| 1 |
Hi Markus, |
| 2 |
|
| 3 |
It looks like you missed something in the process. The steps to |
| 4 |
converting are (skipping details): |
| 5 |
|
| 6 |
1) switch profile |
| 7 |
2) recompile the toolchain: emerge glibc gcc binutils |
| 8 |
3) recompile system: emerge -e system |
| 9 |
4) recompile world: emerge -e world |
| 10 |
|
| 11 |
If you didn't do these, its possible you have some binaries left that |
| 12 |
will trigger pax violations. |
| 13 |
|
| 14 |
One way to quickly check if you got hardened binaries is to use a script |
| 15 |
called checksec.sh [1] and run it on /bin or /sbin. You should see that |
| 16 |
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR. |
| 17 |
|
| 18 |
|
| 19 |
Ref: |
| 20 |
|
| 21 |
[1] http://tk-blog.blogspot.com/2009/02/checksec.html |
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
On 07/14/2011 05:54 AM, Markus Oehme wrote: |
| 26 |
> Hi, |
| 27 |
> |
| 28 |
> I successfully switched to hardened profile during the last week and it was |
| 29 |
> quite painless. I think I can hand out some praise for the great work done |
| 30 |
> on Gentoo Hardened. :) |
| 31 |
> |
| 32 |
> Just one thing puzzles me a bit. I activated pax in hardened sources and |
| 33 |
> this resulted in quite some segfaulting processes due to mprotect. I found |
| 34 |
> lines like the following in the logs. |
| 35 |
> |
| 36 |
> Jul 13 17:09:41 localhost kernel: [ 286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0 |
| 37 |
> |
| 38 |
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list |
| 39 |
> [1] of binaries where I had to do this includes some stuff, where mprotect |
| 40 |
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the |
| 41 |
> docs (which otherwise are really helpful :) about what to expect for |
| 42 |
> excpetions from mprotect. Is this expected behaviour or have I made some |
| 43 |
> mistake in my configuration? |
| 44 |
> |
| 45 |
> |
| 46 |
> Markus |
| 47 |
> |
| 48 |
> [1] |
| 49 |
> /usr/lib64/courier/courier-authlib/authdaemond |
| 50 |
> /usr/sbin/console-kit-daemon |
| 51 |
> /usr/libexec/polkitd |
| 52 |
> /usr/bin/xfconf-query |
| 53 |
> /usr/lib64/xfce4/xfconf/xfconfd |
| 54 |
> /usr/bin/xscreensaver |
| 55 |
> /usr/bin/xfce4-session |
| 56 |
> /usr/bin/gkrellm |
| 57 |
> /usr/bin/Xorg |
| 58 |
> /usr/bin/xfdesktop |
| 59 |
> /usr/bin/xfce4-panel |
| 60 |
> /usr/bin/Terminal |
| 61 |
> /usr/libexec/udisks-daemon |
| 62 |
> /usr/bin/xfce4-session-logout |
| 63 |
> /usr/bin/emacs-23 |
| 64 |
> /usr/bin/sudo |
| 65 |
> /usr/bin/perl |
| 66 |
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin |
| 67 |
> /usr/bin/xfce4-mixer |
| 68 |
> /usr/bin/python2.7 |
| 69 |
> /usr/libexec/git-core/git |
| 70 |
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1 |
| 71 |
> |
| 72 |
> |
| 73 |
> -- |
| 74 |
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod |
| 75 |
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the |
| 76 |
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot |
| 77 |
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef, |
| 78 |
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt. |
| 79 |
|
| 80 |
|
| 81 |
-- |
| 82 |
Anthony G. Basile, Ph.D. |
| 83 |
Gentoo Linux Developer [Hardened] |
| 84 |
E-Mail : blueness@g.o |
| 85 |
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 86 |
GnuPG ID : D0455535 |
Archives