| 1 |
On 14 Dec 2014 at 4:18, "Tóth Attila" wrote: |
| 2 |
|
| 3 |
> I've made an observation long before, that although PT_PAX flags are |
| 4 |
> properly handled on my systems, the installed binaries and libraries lack |
| 5 |
> XATTR_PAX markings. |
| 6 |
|
| 7 |
first, PaX flags don't matter on libraries at all as only the executable |
| 8 |
is used to determine the runtime flags. second, lack of xattrs means that |
| 9 |
the secure defaults will be used (modulo what other control methods are |
| 10 |
in play of course, see below). |
| 11 |
|
| 12 |
> I have both PT and XT present in my make.conf for markings. I was told |
| 13 |
> before, that I should rather opt for only one of the two possibilities - |
| 14 |
> kernel-option wise and make.conf-marking-selection wise. Kinda both PT and |
| 15 |
> XT are not supported at the same time using the current utilities. |
| 16 |
|
| 17 |
what particular issues do you still have? |
| 18 |
|
| 19 |
> Moreover: there is the question if PT marking is present and XATTR is |
| 20 |
> missing at the same time: which one takes precedence? I suspect the system |
| 21 |
> tries to interpret the missing XATTR, falling back to apply the default |
| 22 |
> flags, while paying no attention to the PT flags present. Additionally, I |
| 23 |
> haven't mentioned any policy defined PAX flags. |
| 24 |
|
| 25 |
the general rule is that if a marking is missing (either from the kernel |
| 26 |
config or the executable) then it won't participate in the decision making |
| 27 |
process. |
| 28 |
|
| 29 |
if both marks are present then they must be the same, otherwise the existing |
| 30 |
mark will be used as is. |
| 31 |
|
| 32 |
if neither mark exists then defaults will be used whose value depends on |
| 33 |
softmode. in practice you'll get secure defaults in !softmode (this hierarchy |
| 34 |
was introduced earlier this year, the defaults used to be not secure before |
| 35 |
due to compatibility concerns for unmarked binaries, but i finally made the |
| 36 |
switch). |
| 37 |
|
| 38 |
for this reason these days you should really only set marks when you actually |
| 39 |
want to deviate from the (now) secure defaults. |
| 40 |
|
| 41 |
note that PT_PAX_FLAGS is special in that it's easier to create it at link |
| 42 |
time than afterwards, so its presence is ok even if you don't change its |
| 43 |
default value (which has always been secure for !softmode). |
Archives