Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-dev@l.g.o
Cc: "Anthony G. Basile" <blueness@g.o>, pageexec@××××××××.hu
Subject: Re: [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes
Date: Wed, 07 Dec 2011 22:12:55
In Reply to: [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes by "Anthony G. Basile"
1 On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote:
2 > 2) PT_PAX markings. This puts the flags in an ELF program header. On
3 > Gentoo systems, all binaries are compiled with a PT_PAX header ready to
4 > go because of a patch against binutils [2]. The problem is precompiled
5 > binaries which lack a PT_PAX header and cannot have one added without
6 > breaking. (eg. skype).
7 >
8 > 3) XT_PAX markings. This is the new experimental way of doing the
9 > markings using xattrs for PaX markings. Currently, I'm using the name
10 > space "user.pax" so as to allow users to mark their own binaries, but
11 > this may change to "security.pax" depending on what direction upstream
12 > (ie pipacs) wants to go. The advantage here is that the ELF binary is
13 > not mangled in any way since the xattrs live in the inodes not the
14 > blocks. The disadvantage is that xattrs is not supported on all
15 > filesystems and in all our utilities we need for portage to work. I'm
16 > working to get xattrs supported where we need it. This will also help
17 > with supporting other features like ACL and CAPS. To this end:
19 i happily look forward to the time where we can deprecate PT_PAX support in
20 binutils. it is, by far, the largest thorn in my side when it comes to
21 stabilization and false positive test failures in binutils.
23 > a) There is a patch against tar to support xattrs based on a Fedora's
24 > patch. [3]
26 sorry, now that i know this is a bit more important than "i've been playing
27 with this stuff", i'll try and get to it faster
28 -mike


File name MIME type
signature.asc application/pgp-signature