Gentoo Archives: gentoo-dev

From: Mike Frysinger <vapier@g.o>
To: gentoo-dev@l.g.o
Cc: "Anthony G. Basile" <blueness@g.o>, pageexec@××××××××.hu
Subject: Re: [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes
Date: Wed, 07 Dec 2011 22:12:55
In Reply to: [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes by "Anthony G. Basile"
On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote:
> 2) PT_PAX markings. This puts the flags in an ELF program header. On
> Gentoo systems, all binaries are compiled with a PT_PAX header ready to
> go because of a patch against binutils [2]. The problem is precompiled
> binaries which lack a PT_PAX header and cannot have one added without
> breaking (e.g. skype).
>
> 3) XT_PAX markings. This is the new experimental way of doing the
> markings using xattrs for PaX markings. Currently, I'm using the
> namespace "user.pax" so as to allow users to mark their own binaries, but
> this may change to "security.pax" depending on what direction upstream
> (i.e. pipacs) wants to go. The advantage here is that the ELF binary is
> not mangled in any way since the xattrs live in the inodes, not the
> blocks. The disadvantage is that xattrs are not supported on all
> filesystems and in all the utilities we need for portage to work. I'm
> working to get xattrs supported where we need it. This will also help
> with supporting other features like ACL and CAPS. To this end:
i happily look forward to the time where we can deprecate PT_PAX support in binutils. it is, by far, the largest thorn in my side when it comes to stabilization and false positive test failures in binutils.
> a) There is a patch against tar to support xattrs based on a Fedora
> patch. [3]
sorry, now that i know this is a bit more important than "i've been playing with this stuff", i'll try and get to it faster
-mike
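An added example, not part of this thread or of paxctl/paxctl-ng, that shows the two marking locations Anthony describes: it walks an ELF64 program header table for the PT_PAX_FLAGS entry and decodes its flag bits into paxctl letters, and reports a binary as unmarked when neither a user.pax xattr value nor a PT_PAX header is present (the precompiled-binary case). The attribute name user.pax.flags, the xattr-over-PT_PAX precedence and the sample ELF image are assumptions made for the example.

```python
import struct

# Program-header type and flag bits that PaX adds to ELF (values from the PaX patch's elf.h)
PT_PAX_FLAGS = 0x65041580
PAX_FLAG_BITS = [  # (enable bit, disable bit, paxctl letter)
    (1 << 4, 1 << 5, "P"),    # PAGEEXEC
    (1 << 6, 1 << 7, "S"),    # SEGMEXEC
    (1 << 8, 1 << 9, "M"),    # MPROTECT
    (1 << 10, 1 << 11, "X"),  # RANDEXEC
    (1 << 12, 1 << 13, "E"),  # EMUTRAMP
    (1 << 14, 1 << 15, "R"),  # RANDMMAP
]
XATTR_NAME = "user.pax.flags"  # assumed attribute name inside the user.pax namespace

def decode_pax_flags(p_flags):
    """Render PT_PAX p_flags as paxctl letters: upper = on, lower = off, '-' = unset."""
    return "".join(L if p_flags & on else L.lower() if p_flags & off else "-"
                   for on, off, L in PAX_FLAG_BITS)

def find_pt_pax(elf):
    """Return p_flags of the PT_PAX_FLAGS header in a little-endian ELF64 image, or None."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_phoff,) = struct.unpack_from("<Q", elf, 0x20)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def pax_marking(elf, xattr_value=None):
    """Report where a binary's PaX marking comes from: the xattr value if one is set
    (assumed to take precedence), otherwise PT_PAX; None means the binary is unmarked."""
    if xattr_value is not None:
        return ("xattr", xattr_value.decode())
    flags = find_pt_pax(elf)
    return None if flags is None else ("PT_PAX", decode_pax_flags(flags))

def build_sample_elf(pax_flags=None):
    """Constructed, non-loadable ELF64 image: one PT_LOAD header plus an optional PT_PAX_FLAGS header."""
    phdrs = struct.pack("<IIQQQQQQ", 1, 5, 0, 0, 0, 0, 0, 0x1000)        # PT_LOAD, R+X
    if pax_flags is not None:
        phdrs += struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8)
    phnum = len(phdrs) // 56
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)                  # ELF64, LSB, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    return ehdr + phdrs
```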

