
do I need to re-compile ALL apps?

Posted: Wed Oct 11, 2006 7:41 am
by newbie123
Hi,

If I understood it correctly, I have to re-compile all the apps on my Linux box after patching my kernel with stack smashing protection and random address layout.

As I read, it seems that I need to replace my binutils with the patched version and I need a gcc patch (the pro-police add-on?) -- is this correct too?

Posted: Wed Oct 11, 2006 8:47 am
by Thrawn
Yes, you have to recompile all packages with an ssp/pie patched gcc. Also, binutils must be patched for pax flags.

I would suggest not doing it yourself but using a distro that does it by default, e.g. Hardened Gentoo, Adamantix or hlfs.

Re: do I need to re-compile ALL apps?

Posted: Wed Oct 11, 2006 6:18 pm
by PaX Team
newbie123 wrote:
> if I understood it correctly, I have to re-compile all my apps of my linux box after patching my kernel with stack smashing protection and random address layout.
>
> As I read, It seems that I need to replace my binutils with the patched version and I need a gcc-patch (the pro-police add-on?) -- is this correct too?
for ssp (propolice) and PIE (randomizable main executable) you have to recompile, for PT_PAX_FLAGS you don't, the latest paxctl can add it to a binary directly (-C switch, that you should use after -c fails). ssp needs a gcc patch, PIE is supported by vanilla gcc these days (since 3.3+ or so), you no longer need the old trickery. as suggested above, you're probably better off by not rolling your own distro but use an existing one that provides all these features.
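
The distinction drawn in the last reply (PIE needs a recompile, PT_PAX_FLAGS can be added to an existing binary) can be checked per binary from the ELF headers alone. The following is an added example, not code from any poster in this thread: `audit_elf` and `make_sample` are hypothetical names, the sample ELF images are constructed, and the `-c`/`-C` hint assumes paxctl's documented behaviour that `-c` converts an existing PT_GNU_STACK header. ssp is not detected here.

```python
import struct

ET_EXEC, ET_DYN = 2, 3
PT_LOAD, PT_GNU_STACK = 1, 0x6474E551
PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, the header paxctl manages

def audit_elf(data):
    """Hypothetical helper: report PIE status and PT_PAX_FLAGS presence."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = data[4] == 2                    # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little endian
    e_type, = struct.unpack_from(end + "H", data, 16)
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff, = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    # p_type is the first 32-bit field of a program header in both classes
    p_types = [struct.unpack_from(end + "I", data, e_phoff + i * e_phentsize)[0]
               for i in range(e_phnum)]
    has_pax = PT_PAX_FLAGS in p_types
    if has_pax:
        paxctl = "none"
    elif PT_GNU_STACK in p_types:
        paxctl = "-c"   # an existing PT_GNU_STACK header can be converted
    else:
        paxctl = "-C"   # nothing to convert, a new header must be created
    return {"pie": e_type == ET_DYN,       # ET_DYN also matches shared libraries
            "needs_recompile_for_pie": e_type == ET_EXEC,
            "pt_pax_flags": has_pax,
            "paxctl_switch": paxctl}

def make_sample(e_type, p_types):
    """Constructed header-only 64-bit little-endian ELF, for demonstration."""
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    hdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                              64, 56, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)

if __name__ == "__main__":
    for name, sample in [
        ("old non-PIE build", make_sample(ET_EXEC, [PT_LOAD])),
        ("PIE, unmarked", make_sample(ET_DYN, [PT_LOAD, PT_GNU_STACK])),
        ("PIE, marked", make_sample(ET_DYN, [PT_LOAD, PT_PAX_FLAGS])),
    ]:
        print(name, audit_elf(sample))
```

To audit a real file, pass `open(path, "rb").read()` to `audit_elf`.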