Gentoo Archives: gentoo-commits

From: "Magnus Granberg (zorry)" <zorry@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in xml/htdocs/proj/en/hardened: hardenedfaq.xml
Date: Tue, 25 Jan 2011 23:07:58
Message-Id: 20110125230738.2E0CE20054@flycatcher.gentoo.org
1 zorry 11/01/25 23:07:38
2
3 Modified: hardenedfaq.xml
4 Log:
5 added the new hardenedfaq.xml for hardened proj
6
7 Revision Changes Path
8 1.25 xml/htdocs/proj/en/hardened/hardenedfaq.xml
9
10 file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&view=markup
11 plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&content-type=text/plain
12 diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.24&r2=1.25
13
14 Index: hardenedfaq.xml
15 ===================================================================
16 RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
17 retrieving revision 1.24
18 retrieving revision 1.25
19 diff -u -r1.24 -r1.25
20 --- hardenedfaq.xml 17 Aug 2010 22:35:05 -0000 1.24
21 +++ hardenedfaq.xml 25 Jan 2011 23:07:38 -0000 1.25
22 @@ -1,5 +1,6 @@
23 <?xml version="1.0" encoding="UTF-8"?>
24 <!DOCTYPE guide SYSTEM "/dtd/guide.dtd">
25 +<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.25 2011/01/25 23:07:38 zorry Exp $ -->
26
27 <guide link="/proj/en/hardened/hardenedfaq.xml" lang="en">
28 <title>Gentoo Hardened Frequently Asked Questions</title>
29 @@ -15,148 +16,42 @@
30 <author title="Contributor">
31 <mail link="pageexec@××××××××.hu">The PaX Team</mail>
32 </author>
33 +<author title="Contributor">
34 + <mail link="klondike@×××××××××.es">klondike</mail>
35 +</author>
36 +<author title="Contributor">
37 + <mail link="zorry@g.o">Magnus Granberg</mail>
38 +</author>
39 +<author title="Contributor">
40 + <mail link="blueness@g.o">Anthony G. Basile</mail>
41 +</author>
42
43 <abstract>
44 Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and
45 the gentoo-hardened mailing list.
46 </abstract>
47
48 -<version>1.9</version>
49 -<date>2006-02-18</date>
50 +<version>3.2</version>
51 +<date>2011-1-19</date>
52
53 -<chapter>
54 +<faqindex>
55 <title>Questions</title>
56 <section>
57 -<title>General</title>
58 -<body>
59 -
60 -<ul>
61 - <li>
62 - <uri link="#toolchain">What exactly is the "toolchain"?</uri>
63 - </li>
64 - <li>
65 - <uri link="#whichisbetter">What should I use: grsecurity, RSBAC or
66 - SELinux?</uri>
67 - </li>
68 - <li>
69 - <uri link="#aclall">Is it possible to use grsecurity, RSBAC, SELinux and
70 - PaX all at the same time?</uri>
71 - </li>
72 - <li>
73 - <uri link="#hardenedcflags">Do I need to pass any flags to LDFLAGS/CFLAGS in
74 - order to turn on PIE/SSP building?</uri>
75 - </li>
76 - <li>
77 - <uri link="#hardenedcflagsoff">How do I turn off PIE/SSP building?</uri>
78 - </li>
79 - <li>
80 - <uri link="#fsexec">My kernel compilation fails with the error "error:
81 - structure has no member named `curr_ip'", how do I fix that?</uri>
82 - </li>
83 - <li>
84 - <uri link="#hardenedproject">I just found out about the hardened project; do
85 - I have to install everything on the project page in order to install
86 - Hardened Gentoo?</uri>
87 - </li>
88 - <li>
89 - <uri link="#Othreessp">Why don't my programs work when I use CFLAGS="-O3"
90 - and hardened gcc?</uri>
91 - </li>
92 - <li>
93 - <uri link="#cascadebootstrap">What happened to bootstrap-cascade.sh?</uri>
94 - </li>
95 - <li>
96 - <uri link="#hardenedprofile">How do I switch to the hardened profile?</uri>
97 - </li>
98 - <li>
99 - <uri link="#hardeneddebug">How do I debug with gdb?</uri>
100 - </li>
101 -</ul>
102 -
103 -</body>
104 -</section>
105 -
106 -<section>
107 -<title>PaX</title>
108 -<body>
109 -
110 -<ul>
111 - <li>
112 - <uri link="#paxinformation">What is the homepage for PaX?</uri>
113 - </li>
114 - <li>
115 - <uri link="#paxgentoodoc">What Gentoo documentation exists about PaX?</uri>
116 - </li>
117 - <li>
118 - <uri link="#paxnoelf">I keep getting the message: "error while loading
119 - shared libraries: cannot make segment writable for relocation: Permission
120 - denied." What does this mean? </uri>
121 - </li>
122 - <li>
123 - <uri link="#paxjava">Ever since I started using PaX I can't get Java
124 - working, why?</uri>
125 - </li>
126 -</ul>
127 -
128 -</body>
129 -</section>
130 -
131 -<section>
132 -<title>grsecurity</title>
133 +<title>Introduction</title>
134 <body>
135
136 -<ul>
137 - <li>
138 - <uri link="#grsecinformation">What is the homepage for grsecurity?</uri>
139 - </li>
140 - <li>
141 - <uri link="#grsecgentoodoc">What Gentoo documentation exists about
142 - grsecurity?</uri>
143 - </li>
144 - <li>
145 - <uri link="#grsec2681">Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9
146 - kernel?</uri>
147 - </li>
148 -</ul>
149 -
150 -</body>
151 -</section>
152 -
153 -<section>
154 -<title>RSBAC</title>
155 -<body>
156 -
157 -<ul>
158 - <li>
159 - <uri link="#rsbacinformation">What is the homepage for RSBAC?</uri>
160 - </li>
161 - <li>
162 - <uri link="#rsbacgentoodoc">What Gentoo documentation exists about
163 - RSBAC?</uri>
164 - </li>
165 - <li>
166 - <uri link="#rsbacinitrd">How do I use an initial ramdisk with a RSBAC
167 - enabled kernel?</uri>
168 - </li>
169 -</ul>
170 -
171 -</body>
172 -</section>
173 -
174 -<section>
175 -<title>SELinux</title>
176 -<body>
177 -
178 -<ul>
179 - <li>
180 - <uri link="#selinuxfaq">Where can I find SELinux related frequently asked
181 - questions?</uri>
182 - </li>
183 -</ul>
184 +<p>
185 +The following is a collection of questions collected from #gentoo-hardened IRC
186 +channel and the gentoo-hardened mailing list. As such, is geared towards
187 +answering fast and concisely rather than providing a whole insight on the
188 +technologies behind Gentoo Hardened. It is advisable reading the rest of the
189 +documentation on the Gentoo Hardened Project page and that on the projects'
190 +home pages in order to get a better insight.
191 +</p>
192
193 </body>
194 </section>
195 -</chapter>
196 +</faqindex>
197
198 <chapter>
199 <title>General Questions</title>
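Review bot: The new `<date>` is written as 2011-1-19 while the line it replaces used the zero-padded form 2006-02-18; write it as 2011-01-19 so the date format stays consistent. The added introduction paragraph also drops a subject and an infinitive: "As such, is geared towards answering fast" should read "As such, it is geared towards answering quickly", and "It is advisable reading the rest of the documentation" should read "It is advisable to read the rest of the documentation".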
200 @@ -175,96 +70,125 @@
201 </section>
202
203 <section id="whichisbetter">
204 -<title>What should I use: grsecurity, RSBAC or SELinux?</title>
205 +<title>What should I use: Grsecurity's RBAC or SELinux?</title>
206 <body>
207
208 <p>
209 -The answer to this question is highly subjective, so the hardened Gentoo project
210 -simply tries to lay out each technology and leave the choice up to the user.
211 -This decision requires a lot of research that we have hopefully provided clearly
212 -in the hardened documentation. However, if you have any specific questions
213 -about the security model that each provides, feel free to question the relevant
214 -developer in our IRC channel or on the mailing list.
215 +The answer to this question is highly subjective, and very dependent on your
216 +requisites so the hardened Gentoo project simply tries to lay out each
217 +technology and leave the choice up to the user. This decision requires a lot of
218 +research that we have hopefully provided clearly in the hardened documentation.
219 +However, if you have any specific questions about the security model that each
220 +provides, feel free to question the relevant developer in our IRC channel or on
221 +the mailing list.
222 </p>
223
224 </body>
225 </section>
226
227 <section id="aclall">
228 -<title>Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same
229 +<title>Is it possible to use Grsecurity, SELinux and PaX all at the same
230 time?</title>
231 <body>
232
233 <p>
234 -Yes, this combination is quite possible as PaX works with grsecurity, RSBAC
235 -and SELinux. The only conflict that arises is you can only use one access
236 -control system.
237 +Yes, this combination is quite possible as PaX and some of Grsecurity's features
238 +work with Grsecurity's RBAC and SELinux. The only conflict that arises is you
239 +can only use one access control system (be it RBAC or SELinux).
240 </p>
241
242 </body>
243 </section>
244
245 <section id="hardenedcflags">
246 -<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on PIE/SSP
247 -building?</title>
248 +<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on
249 +hardened building?</title>
250 <body>
251
252 <p>
253 No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE
254 --fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> automatically
255 -through GCC's specfile which is a more proper solution. For older hardened-gcc
256 -users, add <c>USE="hardened pic"</c> to your <path>/etc/make.conf</path> and
257 -then upgrade with the following commands:
258 +-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c>
259 +automatically through GCC's built-in spec and using the specfiles to disable
260 +them which is a more proper solution. For older hardened-gcc users the best
261 +approach is switch to the hardened profile and then upgrade following the steps
262 +on the <uri link="#hardenedprofile">How to switch to Gentoo Hardened question
263 +</uri>
264 </p>
265
266 -<pre caption="Hardened Toolchain Installation">
267 -# <i>emerge --oneshot binutils gcc virtual/libc</i>
268 -# <i>emerge -e world</i>
269 -</pre>
270 +<note>
271 +Manually enabling the hardening flags it is not recommended at all.
272 +</note>
273 +
274 +<note>
275 +Sending a -fno... flag will disable the flag, also -fstack-protector-all and
276 +-fstack-protector may interfere when passed directly.
277 +</note>
278
279 <note>
280 -Gentoo patches its GCCs to allow specfiles to be passed
281 -through an environment variable. Currently several sets of specfiles are
282 -installed on Gentoo systems that allow users on supported architectures
283 -to easily switch the functionality off and on of the toolchain.
284 -To access the specs as the end user you can use the gcc-config utility.
285 +Gentoo patches its GCCs to allow specfiles to be passed through an environment
286 +variable. Currently several sets of specfiles are installed on Gentoo systems
287 +that allow users on supported architectures to easily switch the functionality
288 +off and on of the toolchain. To access the specs as the end user you can use the
289 +<c>gcc-config</c> utility.
290 </note>
291
292 </body>
293 </section>
294
295 <section id="hardenedcflagsoff">
296 -<title>How do I turn off PIE/SSP building?</title>
297 +<title>How do I turn off hardened building?</title>
298 <body>
299
300 <p>
301 You can use <c>gcc-config</c> to accomplish this:
302 </p>
303 -
304 <pre caption="Example gcc-config output">
305 -# gcc-config -l
306 - [1] i686-pc-linux-gnu-3.4.4 *
307 - [2] i686-pc-linux-gnu-3.4.4-hardenednopie
308 - [3] i686-pc-linux-gnu-3.4.4-hardenednopiessp
309 - [4] i686-pc-linux-gnu-3.4.4-hardenednossp
310 - [5] i686-pc-linux-gnu-3.4.4-vanilla
311 +# gcc-config -l
312 + [1] x86_64-pc-linux-gnu-4.4.4 *
313 + [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie
314 + [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
315 + [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp
316 + [5] x86_64-pc-linux-gnu-4.4.4-vanilla
317
318 +<comment>To turn off PIE building switch to the hardenednopie profile:</comment>
319 +# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie
320 <comment>To turn off SSP building switch to the hardenednossp profile:</comment>
321 -# gcc-config i686-pc-linux-gnu-3.4.4-hardenednossp
322 +# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp
323 +<comment>To turn off SSP and PIE building switch to the hardenednopiessp profile:</comment>
324 +# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp
325 +<comment>To turn off all hardened building switch to the vanilla profile:</comment>
326 +# gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla
327 </pre>
328
329 +<note>
330 +The previous output will vary according to the gcc version and architecture you
331 +use, also the commands required to disable things will vary depending on the
332 +output of the first command.
333 +</note>
334 +
335 <p>
336 Alternatively you can achieve the same by changing your CFLAGS:
337 </p>
338
339 +<impo>
340 +Disabling flags manually is not recommended by the team and thus an unsupported
341 +option, do this at your own risk.
342 +</impo>
343 +
344 +
345 <p>
346 To turn off default SSP building when using the hardened toolchain, append
347 -<c>-fno-stack-protector-all -fno-stack-protector</c> to your CFLAGS.
348 +<c>-fno-stack-protector</c> to your CFLAGS.
349 </p>
350 +<note>
351 +On gcc 3.4 releases you need to use <c>-fno-stack-protector-all
352 +-fno-stack-protector</c>
353 +</note>
354
355 <p>
356 If you want to turn off default PIE building then append <c>-nopie</c> to your
357 -<c>CFLAGS</c>.
358 +<c>CFLAGS</c> and your <c>LDFLAGS</c> (as LDFLAGS is used with no CFLAGS when
359 +using gcc to link thre object files).
360 </p>
361
362 <impo>
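Review bot: Typo in the PIE paragraph: "when using gcc to link thre object files" should be "the object files". The first added `<note>` reads "Manually enabling the hardening flags it is not recommended at all."; drop the stray "it". The cross-reference `<uri link="#hardenedprofile">How to switch to Gentoo Hardened question` has its closing `</uri>` on the next line, so the link text ends in a line break, and it does not match the target section's title "How do I switch to the hardened profile?"; keep the link text on one line and quote the actual title. The second note ("Sending a -fno... flag will disable the flag, also -fstack-protector-all and -fstack-protector may interfere when passed directly") is too vague for a reader to act on; say which of the two flags takes effect when both are passed, or state which gcc versions the caveat applies to, as the later note about gcc 3.4 does.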
363 @@ -273,25 +197,28 @@
364 behavior which should be the intended result.
365 </impo>
366
367 -<note>
368 -If you are interested in using per-package CFLAGS with Portage currently then
369 -you may be interested in reading about the script solar has developed to deal
370 -with this: <uri>http://article.gmane.org/gmane.linux.gentoo.hardened/1204</uri>
371 -</note>
372 -
373 -</body>
374 -</section>
375 -
376 -<section id="fsexec">
377 -<title>My kernel compilation fails with the error "error: structure has no
378 -member named `curr_ip'", how do I fix that?</title>
379 -<body>
380 +<p>
381 +If you want to turn off default now binding append <c>-z,lazy</c> to your
382 +<c>LDFLAGS</c>.
383 +</p>
384
385 <p>
386 -In order to use PaX on hardened-sources, you must enable grsecurity as well in
387 -your kernel config. This should be fixed in a future kernels.
388 +If you want to turn off default relro binding append <c>-z,norelro</c> to your
389 +<c>LDFLAGS</c>.
390 </p>
391
392 +<note>
393 +Relro is default on binutils so be sure that you want to disable it before doing
394 +so.
395 +</note>
396 +
397 +<note>
398 +If you are interested in using per-package CFLAGS with Portage currently then
399 +you may be interested in reading about <uri
400 +link="http://article.gmane.org/gmane.linux.gentoo.hardened/1204">the script
401 +solar has developed to deal with this</uri>
402 +</note>
403 +
404 </body>
405 </section>
406
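Review bot: The two added paragraphs tell the reader to append `-z,lazy` and `-z,norelro` to LDFLAGS, but the hardenedcflags section above spells the corresponding defaults as `LDFLAGS="-Wl,-z,now -Wl,-z,relro"`, and the PIE paragraph in the previous hunk notes that LDFLAGS is consumed by gcc when it links; use the same `-Wl,-z,lazy` and `-Wl,-z,norelro` form so the options reach the linker as `-z lazy` and `-z norelro` rather than as a single `-z,lazy` token handed to gcc. The answer to the `fsexec` question (the `curr_ip` build error) is removed here with no replacement; if it is obsolete that is fine, but the commit message only says a new FAQ was added, so mention the dropped questions there.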
407 @@ -317,30 +244,27 @@
408
409 <p>
410 Using the gcc optimization flag <c>-O3</c> has been known to be problematic with
411 -stack-smashing protector (SSP) in some situations. This optimization flag is not
412 -officially supported and therefore discouraged by the hardened team. Compile
413 -issues where a user uses <c>CFLAGS="-O3"</c> will be closed as INVALID/CANTFIX
414 -and or ignored.
415 +stack-smashing protector (SSP) and on vanilla builds in some situations. This
416 +optimization flag is not officially supported and is, therefore, discouraged by
417 +the hardened team. Compile issues where a user uses <c>CFLAGS="-O3"</c> may be
418 +closed as INVALID/CANTFIX and/or ignored.
419 </p>
420
421 </body>
422 </section>
423
424 -<section id="cascadebootstrap">
425 -<title>What happened to bootstrap-cascade.sh?</title>
426 +<section id="hardenedprofile">
427 +<title>How do I switch to the hardened profile?</title>
428 <body>
429 -
430 <p>
431 -Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated. In their
432 -place, bootstrap-cascade.sh has been renamed to bootstrap.sh.
433 +To change your profile use eselect to choose it.
434 </p>
435
436 -</body>
437 -</section>
438 -
439 -<section id="hardenedprofile">
440 -<title>How do I switch to the hardened profile?</title>
441 -<body>
442 +<note>
443 +Reading part 1 chapter 6 "Installing the Gentoo BaseSystem" on the
444 +<uri link="/doc/en/handbook/">Gentoo Handbook</uri> is recommended for better
445 +instructions on how to change your profile.
446 +</note>
447
448 <pre caption="Set make.profile">
449 # <i>eselect profile list</i>
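Review bot: The one-line answer "To change your profile use eselect to choose it." is circular; "Use eselect to change your profile, as shown below:" says the same thing and leads into the `<pre>` that follows. In the `<note>`, "Installing the Gentoo BaseSystem" should be "Installing the Gentoo Base System", and "for better instructions" reads better as "for more detailed instructions".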
450 @@ -351,8 +275,8 @@
451 [5] default/linux/amd64/10.0/developer
452 [6] default/linux/amd64/10.0/no-multilib
453 [7] default/linux/amd64/10.0/server
454 -[8] hardened/linux/amd64/10.0
455 -[9] hardened/linux/amd64/10.0/no-multilib
456 +[8] hardened/linux/amd64
457 +[9] hardened/linux/amd64/no-multilib
458 [10] selinux/2007.0/amd64
459 [11] selinux/2007.0/amd64/hardened
460 [12] selinux/v2refpolicy/amd64
461 @@ -363,66 +287,124 @@
462 # <i>eselect profile set 8</i> <comment>(replace 8 with the desired hardened profile)</comment>
463 </pre>
464
465 +<note>
466 +The previous output will vary according to the architecture you use, also the
467 +commands required to choose the profile will vary depending on the output of the
468 +first command.
469 +</note>
470 +
471 <p>
472 -After setting up your profile, you should recompile your system using a
473 -hardened toolchain so that you have a consistent base:
474 +After setting up your profile, you should recompile your system using a hardened
475 +toolchain so that you have a consistent base:
476 </p>
477
478 <pre caption="Switch to hardened toolchain">
479 # <i>emerge --oneshot binutils gcc virtual/libc</i>
480 -# <i>emerge -e world</i>
481 +# <i>emerge -e --keep-going system</i>
482 +# <i>emerge -e --keep-going world</i>
483 </pre>
484
485 +<p>
486 +The <c>--keep-going</c> option is added to ensure emerge won't stop in case any
487 +package fails to build.
488 +</p>
489 +
490 </body>
491 </section>
492
493 <section id="hardeneddebug">
494 <title>How do I debug with gdb?</title>
495 <body>
496 +
497 <p>
498 -First gotcha is that GDB can't resolve symbols in PIEs; it doesn't realise that
499 -the addresses are relative in PIEs not absolute. This shows up when you try to
500 -get a backtrace for example, and see a stream of lines with '??' where the
501 -symbol should be.
502 +We have written a <uri link="/proj/en/hardened/hardened-debugging.xml">document
503 +on how to debug with Gentoo Hardened</uri>, so following the recommendations
504 +there should fix your problem.
505 </p>
506 +
507 +</body>
508 +</section>
509 +
510 +<section id="jitflag">
511 +<title>Why is the jit flag disabled in the hardened profile?</title>
512 +<body>
513 +
514 <p>
515 -To get around this, do the final link stage with <c>-nopie</c> - all the
516 -preceding object compilations can still be with <c>-fPIE</c> as normal (i.e. the
517 -default with the hardened compiler) so that your executable is as close as
518 -possible to the real thing, but the final link must create a regular executable.
519 -Try adding <c>-nopie</c> to LDFLAGS if you're building with emerge.
520 +JIT means Just In Time Compilation and consist on taking some code meant to be
521 +interpreted (like Java bytecode or JavaScript code) compile it into native
522 +binary code in memory and then executing the compiled code. This means that the
523 +program need a section of memory which has write and execution permissions to
524 +write and then execute the code which is denied by PaX, unless the mprotect flag
525 +is unset for the executable. As a result, we disabled the JIT use flag by
526 +default to avoid complaints and security problems.
527 </p>
528 +
529 <p>
530 -Another way of accomplishing this, it to emerge >=sys-devel/gdb-7.1, which contains
531 -a special patch that makes it able to debug executeables linked with -pie.
532 +You should bear in mind that having a section which is written and then executed
533 +can be a serious security problem as the attacker needs to be able to exploit a
534 +bug between the write and execute stages to write in that section in order to
535 +execute any code it wants to.
536 </p>
537 +</body>
538 +</section>
539 +
540 +<section id="enablejit">
541 +<title>How do I enable the jit flag?</title>
542 +<body>
543 +
544 <p>
545 -The second gotcha is that PaX may prevent GDB from setting breakpoints,
546 -depending on how the kernel is configured. This includes the breakpoint at main
547 -which you need to get started. To stop PaX doing this, the executable being
548 -debugged needs the <c>m</c> and <c>x</c> flags. The <c>x</c> flag is set by
549 -default, so it is enough to do:
550 +If you need it, we recommend enabling the flag in a per package basis using
551 +<c>/etc/portage/package.use</c>
552 </p>
553 -<pre caption="Relax PaX for debug">
554 -# <i>/sbin/paxctl -m foo</i>
555 +
556 +<pre caption="Example /etc/portage/package.use enabling JIT in some libraries">
557 +x11-libs/qt-core jit
558 +x11-libs/qt-script jit
559 +x11-libs/qt-webkit jit
560 </pre>
561 +
562 <p>
563 -At this point, you should be good to go! Fire up gdb in the usual way. Good
564 -luck!
565 +Anyway, you can enable the use flag globally using <c>/etc/make.conf</c>
566 </p>
567 +
568 +<pre caption="Example /etc/make.conf with JIT enabled">
569 +CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native"
570 +CXXFLAGS="${CFLAGS}"
571 +# WARNING: Changing your CHOST is not something that should be done lightly.
572 +# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing.
573 +CHOST="x86_64-pc-linux-gnu"
574 +# These are the USE flags that were used in addition to what is provided by the
575 +# profile used for building.
576 +<comment>#If you have more uses adding jit to the end should suffice</comment>
577 +USE="jit"
578 +
579 +MAKEOPTS="-j2"
580 +
581 +GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"
582 +
583 +SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
584 +</pre>
585 +
586 +<impo>
587 +Remember that if you enable JIT code on PaX you may need to disable mprotect on
588 +the binaries using such code, either by them selves or through libraries. Check
589 +the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this
590 +</uri>
591 +</impo>
592 +
593 </body>
594 </section>
595 -
596 +
597 </chapter>
598
599 <chapter>
600 <title>PaX Questions</title>
601 <section id="paxinformation">
602 -<title>What is the homepage for PaX?</title>
603 +<title>Where is the homepage for PaX?</title>
604 <body>
605
606 <p>
607 -The homepage for PaX is located at <uri>http://pax.grsecurity.net</uri>.
608 +That is <uri link="http://pax.grsecurity.net">the homepage for PaX</uri>.
609 </p>
610
611 </body>
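Review bot: The `<pre caption="Example /etc/make.conf with JIT enabled">` block carries one contributor's site settings, `GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/"` and `SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"`, plus CFLAGS, CHOST and MAKEOPTS that have nothing to do with the question; readers copy FAQ examples verbatim, so trim the example to the `USE="jit"` line and the comment above it. Grammar in the jitflag answer: "JIT means Just In Time Compilation and consist on taking some code" should read "consists of taking some code", "the program need a section of memory" should read "needs", and "execute any code it wants to" should read "any code they want". The closing `<impo>` puts "to see how to do this" and a line break inside the `<uri>` link text; keep only the question title inside the link and move the rest of the sentence outside it.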
612 @@ -433,14 +415,45 @@
613 <body>
614
615 <p>
616 -Currently the only Gentoo documentation that exists about PaX is a PaX
617 -quickstart guide located at the
618 -<uri>http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml</uri> website.
619 +Currently the only Gentoo documentation that exists about PaX is a <uri
620 +link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml"> PaX quickstart
621 +guide</uri>.
622 </p>
623
624 </body>
625 </section>
626
627 +<section id="paxmarkings">
628 +<title>How do PaX markings work?</title>
629 +<body>
630 +
631 +<p>
632 +PaX markings are a way to tell PaX which features should enable (or disable) for
633 +a certain binary.
634 +</p>
635 +
636 +<p>
637 +Features can either be enabled, disabled or not set. Enabling or disabling them
638 +will supersede the kernel action, so a binary with a feature enabled will
639 +always use the feature and one with a feature disabled won't ever used it.
640 +</p>
641 +
642 +<p>
643 +When the feature status is not set the kernel will choose whether to enable or
644 +disable it. By default, the hardened kernel will enable those features with only
645 +two exceptions, the feature is not supported by the architecture/kernel or PaX
646 +is running in Soft Mode. In those two cases, it will be disabled.
647 +</p>
648 +
649 +<note>
650 +In order to have Soft Mode, your kernel should have that feature enabled and
651 +you should enable it either passing <c>pax_softmode=1</c> in the kernel cmdline
652 +or setting to 1 the option in <c>/proc/sys/kernel/pax/softmode</c>.
653 +</note>
654 +
655 +</body>
656 +</section>
657 +
658 <section id="paxnoelf">
659 <title>I keep getting the message: "error while loading shared libraries: cannot
660 make segment writable for relocation: Permission denied." What does this
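Review bot: Grammar in the new paxmarkings section: "which features should enable (or disable)" is missing its subject and should read "which features it should enable (or disable)", and "won't ever used it" should be "won't ever use it". The Soft Mode `<note>` here and the `paxbootparams` answer added later in this patch both document `pax_softmode=1`; since this note is the only place the `/proc/sys/kernel/pax/softmode` sysctl is mentioned, either keep both pieces of information in one of the two sections and link to it from the other, or at least make sure the two descriptions agree on what softmode disables.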
661 @@ -448,13 +461,29 @@
662 <body>
663
664 <p>
665 -This error occurs when you enable CONFIG_PAX_NOELFRELOCS as such:
666 +Text relocations are a way in which references in the executable code to
667 +addresses not known at link time are solved. Basically they just write the
668 +appropriate address at runtime marking the code segment writable in order to
669 +change the address then unmarking it. This can be a problem as an attacker could
670 +try to exploit a bug when the text relocation happens in order to be able to
671 +write arbitrary code in the text segment which would be executed. As this also
672 +means that code will be loaded on fixed addresses (not be position independent)
673 +this can also be exploited to pass over the randomization features provided by
674 +PaX.</p>
675 +
676 +<p>
677 +As this can be triggered for example by adding a library with text
678 +relocations to the ones loaded by the executable, PaX offers the option
679 +CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled like this:
680 </p>
681
682 <pre caption="Menuconfig Options">
683 -Non-executable page ->
684 -
685 - [*] Disallow ELF text relocations
686 +-&gt; Security options
687 + -&gt; PaX
688 + -&gt; Enable various PaX features
689 + -&gt; Non-executable pages
690 + [*] Restrict mprotect()
691 + [*] Allow ELF text relocations
692 </pre>
693
694 <p>
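Review bot: The menuconfig listing contradicts the paragraph above it: the text says CONFIG_PAX_NOELFRELOCS is enabled "like this" in order to avoid text relocations, but the listing shows `[*] Allow ELF text relocations` ticked, which is the opposite setting (the replaced listing read `[*] Disallow ELF text relocations`). Either show the option unchecked, `[ ] Allow ELF text relocations`, and say that the "cannot make segment writable for relocation" error appears when it is left off, or restore the "Disallow" wording that matches the config symbol named in the prose; as written, a reader following the listing ends up permitting text relocations. Minor wording: "are solved" in the first paragraph should be "are resolved", and "pass over the randomization features" should be "bypass the randomization features".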
695 @@ -490,87 +519,87 @@
696 </body>
697 </section>
698
699 -<section id="paxjava">
700 -<title>Ever since I started using PaX I can't get Java working, why?</title>
701 +<section id="paxjavajit">
702 +<title>Ever since I started using PaX I can't get Java/JIT code working,
703 +why?</title>
704 <body>
705
706 <p>
707 As part of its design, the Java virtual machine creates a considerable amount of
708 -code at runtime which does not make PaX happy. There are two ways to correct
709 -this problem:
710 +code at runtime which does not make PaX happy. Although, with current versions
711 +of portage and java, portage will mark the binaries automatically, you still
712 +need to enable PaX marking so PaX can do an exception with them and have paxctl
713 +installed so the markings can be applied to the binaries (an reemerge them so
714 +they are applied).
715 </p>
716
717 -<pre caption="Install Chpax">
718 -# <i>emerge chpax</i>
719 -# <i>/etc/init.d/chpax start</i>
720 +<p>
721 +This of course can't be applied to all packages linking with libraries with JIT
722 +code, so if it doesn't, there are two ways to correct this problem:
723 +</p>
724 +
725 +<pre caption="Enable the marking on your kernel">
726 +-&gt; Security options
727 + -&gt; PaX
728 + -&gt; Enable various PaX features
729 + -&gt; PaX Control
730 + [*] Use ELF program header marking
731 +</pre>
732 +
733 +<pre caption="Install paxctl">
734 +# <i>emerge paxctl</i>
735 </pre>
736
737 <p>
738 -Or if you already have <c>chpax</c> emerged then you can do:
739 +When you already have <c>paxctl</c> emerged you can do:
740 </p>
741
742 -<pre caption="Java Chpax Options">
743 -# <i>chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*</i>
744 +<pre caption="Disable PaX for the binary">
745 +# <i>paxctl -pemrxs /path/to/binary</i>
746 </pre>
747
748 <p>
749 -Both of these options will slightly modify the ELF eheader in order to correctly
750 +This option will slightly modify the ELF header in order to correctly
751 set the PAX flags on the binaries.
752 </p>
753
754 <note>
755 If you are running PaX in conjunction with an additional security implementation
756 -such as RSBAC, grsecurity, or SELinux you should manage PaX using the kernel
757 +such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel
758 hooks provided for each implementation.
759 </note>
760
761 <p>
762 -On RSBAC, you can label all Java files with the following command.
763 +The other way is using your security implementation to do this using the kernel
764 +hooks.
765 </p>
766
767 -<pre caption="Java PaX options with RSBAC">
768 -# <i>for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir FILE $i pax_flags pmerxs;done</i>
769 -</pre>
770 -
771 </body>
772 </section>
773 -</chapter>
774
775 -<chapter>
776 -<title>grsecurity Questions</title>
777 -<section id="grsecinformation">
778 -<title>What is the homepage for grsecurity?</title>
779 +<section id="paxbootparams">
780 +<title>Can I disable PaX features at boot?</title>
781 <body>
782
783 <p>
784 -The homepage for grsecurity is located at <uri>http://www.grsecurity.net</uri>.
785 +Although this is not advised except when used to rescue the system or for
786 +debugging purposes, it is possible to change a few of PaX behaviours on boot via
787 +the kernel command line.
788 </p>
789
790 -</body>
791 -</section>
792 -
793 -<section id="grsecgentoodoc">
794 -<title>What Gentoo documentation exists about grsecurity?</title>
795 -<body>
796 -
797 <p>
798 -The most current documentation for grsecurity is a Grsecurity2 quickstart guide
799 -located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>.
800 +Passing <c>pax_nouderef</c> in the kernel cmdline will disable uderef which can
801 +cause problems on certain virtualization environments and cause some bugs (at
802 +times) at the expense leaving the kernel unprotected against unwanted userspace
803 +dereferences.
804 </p>
805
806 -</body>
807 -</section>
808 -
809 -<section id="grsec2681">
810 -<title>Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 kernel?</title>
811 -<body>
812 -
813 <p>
814 -Due to significant changes in the 2.6.8 kernel that broke PaX, neither a PaX nor
815 -a grsecurity patch are available for kernels 2.6.8, 2.6.8.1, or 2.6.9. Although
816 -an experimental patch is available for 2.6.10, the official stance of the PaX
817 -Team regarding 2.6 kernels should be noted and taken into consideration before
818 -use: <uri> http://forums.grsecurity.net./viewtopic.php?t=968</uri>.
819 +Passing <c>pax_softmode=1</c> in the kernel cmdline will enable the softmode
820 +which can be useful when booting a not prepared system with a PaX kernel. In
821 +soft mode PaX will disable most features by default unless told otherwise via
822 +the markings. In a similar way, <c>pax_softmode=0</c> will disable the softmode
823 +if it was enabled in the config.
824 </p>
825
826 </body>
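Review bot: `paxctl -pemrxs /path/to/binary`, captioned "Disable PaX for the binary", clears every PaX flag on the binary (PAGEEXEC, EMUTRAMP, MPROTECT, RANDMMAP, RANDEXEC and SEGMEXEC), while the jitflag answer earlier in this patch states that JIT code only needs the mprotect flag unset; recommend the narrower `paxctl -m /path/to/binary` for the JIT case and reserve `-pemrxs` for a binary that genuinely needs all restrictions lifted, because the broader command also removes the non-executable-page and randomization protections. Grammar: "Although, with current versions of portage and java, portage will mark the binaries automatically, you still need" reads better without the leading "Although,", and "(an reemerge them so they are applied)" should be "(and re-emerge them so the markings are applied)". In paxbootparams, "at the expense leaving the kernel unprotected" should be "at the expense of leaving the kernel unprotected".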
827 @@ -578,49 +607,43 @@
828 </chapter>
829
830 <chapter>
831 -<title>RSBAC Questions</title>
832 -<section id="rsbacinformation">
833 -<title>What is the homepage for RSBAC?</title>
834 +<title>Grsecurity Questions</title>
835 +<section id="grsecinformation">
836 +<title>Where is the homepage for Grsecurity?</title>
837 <body>
838
839 <p>
840 -The homepage for RSBAC is located at <uri>http://www.rsbac.org</uri>.
841 +That is the <uri link="http://www.grsecurity.net">homepage for Grsecurity</uri>.
842 </p>
843
844 </body>
845 </section>
846
847 -<section id="rsbacgentoodoc">
848 -<title>What Gentoo documentation exists about RSBAC?</title>
849 +<section id="grsecgentoodoc">
850 +<title>What Gentoo documentation exists about Grsecurity?</title>
851 <body>
852
853 <p>
854 -All Gentoo RSBAC documentation is located at the RSBAC subproject page found at:
855 -<uri>http://www.gentoo.org/proj/en/hardened/rsbac/index.xml</uri>
856 -</p>
857 -
858 -<p>
859 -Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook,
860 -found at: <uri>http://www.rsbac.org/documentation/rsbac_handbook</uri>
861 +The most current documentation for Grsecurity is a <uri
862 +link="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Grsecurity2
863 +quickstart guide</uri>.
864 </p>
865
866 </body>
867 </section>
868
869 -<section id="rsbacinitrd">
870 -<title>How do I use an initial ramdisk with a RSBAC enabled kernel?</title>
871 +<section id="grsecnew">
872 +<title>Can I use Grsecurity with a recent kernel not on the portage tree
873 +</title>
874 <body>
875
876 <p>
877 -To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option
878 -must be enabled or else RSBAC will treat the initrd as the root device:
879 +Usually we release a new version of hardened sources not long after a new
880 +PaX/Grsecurity patch is released, so the best option is just waiting a bit for
881 +the kernel team to adapt the patches and then test them. Remind that we won't
882 +support kernel sources not coming from the portage tree.
883 </p>
884
885 -<pre caption="Menuconfig Options">
886 -General RSBAC options --->
887 - [*] Delayed init for initial ramdisk
888 -</pre>
889 -
890 </body>
891 </section>
892 </chapter>
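Review bot: The new section title "Can I use Grsecurity with a recent kernel not on the portage tree" is missing its question mark and has its closing `</title>` on the following line, unlike every other title in the file; and "Remind that we won't support kernel sources" should be "Keep in mind that we won't support kernel sources". This hunk removes the whole RSBAC chapter, including the `rsbacinformation`, `rsbacgentoodoc` and `rsbacinitrd` anchors; the earlier hunks already drop RSBAC from the aclall and paxjavajit answers, so please also check the other hardened project pages that link into this FAQ for stale `#rsbac...` references before committing.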
893 @@ -632,8 +655,9 @@
894 <body>
895
896 <p>
897 -A SELinux specific FAQ can be found at <uri>
898 -http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;chap=3</uri>.
899 +There is a <uri
900 +link="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&amp;chap=3">
901 +SELinux specific FAQ</uri>.
902 </p>
903
904 </body>