List Archive: gentoo-dev
Headers:
To: gentoo-dev@g.o
From: Mike Frysinger <vapier@g.o>
Subject: Re: Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes
Date: Wed, 7 Dec 2011 17:11:46 -0500
On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote:
> 2) PT_PAX markings.  This puts the flags in an ELF program header.  On
> Gentoo systems, all binaries are compiled with a PT_PAX header ready to
> go because of a patch against binutils [2].  The problem is precompiled
> binaries which lack a PT_PAX header and cannot have one added without
> breaking.  (eg. skype).
> 
> 3) XT_PAX markings.  This is the new experimental way of doing the
> markings using xattrs for PaX markings.  Currently, I'm using the name
> space "user.pax" so as to allow users to mark their own binaries, but
> this may change to "security.pax" depending on what direction upstream
> (ie pipacs) wants to go.  The advantage here is that the ELF binary is
> not mangled in any way since the xattrs live in the inodes not the
> blocks.  The disadvantage is that xattrs is not supported on all
> filesystems and in all our utilities we need for portage to work.  I'm
> working to get xattrs supported where we need it.  This will also help
> with supporting other features like ACL and CAPS.  To this end:

i happily look forward to the time where we can deprecate PT_PAX support in 
binutils.  it is, by far, the largest thorn in my side when it comes to 
stabilization and false positive test failures in binutils.

> a) There is a patch against tar to support xattrs based on a Fedora
> patch.  [3]

sorry, now that i know this is a bit more important than "i've been playing 
with this stuff", i'll try and get to it faster
-mike
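
The two marking locations discussed in the message above, as an added example that is not part of the original e-mail and not code from Gentoo or PaX: a Python check that looks for a PT_PAX program header in an ELF image and separately reports whether an XT_PAX xattr is set, unset, or unsupported by the filesystem. The attribute name `user.pax.flags` inside the "user.pax" namespace, the function names, and the sample image are assumptions made for this example; `os.getxattr` is Linux-only.

```python
import errno
import os
import struct

PT_PAX_FLAGS = 0x65041580      # PT_LOOS + 0x5041580: p_type of the PT_PAX program header
XATTR_NAME = "user.pax.flags"  # assumption: attribute name inside the "user.pax" namespace
SAMPLE_FLAGS = 0x2800          # constructed p_flags value, used only by the sample image

def find_pt_pax(elf):
    """Return p_flags of the PT_PAX program header, or None if the image has none."""
    if len(elf) < 16 or elf[:4] != b"\x7fELF" or elf[4] not in (1, 2) or elf[5] not in (1, 2):
        raise ValueError("not an ELF image")
    is64, end = elf[4] == 2, "<" if elf[5] == 1 else ">"
    try:
        phoff = struct.unpack_from(end + ("Q" if is64 else "I"), elf, 0x20 if is64 else 0x1C)[0]
        entsize, phnum = struct.unpack_from(end + "HH", elf, 0x36 if is64 else 0x2A)
        for i in range(phnum):
            off = phoff + i * entsize
            (p_type,) = struct.unpack_from(end + "I", elf, off)
            if p_type == PT_PAX_FLAGS:
                # p_flags sits at offset 4 in Elf64_Phdr and at offset 24 in Elf32_Phdr
                return struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))[0]
    except struct.error as exc:
        raise ValueError("truncated ELF image") from exc
    return None

def read_xt_pax(path, name=XATTR_NAME):
    """Return ('set', value), ('unset', None) or ('unsupported', None) for the xattr."""
    try:
        return "set", os.getxattr(path, name)
    except OSError as exc:
        if exc.errno == errno.ENODATA:          # filesystem has xattrs, attribute absent
            return "unset", None
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):  # no user xattrs on this fs
            return "unsupported", None
        raise

def build_sample_elf(with_pt_pax):
    """Constructed little-endian ELF64 image: ELF header plus program headers only."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)]  # PT_LOAD, R+X
    if with_pt_pax:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, SAMPLE_FLAGS, 0, 0, 0, 0, 0, 0))
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)

if __name__ == "__main__":
    for has_hdr in (True, False):
        print(has_hdr, find_pt_pax(build_sample_elf(has_hdr)))
```

A binary for which `find_pt_pax` returns `None` is the precompiled case from the quoted text; for such a file the result of `read_xt_pax` shows whether the xattr route is available on the filesystem holding it.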
Updated Jun 29, 2012

Summary: Archive of the gentoo-dev mailing list.