Archives
Archives
| From: | "Anthony G. Basile" <blueness@g.o> |
|---|---|
| To: | Gentoo Development <gentoo-dev@l.g.o> |
| Subject: | [gentoo-dev] Proposed update to pax-utils.eclass |
| Date: | Sun, 17 Mar 2013 12:19:45 |
| Message-Id: | 5145B4B9.3070104@gentoo.org |
| 1 | Hi everyone, |
| 2 | |
| 3 | The hardened team has been working on getting PaX markings moved to |
| 4 | Extended Attributes rather then putting them in a program header of the |
| 5 | ELF binaries [1]. The motivation here is that this is a generally safer |
| 6 | way of doing PaX markings since mangling an ELF binary can break things [2]. |
| 7 | |
| 8 | The last step in the process is getting an eclass on the tree which does |
| 9 | both xattr as well as elf phdr based PaX markings. We've been testing |
| 10 | one for a while and we think we've clobbered all the bugs. The eclass |
| 11 | deviates significantly from the one on the tree, so a I'm not sure a |
| 12 | diff is the best way to present it. The current version is on the |
| 13 | hardened-dev overay [3]. It also makes use of a new utility called |
| 14 | paxctl-ng which does what paxctl did but also with xattr [4]. |
| 15 | |
| 16 | You may want to look at some documentation too. A updated discussion of |
| 17 | PaX which includes xattr stuff is at [5]. A migration guide is at [6]. |
| 18 | |
| 19 | Please review. We are in no rush to get this done, so if you find bugs |
| 20 | or have concerns, add blockers to the tracker [1]. |
| 21 | |
| 22 | |
| 23 | Ref. |
| 24 | |
| 25 | [1] https://bugs.gentoo.org/show_bug.cgi?id=427888 |
| 26 | |
| 27 | [2] eg skype, https://bugs.gentoo.org/show_bug.cgi?id=461668 |
| 28 | |
| 29 | [3] |
| 30 | http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=eclass/pax-utils.eclass;h=b27d5e2f6e503cf47e9e321e441f1fe8c9c1dbd8;hb=646c49292c140491c3e1aee58a82f3c3b6a4e99f |
| 31 | |
| 32 | [4] This is part of the sys-apps/elfix package. The repo is at |
| 33 | http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=summary |
| 34 | |
| 35 | [5] http://www.gentoo.org/proj/en/hardened/pax-quickstart.xml |
| 36 | |
| 37 | [6] http://www.gentoo.org/proj/en/hardened/pax-migrate-xattr.xml |
| 38 | |
| 39 | |
| 40 | -- |
| 41 | Anthony G. Basile, Ph.D. |
| 42 | Gentoo Linux Developer [Hardened] |
| 43 | E-Mail : blueness@g.o |
| 44 | GnuPG FP : 1FED FAD9 D82C 52A5 3BAB DC79 9384 FA6E F52D 4BBA |
| 45 | GnuPG ID : F52D4BBA |
| Subject | Author |
|---|---|
| Re: [gentoo-dev] Proposed update to pax-utils.eclass | "Anthony G. Basile" <blueness@g.o> |