1 |
On 07/15/2011 02:44 AM, Michał Górny wrote: |
2 |
> On Thu, 14 Jul 2011 19:19:11 -0400 |
3 |
> Mike Frysinger <vapier@g.o> wrote: |
4 |
> |
5 |
>>> 3) Since a hardened kernel can be configure with various flavors of |
6 |
>>> "pax" or "grsec" or "selinux", there should be useflags to reflect |
7 |
>>> userland needs to conform. There already is a "selinux" flag which |
8 |
>>> is set by selinux profiles. Currently we don't see a need for a |
9 |
>>> "grsec" flag, however, there is a need for a "pax" global use flag |
10 |
>>> which we propose calling "pax_kernel". (If nothing else to |
11 |
>>> distinguish it from app-arch/pax.) |
12 |
>>> |
13 |
>>> Userland binaries which will run under a pax enabled kernel may need |
14 |
>>> special treatment to run, or else they'll be killed by the kernel. |
15 |
>>> The best example here is an RWX mmapping. Although the ideal case |
16 |
>>> is to "fix the code" this is not always feasible and so binaries |
17 |
>>> will still need markings with paxctl -m. |
18 |
>> if `paxctl` is installed, then i say always run `paxctl` on the |
19 |
>> problematic binaries regardless of USE flags. have the |
20 |
>> hardened-sources package depend on paxctl, and then that takes care |
21 |
>> of the dependency. -mike |
22 |
> Do we support migrating existing systems to hardened? If so, then this |
23 |
> solution will leave users with a need to manually remerge pax-setting |
24 |
> packages. Though, I guess, it's pretty easy to grab that package list |
25 |
> on pax-utils.eclass inherit. |
26 |
> |
27 |
|
28 |
That could be a workable solution and would avoid the extra global flag, |
29 |
but there is a glitch --- see below. This can work because all gentoo |
30 |
binaries are built with the needed ELF program header (PT_PAX) anyhow, |
31 |
whether they're run under a non-hardened or pax-hardened kernel. We can |
32 |
mark them where needed as if they were going to be run under a |
33 |
pax-hardened kernel, and if they're run under a non-hardened kernel, the |
34 |
header is ignored and no harm done. |
35 |
|
36 |
We do support "migration to hardened" but that means migrating to |
37 |
"hardened toolchain + resulting hardened binaries". You cannot avoid an |
38 |
emerge world there. "Migrating to a hardened kernel" would mean nothing |
39 |
more than compiling hardened-sources and rebooting. If the binaries are |
40 |
correctly marked when they were first built, the user should be okay |
41 |
without re-emerging anything. |
42 |
|
43 |
So, here's the glitch. For example, in dev-lang/mono, following the |
44 |
above plan, we would drop the "hardened" flag, remove |
45 |
|
46 |
DEPEND=" ... hardened? ( sys-apps/paxctl )" |
47 |
|
48 |
and replace |
49 |
|
50 |
if use hardened ; then |
51 |
ewarn "We are disabling MPROTECT on the mono binary." |
52 |
sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i |
53 |
"${S}"/runtime/mono-wrapper.in |
54 |
fi |
55 |
|
56 |
with just |
57 |
|
58 |
ewarn "We are disabling MPROTECT on the mono binary." |
59 |
sed '/exec/ i\paxctl -mr "$r/@mono_runtime@"' -i |
60 |
"${S}"/runtime/mono-wrapper.in |
61 |
|
62 |
But this assumes that paxctl is on the user's system which is not |
63 |
guaranteed unless the users has emerged hardened-sources (which will |
64 |
depend on paxctl). scanelf would have to be the replacement in such |
65 |
cases because it is guaranteed to be there by the profiles. |
66 |
|
67 |
-- |
68 |
Anthony G. Basile, Ph.D. |
69 |
Gentoo Linux Developer [Hardened] |
70 |
E-Mail : blueness@g.o |
71 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
72 |
GnuPG ID : D0455535 |