On Sun, Apr 11, 2021 at 6:01 PM Guillermo <gdiazhartusch_at_gmail.com> wrote:
>
> I guess this executable stack thing is toolchain- / libc-specific?
It's dependent on the build procedure and/or the toolchain.
> The
> relevant test is using 'readelf -l' to check if there is a GNU_STACK
> program header, and that its flags are RW instead of RWE, right?
Yes.
> No sign of RWE flags... Even after
> doing 'make strip' with the original version of the makefile that
> removes the .note.GNU-stack section.
Assuming the skarnet Makefiles are used as-is and no deviations are
made by the distribution's package build procedure, the breaking point
is making strip and static linking with packages that are build-time
dependencies. So for example, make strip skalibs and then statically
link all other skarnet packages with it. Or make strip execline and
then statically link s6 with it. Then the resulting executables or
shared libraries end up with an executable stack.
If dynamic linking is used all throughout the dependency chain, I
don't think it can happen (again assuming the skarnet Makefiles are
used as-is). A shared library or executable doesn't have
.note.GNU-stack section, so removing it has no effect. A shared
library or executable has a GNU_STACK header instead.
It's also possible that the Gentoo toolchain is configured so that the
linker forcibly marks the stack as non-executable on anything that it
links. But according to this page that doesn't appear to be the case:
<
https://wiki.gentoo.org/wiki/Hardened/Toolchain>.
See also: <
https://wiki.gentoo.org/wiki/Hardened/GNU_stack_quickstart>.
Received on Sun Apr 11 2021 - 17:56:33 UTC