| 1 |
On 07/15/2011 02:44 AM, Michał Górny wrote: |
| 2 |
> On Thu, 14 Jul 2011 19:19:11 -0400 |
| 3 |
> Mike Frysinger <vapier@g.o> wrote: |
| 4 |
> |
| 5 |
>>> 3) Since a hardened kernel can be configure with various flavors of |
| 6 |
>>> "pax" or "grsec" or "selinux", there should be useflags to reflect |
| 7 |
>>> userland needs to conform. There already is a "selinux" flag which |
| 8 |
>>> is set by selinux profiles. Currently we don't see a need for a |
| 9 |
>>> "grsec" flag, however, there is a need for a "pax" global use flag |
| 10 |
>>> which we propose calling "pax_kernel". (If nothing else to |
| 11 |
>>> distinguish it from app-arch/pax.) |
| 12 |
>>> |
| 13 |
>>> Userland binaries which will run under a pax enabled kernel may need |
| 14 |
>>> special treatment to run, or else they'll be killed by the kernel. |
| 15 |
>>> The best example here is an RWX mmapping. Although the ideal case |
| 16 |
>>> is to "fix the code" this is not always feasible and so binaries |
| 17 |
>>> will still need markings with paxctl -m. |
| 18 |
>> if `paxctl` is installed, then i say always run `paxctl` on the |
| 19 |
>> problematic binaries regardless of USE flags. have the |
| 20 |
>> hardened-sources package depend on paxctl, and then that takes care |
| 21 |
>> of the dependency. -mike |
| 22 |
> Do we support migrating existing systems to hardened? If so, then this |
| 23 |
> solution will leave users with a need to manually remerge pax-setting |
| 24 |
> packages. Though, I guess, it's pretty easy to grab that package list |
| 25 |
> on pax-utils.eclass inherit. |
| 26 |
> |
| 27 |
|
| 28 |
That could be a workable solution and would avoid the extra global flag, |
| 29 |
but there is a glitch --- see below. This can work because all gentoo |
| 30 |
binaries are built with the needed ELF program header (PT_PAX) anyhow, |
| 31 |
whether they're run under a non-hardened or pax-hardened kernel. We can |
| 32 |
mark them where needed as if they were going to be run under a |
| 33 |
pax-hardened kernel, and if they're run under a non-hardened kernel, the |
| 34 |
header is ignored and no harm done. |
| 35 |
|
| 36 |
We do support "migration to hardened" but that means migrating to |
| 37 |
"hardened toolchain + resulting hardened binaries". You cannot avoid an |
| 38 |
emerge world there. "Migrating to a hardened kernel" would mean nothing |
| 39 |
more than compiling hardened-sources and rebooting. If the binaries are |
| 40 |
correctly marked when they were first built, the user should be okay |
| 41 |
without re-emerging anything. |
| 42 |
|
| 43 |
So, here's the glitch. For example, in dev-lang/mono, following the |
| 44 |
above plan, we would drop the "hardened" flag, remove |
| 45 |
|
| 46 |
DEPEND=" ... hardened? ( sys-apps/paxctl )" |
| 47 |
|
| 48 |
and replace |
| 49 |
|
| 50 |
if use hardened ; then |
| 51 |
ewarn "We are disabling MPROTECT on the mono binary." |
| 52 |
sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i |
| 53 |
"${S}"/runtime/mono-wrapper.in |
| 54 |
fi |
| 55 |
|
| 56 |
with just |
| 57 |
|
| 58 |
ewarn "We are disabling MPROTECT on the mono binary." |
| 59 |
sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i |
| 60 |
"${S}"/runtime/mono-wrapper.in |
| 61 |
|
| 62 |
But this assumes that paxctl is on the user's system which is not |
| 63 |
guaranteed unless the users has emerged hardened-sources (which will |
| 64 |
depend on paxctl). scanelf would have to be the replacement in such |
| 65 |
cases because it is guaranteed to be there by the profiles. |
| 66 |
|
| 67 |
-- |
| 68 |
Anthony G. Basile, Ph.D. |
| 69 |
Gentoo Linux Developer [Hardened] |
| 70 |
E-Mail : blueness@g.o |
| 71 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 72 |
GnuPG ID : D0455535 |
Archives