.0/desktop/kde
+[5] default/linux/amd64/10.0/developer
+[6] default/linux/amd64/10.0/no-multilib
+[7] default/linux/amd64/10.0/server
+[8] hardened/linux/amd64/10.0
+[9] hardened/linux/amd64/10.0/no-multilib
+[10] selinux/2007.0/amd64
+[11] selinux/2007.0/amd64/hardened
+[12] selinux/v2refpolicy/amd64
+[13] selinux/v2refpolicy/amd64/desktop
+[14] selinux/v2refpolicy/amd64/developer
+[15] selinux/v2refpolicy/amd64/hardened
+[16] selinux/v2refpolicy/amd64/server
+# <i>eselect profile set 8</i> <comment>(replace 8 with the desired hardened profile)</comment>
+</pre>
+
+<note>
+The previous output will vary according to the architecture you use, also the
+commands required to choose the profile will vary depending on the output of the
+first command.
+</note>
+
+<p>
+After setting up your profile, you should recompile your system using a hardened
+oolchain so that you have a consistent base:
+</p>
+
+<pre caption="Switch to hardened toolchain">
+# <i>emerge --oneshot binutils gcc virtual/libc</i>
+# <i>emerge -e system</i>
+# <i>emerge -e world</i>
+</pre>
+
+</body>
+</section>
+
+<section id="hardeneddebug">
+<title>How do I debug with gdb?</title>
+<body>
+<p>
+First gotcha is that GDB can't resolve symbols in PIEs; it doesn't realise that
+the addresses are relative in PIEs not absolute. This shows up when you try to
+get a backtrace for example, and see a stream of lines with <e>'??'</e> where
+the symbol should be.
+</p>
+<p>
+To get around this, do the final link stage with <c>-nopie</c> - all the
+preceding object compilations can still be with <c>-fPIE</c> as normal (i.e. the
+default with the hardened compiler) so that your executable is as close as
+possible to the real thing, but the final link must create a regular executable.
+Try adding <c>-nopie</c> to LDFLAGS if you're building with emerge.
+</p>
+<p>
+Another way of accomplishing this, it to emerge <c>>=sys-devel/gdb-7.1</c>,
+which contains a special patch that makes it able to debug executables linked
+with <c>-pie</c>.
+</p>
+<p>
+The second gotcha is that PaX may prevent GDB from setting breakpoints,
+depending on how the kernel is configured. This includes the breakpoint at main
+which you need to get started. To stop PaX doing this, the executable being
+debugged needs the <c>m</c> and <c>x</c> flags. The <c>x</c> flag is set by
+default, so it is enough to do:
+</p>
+<pre caption="Relax PaX for debug">
+# <i>/sbin/paxctl -m foo</i>
+</pre>
+<p>
+At this point, you should be good to go! Fire up gdb in the usual way. Good
+luck!
+</p>
+</body>
+</section>
+
+</chapter>
+
+<chapter>
+<title>PaX Questions</title>
+<section id="paxinformation">
+<title>What is the homepage for PaX?</title>
+<body>
+
+<p>
+The homepage for PaX is located at <uri>http://pax.grsecurity.net</uri>.
+</p>
+
+</body>
+</section>
+
+<section id="paxgentoodoc">
+<title>What Gentoo documentation exists about PaX?</title>
+<body>
+
+<p>
+Currently the only Gentoo documentation that exists about PaX is a PaX
+quickstart guide located at the
+<uri>http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml</uri> website.
+</p>
+
+</body>
+</section>
+
+<section id="paxnoelf">
+<title>I keep getting the message: "error while loading shared libraries: cannot
+make segment writable for relocation: Permission denied." What does this
+mean?</title>
+<body>
+
+<p>
+This error occurs when you enable CONFIG_PAX_NOELFRELOCS as such:
+</p>
+
+<pre caption="Menuconfig Options">
+Non-executable page ---&gt;
+ [*] Restrict mprotect()
+ [*] Disallow ELF text relocations
+</pre>
+
+<p>
+If you are using the gentoo hardened toolchain, typically compiling your
+programs will create PIC ELF libraries that do not contain text relocations.
+However, certain libraries still contain text relocations for various reasons
+(often ones that contain assembly that is handled incorrectly). This can be a
+security vulnerability as an attacker can use non-PIC libraries to execute his
+shellcode. Non-PIC libraries are also bad for memory consumption as they defeat
+the code sharing purpose of shared libraries.
+</p>
+
+<p>
+To disable this error and allow your program to run, you must sacrifice security
+and allow runtime code generation for that program. The PaX feature that allows
+you to do that is called MPROTECT. You must disable MPROTECT on whatever
+executable is using the non-PIC library.
+</p>
+
+<p>
+To check your system for textrels, you can use the program <c>scanelf</c> from
+<c>app-misc/pax-utils</c>. For information on how to use the <c>pax-utils</c>
+package please consult the <uri link="/proj/en/hardened/pax-utils.xml">Gentoo
+PaX Utilities Guide</uri>.
+</p>
+
+<note>
+Recent versions of <c>sys-apps/portage</c>(>=2.0.53) scan for text relocations
+and print a warning or even abort the merge process, depending on the
+<c>FEATURES</c> you have set in your <path>/etc/make.conf</path>.
+</note>
+
+</body>
+</section>
+
+<section id="paxjava">
+<title>Ever since I started using PaX I can't get Java working, why?</title>
+<body>
+
+<p>
+As part of its design, the Java virtual machine creates a considerable amount of
+code at runtime which does not make PaX happy. Although with current versions of
+java and portage portage will mark the binaries automatically.
+If it doesn't, there are two ways to correct this problem:
+</p>
+
+<pre caption="Enable the marking on your kernel">
+PaX Control ---&gt;
+ [*] Use ELF program header marking
+</pre>
+
+<pre caption="Install paxctl">
+# <i>emerge paxctl</i>
+</pre>
+
+<p>
+When you already have <c>paxctl</c> emerged you can do:
+</p>
+
+<pre caption="Java paxctl Options">
+# <i>paxctl -pemrxs /opt/*-jdk-*/{jre,}/bin/*</i>
+</pre>
+
+<p>
+This option will slightly modify the ELF eheader in order to correctly
+set the PAX flags on the binaries.
+</p>
+
+<note>
+If you are running PaX in conjunction with an additional security implementation
+such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel
+hooks provided for each implementation.
+</note>
+
+<p>
+The other way is using your security implementation to do this using the kernel
+hooks.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>Grsecurity Questions</title>
+<section id="grsecinformation">
+<title>What is the homepage for Grsecurity?</title>
+<body>
+
+<p>
+The homepage for Grsecurity is located at <uri>http://www.grsecurity.net</uri>.
+</p>
+
+</body>
+</section>
+
+<section id="grsecgentoodoc">
+<title>What Gentoo documentation exists about Grsecurity?</title>
+<body>
+
+<p>
+The most current documentation for Grsecurity is a Grsecurity2 quickstart guide
+located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>.
+</p>
+
+</body>
+</section>
+
+<section id="grsecnew">
+<title>Can I use Grsecurity with a recent kernel not on the tree?</title>
+<body>
+
+<p>
+Usually we release a new version of hardened sources not long after a new
+PaX/Grsecurity patch isreleased, so the best option is just waiting a bit for
+the kernel team to adapt the patches and then test them. Anyway if you are very
+impatient, you can download the patches from
+<uri>http://grsecurity.net/download.php</uri> and try to patch the sources
+yourself. Keep in mind, though, that we won't support kernel sources out of the
+tree.
+</p>
+
+</body>
+</section>
+</chapter>
+
+<chapter>
+<title>SELinux Questions</title>
+<section id="selinuxfaq">
+<title>Where can I find SELinux related frequently asked questions?</title>
+<body>
+
+<p>
+A SELinux specific FAQ can be found at <uri>
+http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;
+chap=3</uri>.
+</p>
+
+</body>
+</section>
+</chapter>
+
+</guide>
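Review bot: The LDFLAGS advice in the "How do I turn off hardened building?" section is inconsistent with the form the same section uses a few paragraphs earlier: the toolchain defaults are given as `LDFLAGS="-Wl,-z,now -Wl,-z,relro"`, but the instructions to turn them off say to append `-z,lazy` and `-z,norelro`. Since LDFLAGS go through the gcc driver rather than straight to ld, those two lines should read `-Wl,-z,lazy` and `-Wl,-z,norelro` so a reader copying them gets working flags. In the SELinux section the `<uri>` element wraps its URL across three lines with leading whitespace, which ends up inside the link target; keep the URL on one line. Several typos should also be fixed before this lands: "oolchain" (toolchain) in the profile section, "it to emerge" (is to emerge) and "ELF eheader" (ELF header) in the gdb and Java sections, "isreleased" in the Grsecurity section, the doubled "portage portage" in the Java section, and "answering fastly" / "As such, is geared" in the introduction.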