| 1 |
> that would work except writing something like that is very hard, definitely |
| 2 |
> beyond my time just for the sake to handle something that a coredump |
| 3 |
> accomplishes well sans resurrection ability. |
| 4 |
|
| 5 |
> on a sidenote, why would it be acceptable to store a process image on disk |
| 6 |
> whereas a coredump isn't? |
| 7 |
|
| 8 |
Hmm... I didn't know that you could restore a process fully from a core dump - |
| 9 |
hence the question. (My ignorance is showing again :) How interesting. In |
| 10 |
that case, there is no difference between the process image serialisation and |
| 11 |
the coredump, so I'm sorry for wasting your time on that hypothetical. |
| 12 |
|
| 13 |
Memory check-pointing to disk for quick recovery from critical faults (such as |
| 14 |
power failure or exploit attempts) is on my Linux wish list, so I idlely like |
| 15 |
to find other justifications for it that'll convince others to implement it |
| 16 |
for me :) (I clearly don't have the in-depth kernel knowledge to implement it |
| 17 |
myself - yet.) |
| 18 |
|
| 19 |
> uhm, but you already have such a control over per-process PaX features. |
| 20 |
> either paxctl (which marks the executable's ELF header) or MAC system |
| 21 |
> (both grsec and RSBAC provide controls). or i must be not getting your |
| 22 |
> problem ;-). |
| 23 |
|
| 24 |
Having read a little more deeply into the inner workings of PAGEEXEC, |
| 25 |
SEGMEXEC, and MPROTECT now, I see now what I was asking is already achievable |
| 26 |
by just by removing PAGEEXEC or SEGMEXEC protections for Java or Mono, but |
| 27 |
not MPROTECT. MPROTECT should stop any ill-behaved run-time compiled code |
| 28 |
from going out of bounds into other processes, while no execution limitations |
| 29 |
allows the run-time compiled code to execute normally. (If I understand |
| 30 |
correctly now.) Apologies for confusing you and wasting your time with a |
| 31 |
RTFM-type question. |
| 32 |
|
| 33 |
However - while I temporarily have your ear :) I'm interested about being able |
| 34 |
to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a process in |
| 35 |
real-time - while a process is running, or in the hypothetical 'suspended |
| 36 |
awaiting administrative approval to continue' state I keep talking about. |
| 37 |
|
| 38 |
Is such a real-time removal of protections possible with the way PaX is |
| 39 |
currently implemented? If not, I think it'd be an interesting feature in the |
| 40 |
eventuality of such a process suspension feature being developed. |
| 41 |
|
| 42 |
What are your thoughts on this? Am I just spinning more nonsense? :) |
| 43 |
|
| 44 |
On Fri, 15 Feb 2008, pageexec@××××××××.hu wrote: |
| 45 |
> On 15 Feb 2008 at 8:25, Geoff Kassel wrote: |
| 46 |
> > Hmm... what about a store-to-disk serialisation of the affected process |
| 47 |
> > and running dependencies? (I'm thinking along the lines of certain |
| 48 |
> > fault-tolerant kernels that do check-pointing of memory state here.) This |
| 49 |
> > is so that application state can be restored from disk if required by an |
| 50 |
> > administrator. |
| 51 |
> |
| 52 |
> that would work except writing something like that is very hard, definitely |
| 53 |
> beyond my time just for the sake to handle something that a coredump |
| 54 |
> accomplishes well sans resurrection ability. |
| 55 |
> |
| 56 |
> on a sidenote, why would it be acceptable to store a process image on disk |
| 57 |
> whereas a coredump isn't? |
| 58 |
> |
| 59 |
> > I know I'm speaking from a position of ignorance of the inner workings of |
| 60 |
> > PaX here, but what if in the case of a non-executable page fault (this |
| 61 |
> > being the case I'm more concerned about) the non-executable marking could |
| 62 |
> > be overridden at the discrestion of the administrator (or preset new PaX |
| 63 |
> > marking) in order to allow the process to continue? I'm thinking about |
| 64 |
> > cases like Mono and Java, which seem (to my inexperienced eye) to be |
| 65 |
> > trying to execute data segments containing generated code, because |
| 66 |
> > they're compiling said code at run-time. |
| 67 |
> > |
| 68 |
> > If there could be a check so that the page being marked executable is one |
| 69 |
> > that belongs to the fault-triggering process, that would handle these |
| 70 |
> > cases in an admittedly less secure, but a more useable way. |
| 71 |
> |
| 72 |
> uhm, but you already have such a control over per-process PaX features. |
| 73 |
> either paxctl (which marks the executable's ELF header) or MAC system |
| 74 |
> (both grsec and RSBAC provide controls). or i must be not getting your |
| 75 |
> problem ;-). |
| 76 |
-- |
| 77 |
gentoo-hardened@l.g.o mailing list |
Archives