Hi Markus,

It looks like you missed something in the process. The steps for
converting are (skipping details):

1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world

If you didn't do these, it's possible you have some binaries left that
will trigger pax violations.

One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin. You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.


Ref:

[1] http://tk-blog.blogspot.com/2009/02/checksec.html



On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
>
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened. :)
>
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
>
> Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
>
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful :) about what to expect for
> exceptions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
>
>
> Markus
>
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
>
>
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.


--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
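The grsec log line quoted in Markus's mail has a fixed layout, so the set of binaries that trip PaX (the list he compiled by hand) can be pulled straight out of the kernel log before deciding which ones really need paxctl. The following Python script is an added example, not code from this thread, from Gentoo Hardened or from grsecurity: it parses grsec RWX denial lines and summarizes them per offending binary. It assumes the `mmap` variant of the message shares the layout of the quoted `mprotect` one; every sample line except the quoted one is constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Layout of a grsec/PaX RWX denial as it appears in the kernel log.
# The mprotect form is the one quoted in the thread; the mmap form is
# assumed here to use the same layout with "mmap" in place of "mprotect".
DENIAL_RE = re.compile(
    r"grsec: denied RWX (?P<op>mprotect|mmap) of (?P<object>.+?) "
    r"by (?P<binary>[^\s\[]+)\[(?P<comm>.*?):(?P<pid>\d+)\] "
    r"uid/euid:(?P<uid>\d+)/(?P<euid>\d+) gid/egid:(?P<gid>\d+)/(?P<egid>\d+), "
    r"parent (?P<pbinary>[^\s\[]+)\[(?P<pcomm>.*?):(?P<ppid>\d+)\]"
)

def parse_denial(line):
    """Return the fields of one grsec RWX denial line, or None if it is not one."""
    m = DENIAL_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    for k in ("pid", "uid", "euid", "gid", "egid", "ppid"):
        d[k] = int(d[k])
    return d

def summarize(lines):
    """Map each offending binary to its denial count and the objects it tried to make RWX."""
    counts = Counter()
    objects = defaultdict(set)
    for line in lines:
        d = parse_denial(line)
        if d is None:
            continue  # unrelated kernel message
        counts[d["binary"]] += 1
        objects[d["binary"]].add(d["object"])
    return {b: {"count": n, "objects": sorted(objects[b])} for b, n in counts.items()}

# Constructed sample log: the first line is the one quoted in the thread,
# the others are made up in the same layout (the sudo line is the mmap form).
SAMPLE_LOG = """\
Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:10:02 localhost kernel: [ 307.001234] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[python2.7:6401] uid/euid:1000/1000 gid/egid:1005/1005, parent /bin/bash[bash:6200] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:11:15 localhost kernel: [ 380.556677] grsec: denied RWX mmap of <anonymous mapping> by /usr/bin/sudo[sudo:6450] uid/euid:1000/0 gid/egid:1005/1005, parent /bin/bash[bash:6200] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:11:16 localhost kernel: [ 381.000000] some unrelated kernel message
"""

if __name__ == "__main__":
    for binary, info in sorted(summarize(SAMPLE_LOG.splitlines()).items()):
        print(f"{binary}: {info['count']} denial(s), objects: {', '.join(info['objects'])}")
```

Feed it the real log with `summarize(open('/var/log/messages').read().splitlines())` to get the same per-binary view on a live system.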