Hi everyone,

I'm working towards forcing a consistency in how we pax mark our
binaries. The RFC for the design is at

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0

I am trying to force consistency between two (and in the future, three)
ways of doing pax markings: EI_PAX (flags are in the ELF header), PT_PAX
(flags are in an ELF program header) and a new design we're working on,
putting the flags in an extended filesystem attribute. Each has
advantages and disadvantages, and all three will have to be employed to
cover the cases where the others don't work, so a utility which
consistently marks all three is useful.

There are two stages, the userland utility and kernel patching. The
kernel patching is effectively done as long as you choose any of the
gentoo predefined profiles:

Security options --->
  Grsecurity --->
    Security Level --->
      Hardened Gentoo [server]
      or Hardened Gentoo [workstation]
      or Hardened Gentoo [virtualization]

The userland utility is called paxctl-ng and it's part of the
sys-apps/elfix-0.2.0 package which is currently masked pending testing.
That's where you come in. Please test the utility on binaries which
require pax marking and let me know if it works. Of particular interest
are self checking binaries (like skype) which don't have a PT_PAX
section and would break if one were added.

Currently the only known issue with paxctl-ng is that it doesn't properly
do file globbing. I have not yet seen it break a binary, but please
don't use this on a production system until we have more confidence in it.

Thanks.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
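The PT_PAX marking the mail describes (flags in an ELF program header), as an added example that is not elfix/paxctl-ng code: a decoder for the PT_PAX_FLAGS header of an ELF64 image, fed a constructed in-memory sample so it runs without a real binary. It assumes the PaX patch's constants (PT_PAX_FLAGS = 0x65041580 and the on/off bit pairs in p_flags), the conventional PSMXER letter display, and ELF64 only; the 0 return is the case the mail asks testers about, a binary with no PT_PAX header at all.

```c
/* Added example (not elfix/paxctl-ng code): decode PT_PAX_FLAGS from an ELF64 image. */
#include <elf.h>
#include <string.h>
#ifndef PT_PAX_FLAGS
#define PT_PAX_FLAGS 0x65041580U        /* PT_LOOS + 0x5041580, as in the PaX patch */
#endif
/* p_flags bit pairs (lower bit forces on, upper bit forces off), shown in PSMXER order. */
static const struct { char letter; Elf64_Word on, off; } pax_bits[6] = {
    {'P', 1U << 4,  1U << 5},  {'S', 1U << 6,  1U << 7},  {'M', 1U << 8,  1U << 9},
    {'X', 1U << 10, 1U << 11}, {'E', 1U << 12, 1U << 13}, {'R', 1U << 14, 1U << 15},
};
/* 1 = decoded into out (upper = on, lower = off, '-' = unmarked, '!' = both bits set);
 * 0 = no PT_PAX_FLAGS header (the self-checking-binary case); -1 = malformed image. */
int pt_pax_flags(const unsigned char *img, size_t len, char out[7])
{
    Elf64_Ehdr eh; if (len < sizeof eh) return -1; memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64
        || eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        Elf64_Phdr ph; Elf64_Off pos = eh.e_phoff + (Elf64_Off)i * sizeof ph;
        if (pos + sizeof ph > len) return -1;   /* phdr table runs past the image */
        memcpy(&ph, img + pos, sizeof ph); if (ph.p_type != PT_PAX_FLAGS) continue;
        for (int j = 0; j < 6; j++) {
            int on = !!(ph.p_flags & pax_bits[j].on), off = !!(ph.p_flags & pax_bits[j].off);
            out[j] = (on && off) ? '!' : on ? pax_bits[j].letter
                   : off ? (char)(pax_bits[j].letter + 32) : '-';
        }
        out[6] = '\0'; return 1;
    }
    return 0;
}
/* Constructed sample image: ELF64 header, one PT_LOAD and optionally PT_PAX_FLAGS. */
size_t build_sample(unsigned char *buf, size_t cap, int with_pax, Elf64_Word flags)
{
    Elf64_Ehdr eh = {0}; Elf64_Phdr ph[2] = {0};
    size_t n = with_pax ? 2 : 1, total = sizeof eh + n * sizeof(Elf64_Phdr);
    if (cap < total) return 0;
    memcpy(eh.e_ident, ELFMAG, SELFMAG); eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_phoff = sizeof eh; eh.e_phentsize = sizeof(Elf64_Phdr); eh.e_phnum = (Elf64_Half)n;
    ph[0].p_type = PT_LOAD; ph[1].p_type = PT_PAX_FLAGS; ph[1].p_flags = flags;
    memcpy(buf, &eh, sizeof eh); memcpy(buf + sizeof eh, ph, n * sizeof(Elf64_Phdr));
    return total;
}
/* Build a sample and decode it; fixed strings stand in for the 0 / -1 returns. */
const char *sample_flags(int with_pax, Elf64_Word flags)
{
    static unsigned char img[256]; static char s[7];
    int st = pt_pax_flags(img, build_sample(img, sizeof img, with_pax, flags), s);
    return st == 1 ? s : st == 0 ? "(no PT_PAX header)" : "(malformed)";
}
```

Reading the header bits back this way, rather than trusting a tool's own report, is how to confirm on a test box that a marking utility wrote exactly what it claimed.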