| 1 |
> Here's some information regarding the applications I had to fix. |
| 2 |
> Most of the problems are related to the fact that the binaries |
| 3 |
> are not linked statically (which would presumably fix most problems). |
| 4 |
> Most of them don't generate logs, but I hope the information |
| 5 |
> I provided will be usefull anyway. |
| 6 |
|
| 7 |
thanks for the info, my comments follow inlined (i'm CC'ing the list |
| 8 |
as there's some work to do ;-): |
| 9 |
|
| 10 |
> ntpd: |
| 11 |
> - -------- |
| 12 |
> |
| 13 |
> [markus@biohazard] /sbin/chpax -v /usr/bin/ntpd |
| 14 |
> |
| 15 |
> - ----[ chpax 0.6.1 : Current flags for /usr/bin/ntpd (PeMRxs) ]---- |
| 16 |
> |
| 17 |
> [markus@biohazard] sudo /usr/bin/ntpd |
| 18 |
> /usr/bin/ntpd: error while loading shared libraries: /lib/libcap.so.1: |
| 19 |
> cannot make segment writable for relocation: Permission denied |
| 20 |
> |
| 21 |
> FIXED VIA |
| 22 |
> |
| 23 |
> [markus@biohazard] sudo /sbin/chpax -peMRxs /usr/bin/ntpd |
| 24 |
|
| 25 |
the 'cannot make segment writable...' message means that the |
| 26 |
given library has text relocations in it, that should be |
| 27 |
gotten rid of instead of disabling MPROTECT (actually, you |
| 28 |
were disabling more than that, SEGMEXEC itself). also static |
| 29 |
compilation won't solve the problem when using PIEs (whenever |
| 30 |
that becomes possible at all, that is), it'd just make the |
| 31 |
main executable non-relocatable. |
| 32 |
|
| 33 |
> acroread: |
| 34 |
> - --------------- |
| 35 |
> |
| 36 |
> The following works fine |
| 37 |
> |
| 38 |
> [markus@biohazard] /sbin/chpax -v |
| 39 |
> /opt/Acrobat5/Reader/intellinux/bin/acroread |
| 40 |
> |
| 41 |
> - ----[ chpax 0.6.1 : Current flags for |
| 42 |
> /opt/Acrobat5/Reader/intellinux/bin/acroread (pEmRxs) ]---- |
| 43 |
> |
| 44 |
> using "PEmRxs" also works but the binary loads very slowly; likely some |
| 45 |
> trouble loading the plugins. |
| 46 |
|
| 47 |
i guess the slowdown is due to using PAGEEXEC (and you probably |
| 48 |
have a P4). i take it that acroread has a gcc nested function |
| 49 |
trampoline and hence EMUTRAMP fixed it, in that case chpax -E |
| 50 |
is enough, i.e., you can keep SEGMEXEC, it should be back to |
| 51 |
its normal speed then. |
| 52 |
|
| 53 |
> mplayer/xine: |
| 54 |
> - --------------------- |
| 55 |
> |
| 56 |
> Both require |
| 57 |
> |
| 58 |
> [markus@biohazard] /sbin/chpax -v /usr/bin/mplayer |
| 59 |
> |
| 60 |
> - ----[ chpax 0.6.1 : Current flags for /usr/bin/mplayer (PemRxs) ]---- |
| 61 |
> |
| 62 |
> PeMRxs causes failure to load shared libraries |
| 63 |
|
| 64 |
same comments as for ntpd, although i guess fixing all these asm |
| 65 |
optimized libraries will take some coding (if at all possible |
| 66 |
without losing too much performance). |
| 67 |
|
| 68 |
> soffice |
| 69 |
> - ----------- |
| 70 |
> |
| 71 |
> The following works, |
| 72 |
> |
| 73 |
> [markus@biohazard] /sbin/chpax -v |
| 74 |
> /opt/Ximian-OpenOffice/program/soffice.bin |
| 75 |
> |
| 76 |
> - ----[ chpax 0.6.1 : Current flags for |
| 77 |
> /opt/Ximian-OpenOffice/program/soffice.bin (pemRxS) ]---- |
| 78 |
> |
| 79 |
> enabling everything else causes either libraries to fail loading or the |
| 80 |
> binary gets killed. |
| 81 |
|
| 82 |
the library issue is discussed above, as for the kills i guess |
| 83 |
that openoffice generates code at runtime (properly this time) |
| 84 |
and hence MPROTECT has to be disabled - fair enough. |
| 85 |
|
| 86 |
> wvdial |
| 87 |
> - ---------- |
| 88 |
> |
| 89 |
> The following works |
| 90 |
> |
| 91 |
> |
| 92 |
> [markus@biohazard] /sbin/chpax -v /usr/bin/wvdial |
| 93 |
> |
| 94 |
> - ----[ chpax 0.6.1 : Current flags for /usr/bin/wvdial (PemRxs) ]---- |
| 95 |
> |
| 96 |
> PeMRxs causes failure to load shared libraries. |
| 97 |
|
| 98 |
again, discussed above, for now disable MPROTECT and post the |
| 99 |
library names that have text relocations. |
| 100 |
|
| 101 |
|
| 102 |
-- |
| 103 |
gentoo-hardened@g.o mailing list |
Archives