> Here's some information regarding the applications I had to fix.
> Most of the problems are related to the fact that the binaries
> are not linked statically (which would presumably fix most problems).
> Most of them don't generate logs, but I hope the information
> I provided will be useful anyway.

thanks for the info, my comments follow inlined (i'm CC'ing the list
as there's some work to do ;-):

> ntpd:
> --------
>
> [markus@biohazard] /sbin/chpax -v /usr/bin/ntpd
>
> ----[ chpax 0.6.1 : Current flags for /usr/bin/ntpd (PeMRxs) ]----
>
> [markus@biohazard] sudo /usr/bin/ntpd
> /usr/bin/ntpd: error while loading shared libraries: /lib/libcap.so.1:
> cannot make segment writable for relocation: Permission denied
>
> FIXED VIA
>
> [markus@biohazard] sudo /sbin/chpax -peMRxs /usr/bin/ntpd

the 'cannot make segment writable...' message means that the
given library has text relocations in it, that should be
gotten rid of instead of disabling MPROTECT (actually, you
were disabling more than that, SEGMEXEC itself). also static
compilation won't solve the problem when using PIEs (whenever
that becomes possible at all, that is), it'd just make the
main executable non-relocatable.

> acroread:
> ---------------
>
> The following works fine
>
> [markus@biohazard] /sbin/chpax -v
> /opt/Acrobat5/Reader/intellinux/bin/acroread
>
> ----[ chpax 0.6.1 : Current flags for
> /opt/Acrobat5/Reader/intellinux/bin/acroread (pEmRxs) ]----
>
> using "PEmRxs" also works but the binary loads very slowly; likely some
> trouble loading the plugins.

i guess the slowdown is due to using PAGEEXEC (and you probably
have a P4). i take it that acroread has a gcc nested function
trampoline and hence EMUTRAMP fixed it, in that case chpax -E
is enough, i.e., you can keep SEGMEXEC, it should be back to
its normal speed then.

> mplayer/xine:
> ---------------------
>
> Both require
>
> [markus@biohazard] /sbin/chpax -v /usr/bin/mplayer
>
> ----[ chpax 0.6.1 : Current flags for /usr/bin/mplayer (PemRxs) ]----
>
> PeMRxs causes failure to load shared libraries

same comments as for ntpd, although i guess fixing all these asm
optimized libraries will take some coding (if at all possible
without losing too much performance).

> soffice
> -----------
>
> The following works,
>
> [markus@biohazard] /sbin/chpax -v
> /opt/Ximian-OpenOffice/program/soffice.bin
>
> ----[ chpax 0.6.1 : Current flags for
> /opt/Ximian-OpenOffice/program/soffice.bin (pemRxS) ]----
>
> enabling everything else causes either libraries to fail loading or the
> binary gets killed.

the library issue is discussed above, as for the kills i guess
that openoffice generates code at runtime (properly this time)
and hence MPROTECT has to be disabled - fair enough.
86 |
> wvdial |
87 |
> - ---------- |
88 |
> |
89 |
> The following works |
90 |
> |
91 |
> |
92 |
> [markus@biohazard] /sbin/chpax -v /usr/bin/wvdial |
93 |
> |
94 |
> - ----[ chpax 0.6.1 : Current flags for /usr/bin/wvdial (PemRxs) ]---- |
95 |
> |
96 |
> PeMRxs causes failure to load shared libraries. |
97 |
|
98 |
again, discussed above, for now disable MPROTECT and post the |
99 |
library names that have text relocations. |
100 |
|
101 |
|
102 |
-- |
103 |
gentoo-hardened@g.o mailing list |
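The reply asks for the names of the libraries that carry text relocations, the condition behind the 'cannot make segment writable for relocation' failure under MPROTECT. Below is an added example (not code from this thread or from the PaX/chpax project) that reads an ELF file's PT_DYNAMIC segment directly and reports whether it has a DT_TEXTREL entry or the DF_TEXTREL bit in DT_FLAGS; the `sample_elf64` builder is constructed test input, not a real library.

```python
"""Spot ELF objects carrying text relocations (DT_TEXTREL / DF_TEXTREL)."""
import struct

PT_DYNAMIC, DT_NULL, DT_TEXTREL, DT_FLAGS, DF_TEXTREL = 2, 0, 16, 30, 0x4


def dynamic_entries(data):
    """Yield (d_tag, d_val) from the PT_DYNAMIC segment, stopping at DT_NULL."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    e, is64 = ("<" if data[5] == 1 else ">"), data[4] == 2   # EI_DATA, EI_CLASS
    if is64:  # Elf64_Ehdr: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(e + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 54)
        ph_fmt, dyn_fmt = e + "IIQQQQQQ", e + "qQ"
    else:     # Elf32_Ehdr: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(e + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 42)
        ph_fmt, dyn_fmt = e + "IIIIIIII", e + "iI"
    for i in range(e_phnum):
        ph = struct.unpack_from(ph_fmt, data, e_phoff + i * e_phentsize)
        if ph[0] != PT_DYNAMIC:
            continue
        # Elf64_Phdr: (type, flags, offset, vaddr, paddr, filesz, ...)
        # Elf32_Phdr: (type, offset, vaddr, paddr, filesz, ...)
        off, size = (ph[2], ph[5]) if is64 else (ph[1], ph[4])
        for pos in range(off, off + size, struct.calcsize(dyn_fmt)):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                return
            yield tag, val


def has_textrel(data):
    """True when the loader must write into text at load time, which is what
    PaX MPROTECT refuses ('cannot make segment writable for relocation')."""
    return any(tag == DT_TEXTREL or (tag == DT_FLAGS and val & DF_TEXTREL)
               for tag, val in dynamic_entries(data))


def sample_elf64(textrel):
    """Constructed, non-loadable ELF64 image (test input only): header at 0,
    one PT_DYNAMIC program header at 64, dynamic table at 120."""
    dyn = struct.pack("<qQ", DT_FLAGS, DF_TEXTREL if textrel else 0)
    dyn += struct.pack("<qQ", DT_NULL, 0)
    phdr = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 120, 120, 120, len(dyn), len(dyn), 8)
    ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)       # ELFCLASS64, LSB, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, 3, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + phdr + dyn
```

Run `has_textrel(open(path, "rb").read())` over each library `ldd` lists for a binary to get the names the reply asks for.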