1 |
On 14 Dec 2014 at 4:18, "Tóth Attila" wrote: |
2 |
|
3 |
> I've made an observation long before, that although PT_PAX flags are |
4 |
> properly handled on my systems, the installed binaries and libraries lack |
5 |
> XATTR_PAX markings. |
6 |
|
7 |
first, PaX flags don't matter on libraries at all as only the executable |
8 |
is used to determine the runtime flags. second, lack of xattrs means that |
9 |
the secure defaults will be used (modulo what other control methods are |
10 |
in play of course, see below). |
11 |
|
12 |
> I have both PT and XT present in my make.conf for markings. I was told |
13 |
> before, that I should rather opt for only one of the two possibilities - |
14 |
> kernel-option wise and make.conf-marking-selection wise. Kinda both PT and |
15 |
> XT are not supported at the same time using the current utilities. |
16 |
|
17 |
what particular issues do you still have? |
18 |
|
19 |
> Moreover: there is the question if PT marking is present and XATTR is |
20 |
> missing at the same time: which one takes precedence? I suspect the system |
21 |
> tries to interpret the missing XATTR, falling back to apply the default |
22 |
> flags, while paying no attention to the PT flags present. Additionally, I |
23 |
> haven't mentioned any policy defined PAX flags. |
24 |
|
25 |
the general rule is that if a marking is missing (either from the kernel |
26 |
config or the executable) then it won't participate in the decision making |
27 |
process. |
28 |
|
29 |
if both marks are present then they must be the same, otherwise the existing |
30 |
mark will be used as is. |
31 |
|
32 |
if neither mark exists then defaults will be used whose value depends on |
33 |
softmode. in practice you'll get secure defaults in !softmode (this hierarchy |
34 |
was introduced earlier this year, the defaults used to be not secure before |
35 |
due to compatibility concerns for unmarked binaries, but i finally made the |
36 |
switch). |
37 |
|
38 |
for this reason these days you should really only set marks when you actually |
39 |
want to deviate from the (now) secure defaults. |
40 |
|
41 |
note that PT_PAX_FLAGS is special in that it's easier to create it at link |
42 |
time than afterwards, so its presence is ok even if you don't change its |
43 |
default value (which has always been secure for !softmode). |