zorry 11/01/25 23:07:38

Modified: hardenedfaq.xml
Log:
added the new hardenedfaq.xml for hardened proj

Revision Changes Path
1.25 xml/htdocs/proj/en/hardened/hardenedfaq.xml

file : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&view=markup
plain: http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?rev=1.25&content-type=text/plain
diff : http://sources.gentoo.org/viewvc.cgi/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml?r1=1.24&r2=1.25

Index: hardenedfaq.xml
===================================================================
RCS file: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v
retrieving revision 1.24
retrieving revision 1.25
diff -u -r1.24 -r1.25
--- hardenedfaq.xml 17 Aug 2010 22:35:05 -0000 1.24
+++ hardenedfaq.xml 25 Jan 2011 23:07:38 -0000 1.25
@@ -1,5 +1,6 @@ |
23 |
<?xml version="1.0" encoding="UTF-8"?> |
24 |
<!DOCTYPE guide SYSTEM "/dtd/guide.dtd"> |
25 |
+<!-- $Header: /var/cvsroot/gentoo/xml/htdocs/proj/en/hardened/hardenedfaq.xml,v 1.25 2011/01/25 23:07:38 zorry Exp $ --> |
26 |
|
27 |
<guide link="/proj/en/hardened/hardenedfaq.xml" lang="en"> |
28 |
<title>Gentoo Hardened Frequently Asked Questions</title> |
29 |
@@ -15,148 +16,42 @@ |
30 |
<author title="Contributor"> |
31 |
<mail link="pageexec@××××××××.hu">The PaX Team</mail> |
32 |
</author> |
33 |
+<author title="Contributor"> |
34 |
+ <mail link="klondike@×××××××××.es">klondike</mail> |
35 |
+</author> |
36 |
+<author title="Contributor"> |
37 |
+ <mail link="zorry@g.o">Magnus Granberg</mail> |
38 |
+</author> |
39 |
+<author title="Contributor"> |
40 |
+ <mail link="blueness@g.o">Anthony G. Basile</mail> |
41 |
+</author> |
42 |
|
43 |
<abstract> |
44 |
Frequently Asked Questions that arise on the #gentoo-hardened IRC channel and |
45 |
the gentoo-hardened mailing list. |
46 |
</abstract> |
47 |
|
48 |
-<version>1.9</version> |
49 |
-<date>2006-02-18</date> |
50 |
+<version>3.2</version> |
51 |
+<date>2011-1-19</date> |
52 |
|
53 |
-<chapter> |
54 |
+<faqindex> |
55 |
<title>Questions</title> |
56 |
<section> |
57 |
-<title>General</title> |
58 |
-<body> |
59 |
- |
60 |
-<ul> |
61 |
- <li> |
62 |
- <uri link="#toolchain">What exactly is the "toolchain"?</uri> |
63 |
- </li> |
64 |
- <li> |
65 |
- <uri link="#whichisbetter">What should I use: grsecurity, RSBAC or |
66 |
- SELinux?</uri> |
67 |
- </li> |
68 |
- <li> |
69 |
- <uri link="#aclall">Is it possible to use grsecurity, RSBAC, SELinux and |
70 |
- PaX all at the same time?</uri> |
71 |
- </li> |
72 |
- <li> |
73 |
- <uri link="#hardenedcflags">Do I need to pass any flags to LDFLAGS/CFLAGS in |
74 |
- order to turn on PIE/SSP building?</uri> |
75 |
- </li> |
76 |
- <li> |
77 |
- <uri link="#hardenedcflagsoff">How do I turn off PIE/SSP building?</uri> |
78 |
- </li> |
79 |
- <li> |
80 |
- <uri link="#fsexec">My kernel compilation fails with the error "error: |
81 |
- structure has no member named `curr_ip'", how do I fix that?</uri> |
82 |
- </li> |
83 |
- <li> |
84 |
- <uri link="#hardenedproject">I just found out about the hardened project; do |
85 |
- I have to install everything on the project page in order to install |
86 |
- Hardened Gentoo?</uri> |
87 |
- </li> |
88 |
- <li> |
89 |
- <uri link="#Othreessp">Why don't my programs work when I use CFLAGS="-O3" |
90 |
- and hardened gcc?</uri> |
91 |
- </li> |
92 |
- <li> |
93 |
- <uri link="#cascadebootstrap">What happened to bootstrap-cascade.sh?</uri> |
94 |
- </li> |
95 |
- <li> |
96 |
- <uri link="#hardenedprofile">How do I switch to the hardened profile?</uri> |
97 |
- </li> |
98 |
- <li> |
99 |
- <uri link="#hardeneddebug">How do I debug with gdb?</uri> |
100 |
- </li> |
101 |
-</ul> |
102 |
- |
103 |
-</body> |
104 |
-</section> |
105 |
- |
106 |
-<section> |
107 |
-<title>PaX</title> |
108 |
-<body> |
109 |
- |
110 |
-<ul> |
111 |
- <li> |
112 |
- <uri link="#paxinformation">What is the homepage for PaX?</uri> |
113 |
- </li> |
114 |
- <li> |
115 |
- <uri link="#paxgentoodoc">What Gentoo documentation exists about PaX?</uri> |
116 |
- </li> |
117 |
- <li> |
118 |
- <uri link="#paxnoelf">I keep getting the message: "error while loading |
119 |
- shared libraries: cannot make segment writable for relocation: Permission |
120 |
- denied." What does this mean? </uri> |
121 |
- </li> |
122 |
- <li> |
123 |
- <uri link="#paxjava">Ever since I started using PaX I can't get Java |
124 |
- working, why?</uri> |
125 |
- </li> |
126 |
-</ul> |
127 |
- |
128 |
-</body> |
129 |
-</section> |
130 |
- |
131 |
-<section> |
132 |
-<title>grsecurity</title> |
133 |
+<title>Introduction</title> |
134 |
<body> |
135 |
|
136 |
-<ul> |
137 |
- <li> |
138 |
- <uri link="#grsecinformation">What is the homepage for grsecurity?</uri> |
139 |
- </li> |
140 |
- <li> |
141 |
- <uri link="#grsecgentoodoc">What Gentoo documentation exists about |
142 |
- grsecurity?</uri> |
143 |
- </li> |
144 |
- <li> |
145 |
- <uri link="#grsec2681">Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 |
146 |
- kernel?</uri> |
147 |
- </li> |
148 |
-</ul> |
149 |
- |
150 |
-</body> |
151 |
-</section> |
152 |
- |
153 |
-<section> |
154 |
-<title>RSBAC</title> |
155 |
-<body> |
156 |
- |
157 |
-<ul> |
158 |
- <li> |
159 |
- <uri link="#rsbacinformation">What is the homepage for RSBAC?</uri> |
160 |
- </li> |
161 |
- <li> |
162 |
- <uri link="#rsbacgentoodoc">What Gentoo documentation exists about |
163 |
- RSBAC?</uri> |
164 |
- </li> |
165 |
- <li> |
166 |
- <uri link="#rsbacinitrd">How do I use an initial ramdisk with a RSBAC |
167 |
- enabled kernel?</uri> |
168 |
- </li> |
169 |
-</ul> |
170 |
- |
171 |
-</body> |
172 |
-</section> |
173 |
- |
174 |
-<section> |
175 |
-<title>SELinux</title> |
176 |
-<body> |
177 |
- |
178 |
-<ul> |
179 |
- <li> |
180 |
- <uri link="#selinuxfaq">Where can I find SELinux related frequently asked |
181 |
- questions?</uri> |
182 |
- </li> |
183 |
-</ul> |
184 |
+<p> |
185 |
+The following is a collection of questions collected from #gentoo-hardened IRC |
186 |
+channel and the gentoo-hardened mailing list. As such, is geared towards |
187 |
+answering fast and concisely rather than providing a whole insight on the |
188 |
+technologies behind Gentoo Hardened. It is advisable reading the rest of the |
189 |
+documentation on the Gentoo Hardened Project page and that on the projects' |
190 |
+home pages in order to get a better insight. |
191 |
+</p> |
192 |
|
193 |
</body> |
194 |
</section> |
195 |
-</chapter> |
196 |
+</faqindex> |
197 |
|
198 |
<chapter> |
199 |
<title>General Questions</title> |
200 |
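Review bot: the new `+<date>2011-1-19</date>` drops the zero padding the old `2006-02-18` value had; write `2011-01-19` so the date keeps the YYYY-MM-DD form used elsewhere. In the new Introduction paragraph, "As such, is geared towards answering fast and concisely rather than providing a whole insight on the technologies" is missing its subject and "It is advisable reading the rest of the documentation" is ungrammatical; suggest "As such, it aims to answer quickly and concisely rather than to give a complete picture of the technologies behind Gentoo Hardened. Reading the rest of the documentation on the Gentoo Hardened project page and on the upstream projects' home pages is advisable for a fuller understanding."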
@@ -175,96 +70,125 @@ |
201 |
</section> |
202 |
|
203 |
<section id="whichisbetter"> |
204 |
-<title>What should I use: grsecurity, RSBAC or SELinux?</title> |
205 |
+<title>What should I use: Grsecurity's RBAC or SELinux?</title> |
206 |
<body> |
207 |
|
208 |
<p> |
209 |
-The answer to this question is highly subjective, so the hardened Gentoo project |
210 |
-simply tries to lay out each technology and leave the choice up to the user. |
211 |
-This decision requires a lot of research that we have hopefully provided clearly |
212 |
-in the hardened documentation. However, if you have any specific questions |
213 |
-about the security model that each provides, feel free to question the relevant |
214 |
-developer in our IRC channel or on the mailing list. |
215 |
+The answer to this question is highly subjective, and very dependent on your |
216 |
+requisites so the hardened Gentoo project simply tries to lay out each |
217 |
+technology and leave the choice up to the user. This decision requires a lot of |
218 |
+research that we have hopefully provided clearly in the hardened documentation. |
219 |
+However, if you have any specific questions about the security model that each |
220 |
+provides, feel free to question the relevant developer in our IRC channel or on |
221 |
+the mailing list. |
222 |
</p> |
223 |
|
224 |
</body> |
225 |
</section> |
226 |
|
227 |
<section id="aclall"> |
228 |
-<title>Is it possible to use grsecurity, RSBAC, SELinux and PaX all at the same |
229 |
+<title>Is it possible to use Grsecurity, SELinux and PaX all at the same |
230 |
time?</title> |
231 |
<body> |
232 |
|
233 |
<p> |
234 |
-Yes, this combination is quite possible as PaX works with grsecurity, RSBAC |
235 |
-and SELinux. The only conflict that arises is you can only use one access |
236 |
-control system. |
237 |
+Yes, this combination is quite possible as PaX and some of Grsecurity's features |
238 |
+work with Grsecurity's RBAC and SELinux. The only conflict that arises is you |
239 |
+can only use one access control system (be it RBAC or SELinux). |
240 |
</p> |
241 |
|
242 |
</body> |
243 |
</section> |
244 |
|
245 |
<section id="hardenedcflags"> |
246 |
-<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on PIE/SSP |
247 |
-building?</title> |
248 |
+<title>Do I need to pass any flags to LDFLAGS/CFLAGS in order to turn on |
249 |
+hardened building?</title> |
250 |
<body> |
251 |
|
252 |
<p> |
253 |
No, the current toolchain implements the equivalent of <c>CFLAGS="-fPIE |
254 |
--fstack-protector-all" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> automatically |
255 |
-through GCC's specfile which is a more proper solution. For older hardened-gcc |
256 |
-users, add <c>USE="hardened pic"</c> to your <path>/etc/make.conf</path> and |
257 |
-then upgrade with the following commands: |
258 |
+-fstack-protector-all -D_FORTIFY_SOURCE=2" LDFLAGS="-Wl,-z,now -Wl,-z,relro"</c> |
259 |
+automatically through GCC's built-in spec and using the specfiles to disable |
260 |
+them which is a more proper solution. For older hardened-gcc users the best |
261 |
+approach is switch to the hardened profile and then upgrade following the steps |
262 |
+on the <uri link="#hardenedprofile">How to switch to Gentoo Hardened question |
263 |
+</uri> |
264 |
</p> |
265 |
|
266 |
-<pre caption="Hardened Toolchain Installation"> |
267 |
-# <i>emerge --oneshot binutils gcc virtual/libc</i> |
268 |
-# <i>emerge -e world</i> |
269 |
-</pre> |
270 |
+<note> |
271 |
+Manually enabling the hardening flags it is not recommended at all. |
272 |
+</note> |
273 |
+ |
274 |
+<note> |
275 |
+Sending a -fno... flag will disable the flag, also -fstack-protector-all and |
276 |
+-fstack-protector may interfere when passed directly. |
277 |
+</note> |
278 |
|
279 |
<note> |
280 |
-Gentoo patches its GCCs to allow specfiles to be passed |
281 |
-through an environment variable. Currently several sets of specfiles are |
282 |
-installed on Gentoo systems that allow users on supported architectures |
283 |
-to easily switch the functionality off and on of the toolchain. |
284 |
-To access the specs as the end user you can use the gcc-config utility. |
285 |
+Gentoo patches its GCCs to allow specfiles to be passed through an environment |
286 |
+variable. Currently several sets of specfiles are installed on Gentoo systems |
287 |
+that allow users on supported architectures to easily switch the functionality |
288 |
+off and on of the toolchain. To access the specs as the end user you can use the |
289 |
+<c>gcc-config</c> utility. |
290 |
</note> |
291 |
|
292 |
</body> |
293 |
</section> |
294 |
|
295 |
<section id="hardenedcflagsoff"> |
296 |
-<title>How do I turn off PIE/SSP building?</title> |
297 |
+<title>How do I turn off hardened building?</title> |
298 |
<body> |
299 |
|
300 |
<p> |
301 |
You can use <c>gcc-config</c> to accomplish this: |
302 |
</p> |
303 |
- |
304 |
<pre caption="Example gcc-config output"> |
305 |
-# gcc-config -l |
306 |
- [1] i686-pc-linux-gnu-3.4.4 * |
307 |
- [2] i686-pc-linux-gnu-3.4.4-hardenednopie |
308 |
- [3] i686-pc-linux-gnu-3.4.4-hardenednopiessp |
309 |
- [4] i686-pc-linux-gnu-3.4.4-hardenednossp |
310 |
- [5] i686-pc-linux-gnu-3.4.4-vanilla |
311 |
+# gcc-config -l |
312 |
+ [1] x86_64-pc-linux-gnu-4.4.4 * |
313 |
+ [2] x86_64-pc-linux-gnu-4.4.4-hardenednopie |
314 |
+ [3] x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
315 |
+ [4] x86_64-pc-linux-gnu-4.4.4-hardenednossp |
316 |
+ [5] x86_64-pc-linux-gnu-4.4.4-vanilla |
317 |
|
318 |
+<comment>To turn off PIE building switch to the hardenednopie profile:</comment> |
319 |
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopie |
320 |
<comment>To turn off SSP building switch to the hardenednossp profile:</comment> |
321 |
-# gcc-config i686-pc-linux-gnu-3.4.4-hardenednossp |
322 |
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednossp |
323 |
+<comment>To turn off SSP and PIE building switch to the hardenednopiessp profile:</comment> |
324 |
+# gcc-config x86_64-pc-linux-gnu-4.4.4-hardenednopiessp |
325 |
+<comment>To turn off all hardened building switch to the vanilla profile:</comment> |
326 |
+# gcc-config x86_64-pc-linux-gnu-4.4.4-vanilla |
327 |
</pre> |
328 |
|
329 |
+<note> |
330 |
+The previous output will vary according to the gcc version and architecture you |
331 |
+use, also the commands required to disable things will vary depending on the |
332 |
+output of the first command. |
333 |
+</note> |
334 |
+ |
335 |
<p> |
336 |
Alternatively you can achieve the same by changing your CFLAGS: |
337 |
</p> |
338 |
|
339 |
+<impo> |
340 |
+Disabling flags manually is not recommended by the team and thus an unsupported |
341 |
+option, do this at your own risk. |
342 |
+</impo> |
343 |
+ |
344 |
+ |
345 |
<p> |
346 |
To turn off default SSP building when using the hardened toolchain, append |
347 |
-<c>-fno-stack-protector-all -fno-stack-protector</c> to your CFLAGS. |
348 |
+<c>-fno-stack-protector</c> to your CFLAGS. |
349 |
</p> |
350 |
+<note> |
351 |
+On gcc 3.4 releases you need to use <c>-fno-stack-protector-all |
352 |
+-fno-stack-protector</c> |
353 |
+</note> |
354 |
|
355 |
<p> |
356 |
If you want to turn off default PIE building then append <c>-nopie</c> to your |
357 |
-<c>CFLAGS</c>. |
358 |
+<c>CFLAGS</c> and your <c>LDFLAGS</c> (as LDFLAGS is used with no CFLAGS when |
359 |
+using gcc to link thre object files). |
360 |
</p> |
361 |
|
362 |
<impo> |
363 |
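Review bot: the new note "Sending a -fno... flag will disable the flag, also -fstack-protector-all and -fstack-protector may interfere when passed directly" is too vague to act on and sits oddly beside the later paragraph that tells the reader to append `-fno-stack-protector` to CFLAGS; say which flag disables which default (`-fno-stack-protector` for SSP, `-nopie` for PIE) and what "interfere" means, or drop the note and rely on the hardenedcflagsoff section. Also in this hunk: "Manually enabling the hardening flags it is not recommended at all" has a stray "it"; the cross-reference ends without a period and calls its target the "How to switch to Gentoo Hardened question" although that section is titled "How do I switch to the hardened profile?"; and "link thre object files" should read "link the object files".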
@@ -273,25 +197,28 @@ |
364 |
behavior which should be the intended result. |
365 |
</impo> |
366 |
|
367 |
-<note> |
368 |
-If you are interested in using per-package CFLAGS with Portage currently then |
369 |
-you may be interested in reading about the script solar has developed to deal |
370 |
-with this: <uri>http://article.gmane.org/gmane.linux.gentoo.hardened/1204</uri> |
371 |
-</note> |
372 |
- |
373 |
-</body> |
374 |
-</section> |
375 |
- |
376 |
-<section id="fsexec"> |
377 |
-<title>My kernel compilation fails with the error "error: structure has no |
378 |
-member named `curr_ip'", how do I fix that?</title> |
379 |
-<body> |
380 |
+<p> |
381 |
+If you want to turn off default now binding append <c>-z,lazy</c> to your |
382 |
+<c>LDFLAGS</c>. |
383 |
+</p> |
384 |
|
385 |
<p> |
386 |
-In order to use PaX on hardened-sources, you must enable grsecurity as well in |
387 |
-your kernel config. This should be fixed in a future kernels. |
388 |
+If you want to turn off default relro binding append <c>-z,norelro</c> to your |
389 |
+<c>LDFLAGS</c>. |
390 |
</p> |
391 |
|
392 |
+<note> |
393 |
+Relro is default on binutils so be sure that you want to disable it before doing |
394 |
+so. |
395 |
+</note> |
396 |
+ |
397 |
+<note> |
398 |
+If you are interested in using per-package CFLAGS with Portage currently then |
399 |
+you may be interested in reading about <uri |
400 |
+link="http://article.gmane.org/gmane.linux.gentoo.hardened/1204">the script |
401 |
+solar has developed to deal with this</uri> |
402 |
+</note> |
403 |
+ |
404 |
</body> |
405 |
</section> |
406 |
|
407 |
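Review bot: the two new paragraphs tell the reader to append `-z,lazy` and `-z,norelro` to LDFLAGS, but the defaults this FAQ describes a few sections up are written as `-Wl,-z,now -Wl,-z,relro`; since Portage passes LDFLAGS through the gcc driver, the overrides should use the same form, `-Wl,-z,lazy` and `-Wl,-z,norelro`, or the reader will paste a flag the driver does not handle the same way. "now binding" and "relro binding" would be clearer as "immediate binding (BIND_NOW)" and "RELRO". The note "Relro is default on binutils so be sure that you want to disable it" is an unqualified claim; say whether this means the binutils shipped with the hardened profile, since the FAQ otherwise attributes the hardened defaults to the GCC spec.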
@@ -317,30 +244,27 @@ |
408 |
|
409 |
<p> |
410 |
Using the gcc optimization flag <c>-O3</c> has been known to be problematic with |
411 |
-stack-smashing protector (SSP) in some situations. This optimization flag is not |
412 |
-officially supported and therefore discouraged by the hardened team. Compile |
413 |
-issues where a user uses <c>CFLAGS="-O3"</c> will be closed as INVALID/CANTFIX |
414 |
-and or ignored. |
415 |
+stack-smashing protector (SSP) and on vanilla builds in some situations. This |
416 |
+optimization flag is not officially supported and is, therefore, discouraged by |
417 |
+the hardened team. Compile issues where a user uses <c>CFLAGS="-O3"</c> may be |
418 |
+closed as INVALID/CANTFIX and/or ignored. |
419 |
</p> |
420 |
|
421 |
</body> |
422 |
</section> |
423 |
|
424 |
-<section id="cascadebootstrap"> |
425 |
-<title>What happened to bootstrap-cascade.sh?</title> |
426 |
+<section id="hardenedprofile"> |
427 |
+<title>How do I switch to the hardened profile?</title> |
428 |
<body> |
429 |
- |
430 |
<p> |
431 |
-Recently, the old bootstrap.sh and bootstrap-2.6.sh were deprecated. In their |
432 |
-place, bootstrap-cascade.sh has been renamed to bootstrap.sh. |
433 |
+To change your profile use eselect to choose it. |
434 |
</p> |
435 |
|
436 |
-</body> |
437 |
-</section> |
438 |
- |
439 |
-<section id="hardenedprofile"> |
440 |
-<title>How do I switch to the hardened profile?</title> |
441 |
-<body> |
442 |
+<note> |
443 |
+Reading part 1 chapter 6 "Installing the Gentoo BaseSystem" on the |
444 |
+<uri link="/doc/en/handbook/">Gentoo Handbook</uri> is recommended for better |
445 |
+instructions on how to change your profile. |
446 |
+</note> |
447 |
|
448 |
<pre caption="Set make.profile"> |
449 |
# <i>eselect profile list</i> |
450 |
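Review bot: "To change your profile use eselect to choose it." is circular; "Use `eselect profile` to select the hardened profile:" followed by the listing reads better, and in the handbook note "Installing the Gentoo BaseSystem" should be "Installing the Gentoo Base System" (citing the chapter title alone avoids the chapter number going stale as the handbook changes). In the -O3 answer, "problematic with stack-smashing protector (SSP) and on vanilla builds in some situations" would help the reader more if it named the symptom (build failure versus runtime crash), since that is what decides whether a bug report is worth filing.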
@@ -351,8 +275,8 @@ |
451 |
[5] default/linux/amd64/10.0/developer |
452 |
[6] default/linux/amd64/10.0/no-multilib |
453 |
[7] default/linux/amd64/10.0/server |
454 |
-[8] hardened/linux/amd64/10.0 |
455 |
-[9] hardened/linux/amd64/10.0/no-multilib |
456 |
+[8] hardened/linux/amd64 |
457 |
+[9] hardened/linux/amd64/no-multilib |
458 |
[10] selinux/2007.0/amd64 |
459 |
[11] selinux/2007.0/amd64/hardened |
460 |
[12] selinux/v2refpolicy/amd64 |
461 |
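Review bot: only the two hardened entries are refreshed (`hardened/linux/amd64/10.0` becomes `hardened/linux/amd64`) while the surrounding `selinux/2007.0/amd64` and `selinux/v2refpolicy/amd64` context lines are left as they were; a sample `eselect profile list` should come from one machine and one tree, otherwise readers cannot tell which numbers to trust, so paste a fresh listing in full.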
@@ -363,66 +287,124 @@ |
462 |
# <i>eselect profile set 8</i> <comment>(replace 8 with the desired hardened profile)</comment> |
463 |
</pre> |
464 |
|
465 |
+<note> |
466 |
+The previous output will vary according to the architecture you use, also the |
467 |
+commands required to choose the profile will vary depending on the output of the |
468 |
+first command. |
469 |
+</note> |
470 |
+ |
471 |
<p> |
472 |
-After setting up your profile, you should recompile your system using a |
473 |
-hardened toolchain so that you have a consistent base: |
474 |
+After setting up your profile, you should recompile your system using a hardened |
475 |
+toolchain so that you have a consistent base: |
476 |
</p> |
477 |
|
478 |
<pre caption="Switch to hardened toolchain"> |
479 |
# <i>emerge --oneshot binutils gcc virtual/libc</i> |
480 |
-# <i>emerge -e world</i> |
481 |
+# <i>emerge -e --keep-going system</i> |
482 |
+# <i>emerge -e --keep-going world</i> |
483 |
</pre> |
484 |
|
485 |
+<p> |
486 |
+The <c>--keep-going</c> option is added to ensure emerge won't stop in case any |
487 |
+package fails to build. |
488 |
+</p> |
489 |
+ |
490 |
</body> |
491 |
</section> |
492 |
|
493 |
<section id="hardeneddebug"> |
494 |
<title>How do I debug with gdb?</title> |
495 |
<body> |
496 |
+ |
497 |
<p> |
498 |
-First gotcha is that GDB can't resolve symbols in PIEs; it doesn't realise that |
499 |
-the addresses are relative in PIEs not absolute. This shows up when you try to |
500 |
-get a backtrace for example, and see a stream of lines with '??' where the |
501 |
-symbol should be. |
502 |
+We have written a <uri link="/proj/en/hardened/hardened-debugging.xml">document |
503 |
+on how to debug with Gentoo Hardened</uri>, so following the recommendations |
504 |
+there should fix your problem. |
505 |
</p> |
506 |
+ |
507 |
+</body> |
508 |
+</section> |
509 |
+ |
510 |
+<section id="jitflag"> |
511 |
+<title>Why is the jit flag disabled in the hardened profile?</title> |
512 |
+<body> |
513 |
+ |
514 |
<p> |
515 |
-To get around this, do the final link stage with <c>-nopie</c> - all the |
516 |
-preceding object compilations can still be with <c>-fPIE</c> as normal (i.e. the |
517 |
-default with the hardened compiler) so that your executable is as close as |
518 |
-possible to the real thing, but the final link must create a regular executable. |
519 |
-Try adding <c>-nopie</c> to LDFLAGS if you're building with emerge. |
520 |
+JIT means Just In Time Compilation and consist on taking some code meant to be |
521 |
+interpreted (like Java bytecode or JavaScript code) compile it into native |
522 |
+binary code in memory and then executing the compiled code. This means that the |
523 |
+program need a section of memory which has write and execution permissions to |
524 |
+write and then execute the code which is denied by PaX, unless the mprotect flag |
525 |
+is unset for the executable. As a result, we disabled the JIT use flag by |
526 |
+default to avoid complaints and security problems. |
527 |
</p> |
528 |
+ |
529 |
<p> |
530 |
-Another way of accomplishing this, it to emerge >=sys-devel/gdb-7.1, which contains |
531 |
-a special patch that makes it able to debug executeables linked with -pie. |
532 |
+You should bear in mind that having a section which is written and then executed |
533 |
+can be a serious security problem as the attacker needs to be able to exploit a |
534 |
+bug between the write and execute stages to write in that section in order to |
535 |
+execute any code it wants to. |
536 |
</p> |
537 |
+</body> |
538 |
+</section> |
539 |
+ |
540 |
+<section id="enablejit"> |
541 |
+<title>How do I enable the jit flag?</title> |
542 |
+<body> |
543 |
+ |
544 |
<p> |
545 |
-The second gotcha is that PaX may prevent GDB from setting breakpoints, |
546 |
-depending on how the kernel is configured. This includes the breakpoint at main |
547 |
-which you need to get started. To stop PaX doing this, the executable being |
548 |
-debugged needs the <c>m</c> and <c>x</c> flags. The <c>x</c> flag is set by |
549 |
-default, so it is enough to do: |
550 |
+If you need it, we recommend enabling the flag in a per package basis using |
551 |
+<c>/etc/portage/package.use</c> |
552 |
</p> |
553 |
-<pre caption="Relax PaX for debug"> |
554 |
-# <i>/sbin/paxctl -m foo</i> |
555 |
+ |
556 |
+<pre caption="Example /etc/portage/package.use enabling JIT in some libraries"> |
557 |
+x11-libs/qt-core jit |
558 |
+x11-libs/qt-script jit |
559 |
+x11-libs/qt-webkit jit |
560 |
</pre> |
561 |
+ |
562 |
<p> |
563 |
-At this point, you should be good to go! Fire up gdb in the usual way. Good |
564 |
-luck! |
565 |
+Anyway, you can enable the use flag globally using <c>/etc/make.conf</c> |
566 |
</p> |
567 |
+ |
568 |
+<pre caption="Example /etc/make.conf with JIT enabled"> |
569 |
+CFLAGS="-O2 -pipe -fomit-frame-pointer -march=native" |
570 |
+CXXFLAGS="${CFLAGS}" |
571 |
+# WARNING: Changing your CHOST is not something that should be done lightly. |
572 |
+# Please consult http://www.gentoo.org/doc/en/change-chost.xml before changing. |
573 |
+CHOST="x86_64-pc-linux-gnu" |
574 |
+# These are the USE flags that were used in addition to what is provided by the |
575 |
+# profile used for building. |
576 |
+<comment>#If you have more uses adding jit to the end should suffice</comment> |
577 |
+USE="jit" |
578 |
+ |
579 |
+MAKEOPTS="-j2" |
580 |
+ |
581 |
+GENTOO_MIRRORS="ftp://ftp.udc.es/gentoo/" |
582 |
+ |
583 |
+SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" |
584 |
+</pre> |
585 |
+ |
586 |
+<impo> |
587 |
+Remember that if you enable JIT code on PaX you may need to disable mprotect on |
588 |
+the binaries using such code, either by them selves or through libraries. Check |
589 |
+the <uri link="#paxjavajit">PaX question on Java and JIT to see how to do this |
590 |
+</uri> |
591 |
+</impo> |
592 |
+ |
593 |
</body> |
594 |
</section> |
595 |
- |
596 |
+ |
597 |
</chapter> |
598 |
|
599 |
<chapter> |
600 |
<title>PaX Questions</title> |
601 |
<section id="paxinformation"> |
602 |
-<title>What is the homepage for PaX?</title> |
603 |
+<title>Where is the homepage for PaX?</title> |
604 |
<body> |
605 |
|
606 |
<p> |
607 |
-The homepage for PaX is located at <uri>http://pax.grsecurity.net</uri>. |
608 |
+That is <uri link="http://pax.grsecurity.net">the homepage for PaX</uri>. |
609 |
</p> |
610 |
|
611 |
</body> |
612 |
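Review bot: "The --keep-going option is added to ensure emerge won't stop in case any package fails to build" should also tell the reader that a failed package stays unbuilt: emerge lists the failures at the end, and those must be fixed and re-emerged or the "consistent base" this section promises is not achieved. In the jitflag answer, "the attacker needs to be able to exploit a bug between the write and execute stages" misstates the risk for the case the previous paragraph describes: when a mapping is writable and executable at the same time, any write into it can be run as code with no timing window involved, which is exactly what PaX MPROTECT prevents and why unsetting the mprotect flag gives up real protection. The make.conf example carries CHOST, MAKEOPTS, GENTOO_MIRRORS and SYNC lines that have nothing to do with the point; a two-line example (the comment plus `USE="jit"`) is clearer. "Anyway, you can enable the use flag globally" should be "Alternatively", and "That is the homepage for PaX" reads oddly as an answer to "Where is"; "The PaX homepage is at ..." answers it directly.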
@@ -433,14 +415,45 @@ |
613 |
<body> |
614 |
|
615 |
<p> |
616 |
-Currently the only Gentoo documentation that exists about PaX is a PaX |
617 |
-quickstart guide located at the |
618 |
-<uri>http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml</uri> website. |
619 |
+Currently the only Gentoo documentation that exists about PaX is a <uri |
620 |
+link="http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml"> PaX quickstart |
621 |
+guide</uri>. |
622 |
</p> |
623 |
|
624 |
</body> |
625 |
</section> |
626 |
|
627 |
+<section id="paxmarkings"> |
628 |
+<title>How do PaX markings work?</title> |
629 |
+<body> |
630 |
+ |
631 |
+<p> |
632 |
+PaX markings are a way to tell PaX which features should enable (or disable) for |
633 |
+a certain binary. |
634 |
+</p> |
635 |
+ |
636 |
+<p> |
637 |
+Features can either be enabled, disabled or not set. Enabling or disabling them |
638 |
+will supersede the kernel action, so a binary with a feature enabled will |
639 |
+always use the feature and one with a feature disabled won't ever used it. |
640 |
+</p> |
641 |
+ |
642 |
+<p> |
643 |
+When the feature status is not set the kernel will choose whether to enable or |
644 |
+disable it. By default, the hardened kernel will enable those features with only |
645 |
+two exceptions, the feature is not supported by the architecture/kernel or PaX |
646 |
+is running in Soft Mode. In those two cases, it will be disabled. |
647 |
+</p> |
648 |
+ |
649 |
+<note> |
650 |
+In order to have Soft Mode, your kernel should have that feature enabled and |
651 |
+you should enable it either passing <c>pax_softmode=1</c> in the kernel cmdline |
652 |
+or setting to 1 the option in <c>/proc/sys/kernel/pax/softmode</c>. |
653 |
+</note> |
654 |
+ |
655 |
+</body> |
656 |
+</section> |
657 |
+ |
658 |
<section id="paxnoelf"> |
659 |
<title>I keep getting the message: "error while loading shared libraries: cannot |
660 |
make segment writable for relocation: Permission denied." What does this |
661 |
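Review bot: "PaX markings are a way to tell PaX which features should enable (or disable) for a certain binary" should be "should be enabled (or disabled)", and "one with a feature disabled won't ever used it" should be "will never use it". The third paragraph's "the hardened kernel will enable those features with only two exceptions" would be clearer if it distinguished the two: a feature not compiled into or supported by the kernel is decided at build time, while soft mode is a runtime switch; as written they sound alike. Since this is a FAQ, the softmode note could give the concrete command, `echo 1 > /proc/sys/kernel/pax/softmode`, next to the cmdline form.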
@@ -448,13 +461,29 @@ |
662 |
<body> |
663 |
|
664 |
<p> |
665 |
-This error occurs when you enable CONFIG_PAX_NOELFRELOCS as such: |
666 |
+Text relocations are a way in which references in the executable code to |
667 |
+addresses not known at link time are solved. Basically they just write the |
668 |
+appropriate address at runtime marking the code segment writable in order to |
669 |
+change the address then unmarking it. This can be a problem as an attacker could |
670 |
+try to exploit a bug when the text relocation happens in order to be able to |
671 |
+write arbitrary code in the text segment which would be executed. As this also |
672 |
+means that code will be loaded on fixed addresses (not be position independent) |
673 |
+this can also be exploited to pass over the randomization features provided by |
674 |
+PaX.</p> |
675 |
+ |
676 |
+<p> |
677 |
+As this can be triggered for example by adding a library with text |
678 |
+relocations to the ones loaded by the executable, PaX offers the option |
679 |
+CONFIG_PAX_NOELFRELOCS in order to avoid them. This option is enabled like this: |
680 |
</p> |
681 |
|
682 |
<pre caption="Menuconfig Options"> |
683 |
-Non-executable page -> |
684 |
- |
685 |
- [*] Disallow ELF text relocations |
686 |
+-> Security options |
687 |
+ -> PaX |
688 |
+ -> Enable various PaX features |
689 |
+ -> Non-executable pages |
690 |
+ [*] Restrict mprotect() |
691 |
+ [*] Allow ELF text relocations |
692 |
</pre> |
693 |
|
694 |
<p> |
695 |
@@ -490,87 +519,87 @@ |
696 |
</body> |
697 |
</section> |
698 |
|
699 |
-<section id="paxjava"> |
700 |
-<title>Ever since I started using PaX I can't get Java working, why?</title> |
701 |
+<section id="paxjavajit"> |
702 |
+<title>Ever since I started using PaX I can't get Java/JIT code working, |
703 |
+why?</title> |
704 |
<body> |
705 |
|
706 |
<p> |
707 |
As part of its design, the Java virtual machine creates a considerable amount of |
708 |
-code at runtime which does not make PaX happy. There are two ways to correct |
709 |
-this problem: |
710 |
+code at runtime which does not make PaX happy. Although, with current versions |
711 |
+of portage and java, portage will mark the binaries automatically, you still |
712 |
+need to enable PaX marking so PaX can do an exception with them and have paxctl |
713 |
+installed so the markings can be applied to the binaries (an reemerge them so |
714 |
+they are applied). |
715 |
</p> |
716 |
|
717 |
-<pre caption="Install Chpax"> |
718 |
-# <i>emerge chpax</i> |
719 |
-# <i>/etc/init.d/chpax start</i> |
720 |
+<p> |
721 |
+This of course can't be applied to all packages linking with libraries with JIT |
722 |
+code, so if it doesn't, there are two ways to correct this problem: |
723 |
+</p> |
724 |
+ |
725 |
+<pre caption="Enable the marking on your kernel"> |
726 |
+-> Security options |
727 |
+ -> PaX |
728 |
+ -> Enable various PaX features |
729 |
+ -> PaX Control |
730 |
+ [*] Use ELF program header marking |
731 |
+</pre> |
732 |
+ |
733 |
+<pre caption="Install paxctl"> |
734 |
+# <i>emerge paxctl</i> |
735 |
</pre> |
736 |
|
737 |
<p> |
738 |
-Or if you already have <c>chpax</c> emerged then you can do: |
739 |
+When you already have <c>paxctl</c> emerged you can do: |
740 |
</p> |
741 |
|
742 |
-<pre caption="Java Chpax Options"> |
743 |
-# <i>chpax -pemrxs /opt/*-jdk-*/{jre,}/bin/*</i> |
744 |
+<pre caption="Disable PaX for the binary"> |
745 |
+# <i>paxctl -pemrxs /path/to/binary</i> |
746 |
</pre> |
747 |
|
748 |
<p> |
749 |
-Both of these options will slightly modify the ELF eheader in order to correctly |
+This option will slightly modify the ELF header in order to correctly |
set the PAX flags on the binaries. |
</p> |
 |
<note> |
If you are running PaX in conjunction with an additional security implementation |
-such as RSBAC, grsecurity, or SELinux you should manage PaX using the kernel |
+such as Grsecurity's RBAC, or SELinux you should manage PaX using the kernel |
hooks provided for each implementation. |
</note> |
 |
<p> |
-On RSBAC, you can label all Java files with the following command. |
+The other way is using your security implementation to do this using the kernel |
+hooks. |
</p> |
 |
-<pre caption="Java PaX options with RSBAC"> |
-# <i>for i in $(ls /opt/*(jdk|sdk)*/{jre,}/bin/*);do attr_set_file_dir FILE $i pax_flags pmerxs;done</i> |
-</pre> |
- |
</body> |
</section> |
-</chapter> |
 |
-<chapter> |
-<title>grsecurity Questions</title> |
-<section id="grsecinformation"> |
-<title>What is the homepage for grsecurity?</title> |
+<section id="paxbootparams"> |
+<title>Can I disable PaX features at boot?</title> |
<body> |
 |
<p> |
-The homepage for grsecurity is located at <uri>http://www.grsecurity.net</uri>. |
+Although this is not advised except when used to rescue the system or for |
+debugging purposes, it is possible to change a few of PaX behaviours on boot via |
+the kernel command line. |
</p> |
 |
-</body> |
-</section> |
- |
-<section id="grsecgentoodoc"> |
-<title>What Gentoo documentation exists about grsecurity?</title> |
-<body> |
- |
<p> |
-The most current documentation for grsecurity is a Grsecurity2 quickstart guide |
-located at <uri>http://www.gentoo.org/proj/en/hardened/grsecurity.xml</uri>. |
+Passing <c>pax_nouderef</c> in the kernel cmdline will disable uderef which can |
+cause problems on certain virtualization environments and cause some bugs (at |
+times) at the expense leaving the kernel unprotected against unwanted userspace |
+dereferences. |
</p> |
 |
-</body> |
-</section> |
- |
-<section id="grsec2681"> |
-<title>Can I use grsecurity with a 2.6.8, 2.6.8.1, or 2.6.9 kernel?</title> |
-<body> |
- |
<p> |
-Due to significant changes in the 2.6.8 kernel that broke PaX, neither a PaX nor |
-a grsecurity patch are available for kernels 2.6.8, 2.6.8.1, or 2.6.9. Although |
-an experimental patch is available for 2.6.10, the official stance of the PaX |
-Team regarding 2.6 kernels should be noted and taken into consideration before |
-use: <uri> http://forums.grsecurity.net./viewtopic.php?t=968</uri>. |
+Passing <c>pax_softmode=1</c> in the kernel cmdline will enable the softmode |
+which can be useful when booting a not prepared system with a PaX kernel. In |
+soft mode PaX will disable most features by default unless told otherwise via |
+the markings. In a similar way, <c>pax_softmode=0</c> will disable the softmode |
+if it was enabled in the config. |
</p> |
 |
</body> |
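Review bot: the replacement paragraph `+The other way is using your security implementation to do this using the kernel hooks.` refers to "the other way", but within this hunk the first way has been reduced to "This option" and is never named, so the reader cannot tell what the alternative is; start it with the tool being contrasted (for example "Besides marking the ELF header, you can let your security implementation set the flags through its kernel hooks") and drop the doubled "using". The edited note also reads oddly as `+such as Grsecurity's RBAC, or SELinux you should manage PaX`: either "such as Grsecurity's RBAC or SELinux, you should" or keep a three-item list. In the new `paxbootparams` section, "at the expense leaving" should be "at the expense of leaving", "a not prepared system" should be "an unprepared system", and "a few of PaX behaviours" should be "a few PaX behaviours". Since `pax_nouderef` switches off a kernel-side protection (the text itself says it leaves the kernel open to unwanted userspace dereferences), it is worth saying plainly that it belongs on a one-off rescue or debugging boot, not in the bootloader's permanent kernel command line, so the wording in the first paragraph ("not advised except ... to rescue the system or for debugging") is not lost on readers who skip to the parameter.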
@@ -578,49 +607,43 @@ |
</chapter> |
 |
<chapter> |
-<title>RSBAC Questions</title> |
-<section id="rsbacinformation"> |
-<title>What is the homepage for RSBAC?</title> |
+<title>Grsecurity Questions</title> |
+<section id="grsecinformation"> |
+<title>Where is the homepage for Grsecurity?</title> |
<body> |
 |
<p> |
-The homepage for RSBAC is located at <uri>http://www.rsbac.org</uri>. |
+That is the <uri link="http://www.grsecurity.net">homepage for Grsecurity</uri>. |
</p> |
 |
</body> |
</section> |
 |
-<section id="rsbacgentoodoc"> |
-<title>What Gentoo documentation exists about RSBAC?</title> |
+<section id="grsecgentoodoc"> |
+<title>What Gentoo documentation exists about Grsecurity?</title> |
<body> |
 |
<p> |
-All Gentoo RSBAC documentation is located at the RSBAC subproject page found at: |
-<uri>http://www.gentoo.org/proj/en/hardened/rsbac/index.xml</uri> |
-</p> |
- |
-<p> |
-Moreover, non-Gentoo RSBAC documentation can be found in the RSBAC handbook, |
-found at: <uri>http://www.rsbac.org/documentation/rsbac_handbook</uri> |
+The most current documentation for Grsecurity is a <uri |
+link="http://www.gentoo.org/proj/en/hardened/grsecurity.xml">Grsecurity2 |
+quickstart guide</uri>. |
</p> |
 |
</body> |
</section> |
 |
-<section id="rsbacinitrd"> |
-<title>How do I use an initial ramdisk with a RSBAC enabled kernel?</title> |
+<section id="grsecnew"> |
+<title>Can I use Grsecurity with a recent kernel not on the portage tree |
+</title> |
<body> |
 |
<p> |
-To use an initial ramdisk with a RSBAC enabled kernel, a special kernel option |
-must be enabled or else RSBAC will treat the initrd as the root device: |
+Usually we release a new version of hardened sources not long after a new |
+PaX/Grsecurity patch is released, so the best option is just waiting a bit for |
+the kernel team to adapt the patches and then test them. Remind that we won't |
+support kernel sources not coming from the portage tree. |
</p> |
 |
-<pre caption="Menuconfig Options"> |
-General RSBAC options ---> |
- [*] Delayed init for initial ramdisk |
-</pre> |
- |
</body> |
</section> |
</chapter> |
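Review bot: the new title `+<title>Can I use Grsecurity with a recent kernel not on the portage tree` is missing its question mark and is broken before `+</title>`, which leaves a newline and trailing space inside the title element; put it on one line as "Can I use Grsecurity with a recent kernel that is not in the portage tree?". In the same section "Remind that we won't support" should be "Note that we do not support", and `+That is the <uri link="http://www.grsecurity.net">homepage for Grsecurity</uri>.` reads oddly as an answer; "The homepage for Grsecurity is ..." matches the other answers. The section ids `grsecinformation` and `grsecgentoodoc` reintroduced here are the same ids removed from the PaX chapter in the previous hunk, so they stay unique in the document and existing `#grsecinformation` / `#grsecgentoodoc` anchors keep working; the `rsbacinitrd` id and its "Delayed init for initial ramdisk" menuconfig note disappear with the RSBAC chapter, so any page that still links to `hardenedfaq.xml#rsbacinitrd` will need updating.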
@@ -632,8 +655,9 @@ |
<body> |
 |
<p> |
-A SELinux specific FAQ can be found at <uri> |
-http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3</uri>. |
+There is a <uri |
+link="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3"> |
+SELinux specific FAQ</uri>. |
</p> |
 |
</body> |
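Review bot: the `&` in `+link="http://www.gentoo.org/proj/en/hardened/selinux/selinux-handbook.xml?part=3&chap=3">` is a bare ampersand inside an XML attribute value; as shown in this hunk it is not a well-formed entity reference and the guide will fail to parse under the guide DTD, so it needs to be written as `?part=3&amp;chap=3` (the same applies to the old element-content form being removed, if the viewer is displaying an already-escaped source then this is a non-issue, but check the raw file). Splitting the `<uri` start tag from its `link` attribute across lines is legal XML, but the line break directly after `>` puts a leading newline inside the link text; keep "SELinux specific FAQ" on the same line as the closing `>` so the rendered link has no stray whitespace.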