List Archive: gentoo-dev
To: Gentoo Development <gentoo-dev@g.o>, pageexec@...
From: "Anthony G. Basile" <blueness@g.o>
Subject: Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes
Date: Thu, 01 Dec 2011 11:08:37 -0500
Hi everyone,

I've been doing some experimental work with PaX enabled kernels and I
wanted to share it with the community at large for feedback.

Motivation: There are two (soon three) ways of doing PaX markings so
that a PaX enabled kernel knows what restrictions to put on the running
process.  These are:

1) EI_PAX markings.  This puts the pax flags in the ELF header in bytes
14 and 15 of the e_ident[] field.  This was a "hijacked" area and is now
broken. [1]

2) PT_PAX markings.  This puts the flags in an ELF program header.  On
Gentoo systems, all binaries are compiled with a PT_PAX header ready to
go because of a patch against binutils [2].  The problem is precompiled
binaries which lack a PT_PAX header and cannot have one added without
breaking.  (e.g. skype).

3) XT_PAX markings.  This is the new experimental way of doing the
markings using xattrs for PaX markings.  Currently, I'm using the name
space "user.pax" so as to allow users to mark their own binaries, but
this may change to "security.pax" depending on what direction upstream
(i.e. pipacs) wants to go.  The advantage here is that the ELF binary is
not mangled in any way since the xattrs live in the inodes not the
blocks.  The disadvantage is that xattrs are not supported on all
filesystems and in all the utilities we need for portage to work.  I'm
working to get xattrs supported where we need it.  This will also help
with supporting other features like ACL and CAPS.  To this end:

a) There is a patch against tar to support xattrs based on a Fedora
patch.  [3]
b) Kernels 3.0 and above support xattrs in tmpfs, squashfs and other
filesystems.
c) Python 3.3 and above support os.getxattr and os.setxattr and zmedico
and Arfrever have patched portage to copy xattrs from ${D} to ${ROOT}.
d) There's probably more .... feedback welcome!


I've built two test systems, amd64 and x86, and so far so good.
Prometheanfire tested too and helped find some snags.  If anyone is
interested, I've got a HOWTO on converting any gentoo system to a *pure*
XT_PAX hardened system [4], i.e. one with *no* EI_PAX or PT_PAX.  This
will not be the final situation where we will have backwards compat with
PT_PAX but not EI_PAX.  However, for testing it will force any issues
with XT_PAX to the foreground.

Since many of you know more about the internals of Gentoo than I, I
would appreciate any suggestions regarding what I might be missing if we
eventually migrate in this direction.


References:

[1] https://bugs.gentoo.org/show_bug.cgi?id=387459

[2] As of this writing, PT_PAX support is provided by patch
63_all_binutils-2.21.1-pt-pax-flags-20110918.patch  which can be
obtained from the patch bundles found at
http://dev.gentoo.org/~vapier/dist/ among other places.

[3] https://bugs.gentoo.org/show_bug.cgi?id=382067

[4] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=HOWTO.txt;h=9edc600f0d81d5e77c6cd7e961a05b56f51b51ec;hb=f4d0da5dcaf12e4b9a70c1d2528becf649b1de61

-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : blueness@g.o
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
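An added example (not from this mail, the hardened-dev HOWTO or portage) of the XT_PAX mechanics the mail describes: reading and writing the user.pax marking with the Python 3.3 os.getxattr/os.setxattr calls, and carrying user.* xattrs from a ${D}-style staging tree into a ${ROOT}-style install tree, which is what the portage patch has to preserve, since a marking that does not survive the install step is silently gone. The paxctl-style flag letters, the plain-string value format and the file names are assumptions; a filesystem without xattr support is reported rather than treated as an error, which is the disadvantage the mail points out.

```python
import errno
import os
import shutil
import tempfile
PAX_XATTR = "user.pax"       # namespace from the mail; may become "security.pax"
PAX_LETTERS = set("PEMRXS")  # assumed paxctl-style letters: upper enables, lower disables

def _xattr(fn, *args, missing=None):
    """Call an os.*xattr function; unsupported filesystem or absent attribute -> `missing`."""
    try:
        return fn(*args)
    except OSError as e:
        if e.errno in (errno.ENOTSUP, errno.ENODATA):
            return missing
        raise

def valid_marking(flags):
    """A marking is a run of distinct PaX letters in either case, e.g. "PEMRS" (assumed format)."""
    up = flags.upper()
    return len(up) > 0 and set(up) <= PAX_LETTERS and len(set(up)) == len(up)

def mark(path, flags):
    """Store the marking in the inode; False when the filesystem cannot hold xattrs."""
    if not valid_marking(flags):
        raise ValueError("bad PaX marking: %r" % flags)
    return _xattr(os.setxattr, path, PAX_XATTR, flags.encode(), missing=False) is None

def read_marking(path):
    """Return the marking, or None if the file is unmarked or xattrs are unsupported."""
    raw = _xattr(os.getxattr, path, PAX_XATTR)
    return None if raw is None else raw.decode()

def install_with_xattrs(src, dst):
    """Copy contents, then each user.* xattr by hand; return the names carried over."""
    shutil.copyfile(src, dst)  # copyfile alone drops the marking; copy2 on 3.3+ keeps it
    names = [n for n in _xattr(os.listxattr, src, missing=[]) if n.startswith("user.")]
    for name in names:
        os.setxattr(dst, name, os.getxattr(src, name))
    return names

def demo():
    """Constructed: mark a stand-in prebuilt binary in ${D}, then install it into ${ROOT}."""
    with tempfile.TemporaryDirectory() as tmp:
        d_bin, root_bin = (os.path.join(tmp, t, "opt", "bin", "skype") for t in ("D", "ROOT"))
        for p in (d_bin, root_bin):
            os.makedirs(os.path.dirname(p))
        with open(d_bin, "wb") as f:
            f.write(b"\x7fELF-placeholder")  # constructed contents, not a real ELF file
        supported = mark(d_bin, "PEMRS")
        copied = install_with_xattrs(d_bin, root_bin)
        return {"supported": supported, "copied": copied, "d": read_marking(d_bin), "root": read_marking(root_bin)}
```

Run `demo()` on a tmpfs or ext4 mount with and without xattr support to see the two outcomes: the marking follows the file into ${ROOT} on the first, and `supported` is False on the second.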