Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <blueness@g.o>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0
Date: Tue, 20 Sep 2011 13:03:08
Message-Id: 4E7883B9.50403@gentoo.org
Hi everyone,

I'm working towards forcing a consistency in how we pax mark our
binaries. The RFC for the design is at

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0

I am trying to force consistency between two (and in the future, three)
ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
(flags are in an elf program header) and a new design we're working on,
putting the flags in an Extended Filesystem attribute. Each has
advantages and disadvantages, and all three will have to be employed to
cover the cases where the others don't work, so a utility which
consistently marks all three is useful.

There are two stages, the userland utility and kernel patching. The
kernel patching is effectively done as long as you choose any of the
gentoo predefined profiles:

Security options --->
    Grsecurity --->
        Security Level --->
            Hardened Gentoo [server]
            or Hardened Gentoo [workstation]
            or Hardened Gentoo [virtualization]

The userland utility is called paxctl-ng and it's part of the
sys-apps/elfix-0.2.0 package which is currently masked pending testing.
That's where you come in. Please test the utility on binaries which
require pax marking and let me know if it works. Of particular interest
are self checking binaries (like skype) which don't have a PT_PAX
section and would break if one were added.

Currently the only known issue with paxctl-ng is that it doesn't properly
do file globbing. I have not yet seen it break a binary, but please
don't use this on a production system until we have more confidence in it.

Thanks.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@g.o
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
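As an added illustration of the PT_PAX marking described in the message (this is not elfix or paxctl-ng code), the following Python script walks the program headers of an ELF64 little-endian file, reports whether a PT_PAX header is present at all (the case of self-checking binaries that lack one), and decodes its flags into the paxctl-style letters. The PT_PAX_FLAGS type value and the flag bits follow PaX's definitions; the sample ELF is constructed inline so the script runs offline.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # program header type PaX reserves for its flags
# paxctl-style letters: upper case enables a feature, lower case disables it
PAX_FLAG_BITS = {
    "P": 1 << 4, "p": 1 << 5,    # PAGEEXEC / NOPAGEEXEC
    "S": 1 << 6, "s": 1 << 7,    # SEGMEXEC / NOSEGMEXEC
    "M": 1 << 8, "m": 1 << 9,    # MPROTECT / NOMPROTECT
    "X": 1 << 10, "x": 1 << 11,  # RANDEXEC / NORANDEXEC
    "E": 1 << 12, "e": 1 << 13,  # EMUTRAMP / NOEMUTRAMP
    "R": 1 << 14, "r": 1 << 15,  # RANDMMAP / NORANDMMAP
}
EHDR_FMT = "<16sHHIQQQIHHHHHH"  # ELF64 header, little-endian
PHDR_FMT = "<IIQQQQQQ"          # ELF64 program header


def pt_pax_flags(elf):
    """Return p_flags of the PT_PAX header, or None if the binary has none."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("only ELF64 little-endian is handled here")
    (_, _, _, _, _, phoff, _, _, _, phentsize, phnum,
     _, _, _) = struct.unpack_from(EHDR_FMT, elf, 0)
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, phoff + i * phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None


def decode_pax_flags(p_flags):
    """Turn a PT_PAX p_flags word into its paxctl-style letter string."""
    return "".join(letter for letter, bit in PAX_FLAG_BITS.items() if p_flags & bit)


def build_sample_elf(pax_flags=None):
    """Constructed minimal ELF64: one PT_LOAD plus an optional PT_PAX header."""
    phdrs = [(1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]  # PT_LOAD, r-x
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    ehdr = struct.pack(EHDR_FMT, ident, 2, 62, 1, 0x400000, 64, 0, 0,
                       64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(struct.pack(PHDR_FMT, *p) for p in phdrs)


if __name__ == "__main__":
    for sample in (build_sample_elf(), build_sample_elf((1 << 9) | (1 << 13))):
        flags = pt_pax_flags(sample)
        print("no PT_PAX header" if flags is None else decode_pax_flags(flags))
```

Pointing `pt_pax_flags` at a real file's bytes shows whether a binary already carries a PT_PAX header before any marking tool touches it.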

Replies

Subject Author
Re: [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0 "Tóth Attila" <atoth@××××××××××.hu>