Thursday, September 4, 2008

A Look At the Specs ...

(warning: GCC internals ahead. For ye who wishes to stay sane, stay away, stay very far away)

Part of the major changes hardy->intrepid was the inclusion of hardening configurations in GCC. This was originally handled via a script called hardening-wrapper, which used the alternatives system to replace GCC with a wrapper script that passed a variety of options (see the wiki for the full list) and was controllable via environment variables.

After intrepid, all of these options (aside from PIE) were moved into GCC itself via the spec mechanism. For those unaware, GCC (together with binutils) is essentially several smaller programs: the C preprocessor, cc1, the assembler, the linker, and so on. The specs string is essentially a rules system that controls the arguments passed to each of these mini programs. Let's take a more specific look at these strings. The GCC specs can be viewed with gcc -dumpspecs.

(Ubuntu GCC 4.3.1, Intrepid Alpha; for brevity's sake, here is just a small section, the cpp_unique_options spec, which is what the driver hands to the preprocessor)

%{C|CC:%{!E:%eGCC does not support -C or -CC without -E}} %{!Q:-quiet} %{nostdinc*} %{C} %{CC} %{v} %{I*&F*} %{P} %I %{MD:-MD %{!o:%b.d}%{o*:%.d%*}} %{MMD:-MMD %{!o:%b.d}%{o*:%.d%*}} %{M} %{MM} %{MF*} %{MG} %{MP} %{MQ*} %{MT*} %{!E:%{!M:%{!MM:%{!MT:%{!MQ:%{MD|MMD:%{o*:-MQ %*}}}}}}} %{remap} %{g3|ggdb3|gstabs3|gcoff3|gxcoff3|gvms3:-dD} %{H} %C %{D*&U*&A*} %{i*} %Z %i %{fmudflap:-D_MUDFLAP -include mf-runtime.h} %{fmudflapth:-D_MUDFLAP -D_MUDFLAPTH -include mf-runtime.h} %{!D_FORTIFY_SOURCE:%{!D_FORTIFY_SOURCE=*:%{!U_FORTIFY_SOURCE:-D_FORTIFY_SOURCE=2}}} %{E|M|MM:%W{o*}}

While this looks like a load of messy strings, it defines the command-line arguments GCC accepts and what it does with them. Each %{X:Y} emits Y if the switch -X was given, %{!X:Y} emits Y if it was not, a trailing * matches any switch starting with that prefix, and a bare %{X} re-emits the switch itself. The FORTIFY_SOURCE clause near the end, %{!D_FORTIFY_SOURCE:%{!D_FORTIFY_SOURCE=*:%{!U_FORTIFY_SOURCE:-D_FORTIFY_SOURCE=2}}}, was added in Ubuntu: it passes -D_FORTIFY_SOURCE=2 to the preprocessor unless the command line already contains -D_FORTIFY_SOURCE, -D_FORTIFY_SOURCE=<n> or -U_FORTIFY_SOURCE, so those switches serve as the off switch. You can confirm the default on an affected toolchain with echo | gcc -E -dM - | grep FORTIFY. Note that the define only does anything at -O1 or above, since glibc's fortified wrappers are compiled out without optimization, and that it only reaches builds that go through the gcc driver. Adding the PIE switch would be done in the same way under the cc1 section, which is where -fPIE is handled (a complete PIE default also needs -pie on the link line, which lives in the link spec). This way PIE is applied to every package, and -fno-PIE is added manually to any package that requires it to be disabled.
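To see the rules actually do something, here is a small evaluator for the %{...} syntax, written for this post as an added example rather than taken from GCC (the real logic is do_spec() in gcc.c). It runs the FORTIFY_SOURCE clause and two other fragments from the string above against a few command lines. PIE_SPEC is an assumed shape for the proposed PIE default, not Ubuntu's actual spec, and switches are assumed in joined form (-D_FORTIFY_SOURCE=2 rather than -D _FORTIFY_SOURCE=2).

```python
"""Toy evaluator for GCC's %{...} specs syntax (added example, not GCC code).

Subset of what gcc.c's do_spec() implements, enough for the fragments in the post:
  %{S}     -> "-S" if the switch -S was given;  %{S*} -> every switch starting -S
  %{S:X}   -> X if -S given;  %{!S:X} -> X if -S not given;  %{S|T:X} -> either
  %{S*:X}  -> X once per switch starting with -S, "%*" replaced by the matched tail
  %{A&B}   -> switches matching A or B, in command-line order
  %e<msg>  -> driver error (raised here as SpecError)
Assumes joined switches ("-D_FORTIFY_SOURCE=2"); the real driver also accepts the
separated form.  Not modelled: %{S:X;T:Y}, suffix tests (%{.c:...}), %b, %W, %I.
"""


class SpecError(Exception):
    """Reached a %e directive: the gcc driver would print this and exit."""


def _matching(pattern, switches):
    """Switches (stored without their leading '-') that one pattern matches."""
    if pattern.endswith("*"):
        return [s for s in switches if s.startswith(pattern[:-1])]
    return [s for s in switches if s == pattern]


def _matching_close(spec, open_idx):
    """Index of the '}' closing the '{' at open_idx."""
    depth = 0
    for j in range(open_idx, len(spec)):
        depth += (spec[j] == "{") - (spec[j] == "}")
        if depth == 0:
            return j
    raise ValueError("unbalanced braces in spec: " + spec)


def _split_toplevel(text, token):
    """Split text on token, ignoring occurrences nested inside inner %{...}."""
    pieces, cur, depth, j = [], [], 0, 0
    while j < len(text):
        if depth == 0 and text.startswith(token, j):
            pieces.append("".join(cur))
            cur, j = [], j + len(token)
            continue
        depth += (text[j] == "{") - (text[j] == "}")
        cur.append(text[j])
        j += 1
    pieces.append("".join(cur))
    return pieces


def _expand_braces(body, switches):
    """Expand the inside of one %{...} construct."""
    if ":" not in body:                      # bare form: re-emit matched switches
        patterns = body.replace("|", "&").split("&")
        return " ".join("-" + s for s in switches
                        if any(s in _matching(p, switches) for p in patterns))
    cond, text = body.split(":", 1)
    satisfied, matched = False, []           # matched: (switch, prefix it matched)
    for alt in cond.split("|"):
        pattern = alt.lstrip("!")
        hits = _matching(pattern, switches)
        if bool(hits) != alt.startswith("!"):   # alternative holds when hit XOR negated
            satisfied = True
            matched += [(h, pattern.rstrip("*")) for h in hits]
    if not satisfied:
        return ""
    pieces = _split_toplevel(text, "%*")
    if len(pieces) > 1:                      # one copy of X per matched switch
        return " ".join(expand(h[len(prefix):].join(pieces), switches)
                        for h, prefix in matched)
    return expand(text, switches)


def expand(spec, switches):
    """Expand a spec string against switches given without their leading '-'."""
    out, i = [], 0
    while i < len(spec):
        if spec.startswith("%{", i):
            close = _matching_close(spec, i + 1)
            out.append(_expand_braces(spec[i + 2:close], switches))
            i = close + 1
        elif spec.startswith("%e", i):
            raise SpecError(spec[i + 2:].strip())
        else:
            out.append(spec[i])
            i += 1
    return " ".join("".join(out).split())    # squeeze the gaps left by empty %{...}


def drive(spec, argv):
    """Expand spec for a gcc command line written with its dashes and input files."""
    return expand(spec, [a[1:] for a in argv if a.startswith("-")])


# Fragments of the cpp_unique_options spec quoted in the post.
FORTIFY_SPEC = ("%{!D_FORTIFY_SOURCE:%{!D_FORTIFY_SOURCE=*:"
                "%{!U_FORTIFY_SOURCE:-D_FORTIFY_SOURCE=2}}}")
MQ_SPEC = "%{!E:%{!M:%{!MM:%{!MT:%{!MQ:%{MD|MMD:%{o*:-MQ %*}}}}}}}"
CPP_CHECK_SPEC = "%{C|CC:%{!E:%eGCC does not support -C or -CC without -E}}"
# Hypothetical shape of the PIE default the post proposes (not Ubuntu's real spec):
# turn on -fPIE unless the package opted out with -fno-PIE or -fno-pie.
PIE_SPEC = "%{!fno-PIE:%{!fno-pie:-fPIE}}"

if __name__ == "__main__":
    for argv in (["-O2", "-Wall", "foo.c"], ["-O2", "-D_FORTIFY_SOURCE=1", "foo.c"],
                 ["-U_FORTIFY_SOURCE", "foo.c"], ["-fno-PIE", "foo.c"]):
        print(" ".join(argv), "->", repr(drive(FORTIFY_SPEC, argv)),
              repr(drive(PIE_SPEC, argv)))
    print(repr(drive(MQ_SPEC, ["-MD", "-ofoo.o", "foo.c"])))
```

Run it and a plain -O2 build gets -D_FORTIFY_SOURCE=2 and -fPIE, a build that already defines or undefines _FORTIFY_SOURCE gets nothing from that clause, -fno-PIE suppresses the hypothetical PIE default, and -MD -ofoo.o yields -MQ foo.o. On a real Intrepid toolchain the same clause can be located with gcc -dumpspecs | grep -A1 cpp_unique_options, and a modified rule can be tried without touching the package by putting it in a specs file and passing gcc -specs=FILE.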

This was a quick overview of specs; I hope you learned something from it and now understand how this will be done.

1 comment:

Chris Rohlf said...

Keep the posts coming. I have been looking forward to these changes in Ubuntu for a while. Also you might want to add your email address to your blog somewhere.