On Thu, Apr 24, 2014 at 05:37:40PM +0200, Mark van Dijk wrote:
> Hi
>
> >> When trying to compile drbd 8.4 using gcc 4.8.2, the following problem
> >> occurs. As I have no idea to fix it I hope you can help me.
> >
> > You seem to suspect gcc version incompatibility,
> > or why do you list the compiler version?
> >
> > Does it work with a different compiler version?
> > If so, which platform (OS) are you on,
> > and is this the "default" compiler there,
> > or where did you obtain it?
>
> Why did I list the compiler version, I don't really know, just a habit I
> suppose. I'm sorry, I'm not at all familiar with coding. This GCC
> version is the default on Funtoo (Gentoo fork).
>
> > Which DRBD git hash do you try to compile?
> > Against which kernel do you try to compile?
>
> Today I tried to compile hash 3c1f46cb against kernel 3.13.9-hardened.
> This is a grsec enabled kernel. I enabled most of the grsec options and
> figured to disable options one by one when something breaks.
>
> In the case of drbd, I found that its compilation fails when
> CONFIG_PAX_CONSTIFY_PLUGIN is enabled. Disabling this option allows the
> module to compile successfully. So I will keep it disabled.
>
> In case it is helpful here is the description for
> CONFIG_PAX_CONSTIFY_PLUGIN.
>
> ---
> By saying Y here the compiler will automatically constify a class
> of types that contain only function pointers. This reduces the
> kernel's attack surface and also produces a better memory layout.
>
> Note that the implementation requires a gcc with plugin support,
> i.e., gcc 4.5 or newer. You may need to install the supporting
> headers explicitly in addition to the normal gcc package.
>
> Note that if some code really has to modify constified variables
> then the source code will have to be patched to allow it. Examples
> can be found in PaX itself (the no_const attribute) and for some
> out-of-tree modules at http://www.grsecurity.net/~paxguy1/ .
> ---
>
> As it sounds like this grsec option is useful to decrease attack
> vectors, are you inclined to support this kernel option some day? Or is
> it too exotic? Please let me know.

I don't really care right now.
Though I think that constifying kernel module function pointers would
not be top of *my* list if the goal is to reduce "attack surface"...

Patches accepted, I guess ...

-- 
: Lars Ellenberg
: LINBIT | Your Way to High Availability
: DRBD/HA support and consulting http://www.linbit.com

DRBD® and LINBIT® are registered trademarks of LINBIT, Austria.
__
please don't Cc me, but send to list -- I'm subscribed
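The help text quoted in the message above says that code which writes to a constified function-pointer table has to be reworked. The following C program is an added example, not code from this thread, DRBD or PaX; it spells the `const` out by hand and shows two reworks that keep such code compiling. The names `blk_ops`, `blk_ops_rw`, `NO_CONST` and all functions are hypothetical, and `NO_CONST` is an empty stand-in for the `no_const` attribute the help text names.

```c
#include <stdio.h>

/* A type made only of function pointers: the class the help text says the
 * plugin constifies. Plain C has no plugin, so const is written by hand. */
struct blk_ops {
    int (*open)(int minor);
    int (*release)(int minor);
};

/* Hypothetical macro: empty here; on a PaX build it would carry the
 * no_const attribute named in the help text. */
#define NO_CONST
typedef struct blk_ops NO_CONST blk_ops_rw;

static int plain_open(int minor)    { return minor; }
static int traced_open(int minor)   { return minor + 1000; }
static int plain_release(int minor) { (void)minor; return 0; }

/* Survives constification: initialised at build time, never written. */
static const struct blk_ops plain_ops  = { .open = plain_open,  .release = plain_release };
static const struct blk_ops traced_ops = { .open = traced_open, .release = plain_release };

/* Breaks once the table is const (the compiler rejects it here as well):
 *     plain_ops.open = traced_open;
 */

/* Rework 1: choose between read-only tables instead of patching one. */
const struct blk_ops *select_ops(int tracing)
{
    return tracing ? &traced_ops : &plain_ops;
}

/* Rework 2: where a table truly must change at runtime, use an explicitly
 * writable type and keep the writable copy as short-lived as possible. */
int open_with_override(int minor, int (*override)(int))
{
    blk_ops_rw ops = plain_ops;   /* writable copy of the read-only template */
    if (override)
        ops.open = override;
    return ops.open(minor);
}

int main(void)
{
    printf("%d %d %d\n", select_ops(0)->open(3), select_ops(1)->open(3),
           open_with_override(3, traced_open));
    return 0;
}
```

Rework 1 keeps every table in read-only memory, which is the property the option is meant to enforce; rework 2 gives that up for the one object that needs it.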