List Archive: gentoo-hardened
Headers:
To: gentoo-hardened@g.o
From: "Anthony G. Basile" <basile@...>
Subject: Guinea pigs ... ehm ... testers required!
Date: Sun, 23 Oct 2011 12:50:45 -0400

Hi everyone,

As you may know, I've been working on a set of utilities to use with a
PaX-enabled kernel.  These are installed with sys-app/elfix which
depends on dev-python/pypax.  They're currently in the gentoo tree, but
masked.  I need testers.  The two utilities I need tested are:


1. revdep-pax.  Basically it will look at elf binaries and the libraries
they link against and see if there is a mismatch between the PaX
markings of the binary and the library.  It does both forward and
reverse mappings, i.e. you can start from an executable and find all the
libraries with mismatched markings, or you can start from a library and
find all the binaries that link against it and have different PaX
markings.  If you want, you can forward or reverse migrate those markings.

I suspect it may have one issue: I get all the elf objects for the
forward mappings from /var/db/pkg/<cat>/<pkg>/NEEDED.  However, since
some libraries link against other libraries, I'm not sure I've gotten
everything.  I may have to switch to getting the elf objects out of some
predefined $PATH and $LD_PATH.


2. paxctl-ng.  This will do the same thing that paxctl does, but it adds
support for doing pax markings in Extended Attributes if the filesystem
will support them.  It has some important differences from paxctl, one
being that it will *never* try to edit the elf object, beyond just
changing the PT_PAX flags, which is always safe.  i.e., if an elf binary
lacks a PT_PAX program header, paxctl-ng will never try to create one,
so it is always safe to use even on self-checking elfs like skype.  You
can also use paxctl-ng to create the XT_PAX (i.e. extended attribute)
markings and then it will use either PT_PAX or XT_PAX or both to keep
the PaX flag markings.

The only known issue here is that it doesn't do file globbing.  I'll add
it in a later release.

NOTE: XT_PAX is NOT YET supported in the kernel.  I'm working on that
now.  Until then, we're just testing the userland utility.  When the
kernel has XT_PAX support, I'll write some POC test which creates an elf
without a PT_PAX program header, and only XT_PAX markings and see if it
works.  We'll then be able to cover binaries which cannot support PT_PAX
program headers with XT_PAX.


Please read the man pages!  Make sure they read okay too.


Thanks.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
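
The check described for revdep-pax, together with the concern that NEEDED lists only direct dependencies, sketched as an added example; it is not part of the original message and is not elfix or pypax code. It reads the PT_PAX_FLAGS program header without modifying the image and walks NEEDED transitively. The object names, the in-memory `OBJECTS` map standing in for the NEEDED files, and the helper names are assumptions made for illustration.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580
# paxctl option letter -> (enable bit, disable bit) in p_flags
PAX_BITS = {"P": (1 << 4, 1 << 5), "S": (1 << 6, 1 << 7), "M": (1 << 8, 1 << 9),
            "X": (1 << 10, 1 << 11), "E": (1 << 12, 1 << 13), "R": (1 << 14, 1 << 15)}

def pt_pax_flags(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the ELF has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_phoff, e_phentsize, e_phnum = struct.unpack_from("<Q14xHH", elf, 0x20)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def render(flags):
    """Compact form: upper case = enabled, lower case = disabled, '-' = unset."""
    return "no PT_PAX" if flags is None else "".join(
        k if flags & on else k.lower() if flags & off else "-"
        for k, (on, off) in PAX_BITS.items())

def make_elf(pax_flags=None):
    """Constructed sample: ELF64 header, one PT_LOAD, optional PT_PAX_FLAGS."""
    phdrs = [struct.pack("<II6Q", 1, 5, 0, 0, 0, 0, 0, 0x1000)]
    if pax_flags is not None:
        phdrs.append(struct.pack("<II6Q", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                       0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)

def mismatches(start, objects):
    """Follow NEEDED transitively from `start`; map differing deps to their flags."""
    want, seen, stack = pt_pax_flags(objects[start][0]), {start}, [start]
    while stack:
        new = set(objects[stack.pop()][1]) - seen
        seen |= new
        stack.extend(new)
    flags = {d: pt_pax_flags(objects[d][0]) for d in seen - {start}}
    return {d: render(f) for d, f in flags.items() if f != want}

# Constructed sample: hypothetical name -> (ELF image, direct NEEDED entries)
STRICT, RELAXED = 0x6110, 0x6210  # render as "P-M-eR" and "P-m-eR"
OBJECTS = {
    "app": (make_elf(STRICT), ["liba.so"]),
    "liba.so": (make_elf(STRICT), ["libb.so"]),
    "libb.so": (make_elf(RELAXED), [])}
```

Here `mismatches("app", OBJECTS)` reports `libb.so`, which a scan limited to the direct NEEDED entries of `app` would not reach.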


Updated Jun 28, 2012