1 |
> that would work except writing something like that is very hard, definitely |
2 |
> beyond my time just for the sake to handle something that a coredump |
3 |
> accomplishes well sans resurrection ability. |
4 |
|
5 |
> on a sidenote, why would it be acceptable to store a process image on disk |
6 |
> whereas a coredump isn't? |
7 |
|
8 |
Hmm... I didn't know that you could restore a process fully from a core dump - |
9 |
hence the question. (My ignorance is showing again :) How interesting. In |
10 |
that case, there is no difference between the process image serialisation and |
11 |
the coredump, so I'm sorry for wasting your time on that hypothetical. |
12 |
|
13 |
Memory check-pointing to disk for quick recovery from critical faults (such as |
14 |
power failure or exploit attempts) is on my Linux wish list, so I idlely like |
15 |
to find other justifications for it that'll convince others to implement it |
16 |
for me :) (I clearly don't have the in-depth kernel knowledge to implement it |
17 |
myself - yet.) |
18 |
|
19 |
> uhm, but you already have such a control over per-process PaX features. |
20 |
> either paxctl (which marks the executable's ELF header) or MAC system |
21 |
> (both grsec and RSBAC provide controls). or i must be not getting your |
22 |
> problem ;-). |
23 |
|
24 |
Having read a little more deeply into the inner workings of PAGEEXEC, |
25 |
SEGMEXEC, and MPROTECT now, I see now what I was asking is already achievable |
26 |
by just by removing PAGEEXEC or SEGMEXEC protections for Java or Mono, but |
27 |
not MPROTECT. MPROTECT should stop any ill-behaved run-time compiled code |
28 |
from going out of bounds into other processes, while no execution limitations |
29 |
allows the run-time compiled code to execute normally. (If I understand |
30 |
correctly now.) Apologies for confusing you and wasting your time with a |
31 |
RTFM-type question. |
32 |
|
33 |
However - while I temporarily have your ear :) I'm interested about being able |
34 |
to remove PAGEEXEC/SEGMEXEC and/or MPROTECT protections for a process in |
35 |
real-time - while a process is running, or in the hypothetical 'suspended |
36 |
awaiting administrative approval to continue' state I keep talking about. |
37 |
|
38 |
Is such a real-time removal of protections possible with the way PaX is |
39 |
currently implemented? If not, I think it'd be an interesting feature in the |
40 |
eventuality of such a process suspension feature being developed. |
41 |
|
42 |
What are your thoughts on this? Am I just spinning more nonsense? :) |
43 |
|
44 |
On Fri, 15 Feb 2008, pageexec@××××××××.hu wrote: |
45 |
> On 15 Feb 2008 at 8:25, Geoff Kassel wrote: |
46 |
> > Hmm... what about a store-to-disk serialisation of the affected process |
47 |
> > and running dependencies? (I'm thinking along the lines of certain |
48 |
> > fault-tolerant kernels that do check-pointing of memory state here.) This |
49 |
> > is so that application state can be restored from disk if required by an |
50 |
> > administrator. |
51 |
> |
52 |
> that would work except writing something like that is very hard, definitely |
53 |
> beyond my time just for the sake to handle something that a coredump |
54 |
> accomplishes well sans resurrection ability. |
55 |
> |
56 |
> on a sidenote, why would it be acceptable to store a process image on disk |
57 |
> whereas a coredump isn't? |
58 |
> |
59 |
> > I know I'm speaking from a position of ignorance of the inner workings of |
60 |
> > PaX here, but what if in the case of a non-executable page fault (this |
61 |
> > being the case I'm more concerned about) the non-executable marking could |
62 |
> > be overridden at the discrestion of the administrator (or preset new PaX |
63 |
> > marking) in order to allow the process to continue? I'm thinking about |
64 |
> > cases like Mono and Java, which seem (to my inexperienced eye) to be |
65 |
> > trying to execute data segments containing generated code, because |
66 |
> > they're compiling said code at run-time. |
67 |
> > |
68 |
> > If there could be a check so that the page being marked executable is one |
69 |
> > that belongs to the fault-triggering process, that would handle these |
70 |
> > cases in an admittedly less secure, but a more useable way. |
71 |
> |
72 |
> uhm, but you already have such a control over per-process PaX features. |
73 |
> either paxctl (which marks the executable's ELF header) or MAC system |
74 |
> (both grsec and RSBAC provide controls). or i must be not getting your |
75 |
> problem ;-). |
76 |
-- |
77 |
gentoo-hardened@l.g.o mailing list |