1 |
> coredumps are subject to the usual rlimit, so it's under userland control. |
2 |
|
3 |
You're quite right, of course. I'd forgotten that this feature was tunable in |
4 |
userspace. (It seems I forget that about a lot of kernel features :) |
5 |
|
6 |
> problem with this is DoS (exhaustion of RLIMIT_NPROC, not to mention all |
7 |
> the memory and other resources used by the process). |
8 |
|
9 |
Hmm... what about a store-to-disk serialisation of the affected process and |
10 |
running dependencies? (I'm thinking along the lines of certain fault-tolerant |
11 |
kernels that do check-pointing of memory state here.) This is so that |
12 |
application state can be restored from disk if required by an administrator. |
13 |
That would shift the DoS from process count limitations (which are deadly to |
14 |
normal system operation if exceeded, I know), to disk size limitations, which |
15 |
is a lot easier to manage automatically in real-time. |
16 |
|
17 |
> probably not a problem |
18 |
> for a malicious local user as he'll just lock himself out but for a system |
19 |
> service (think apache or mysql) it is. |
20 |
|
21 |
Perhaps this store to disk feature I mentioned could be a per-application |
22 |
userspace-controlled configuration option, ala my previous rants about |
23 |
customisable access control management? |
24 |
|
25 |
Resource limitations could be part of the configuration. |
26 |
|
27 |
> this is not possible as the page fault that triggered PaX would just |
28 |
> occur again, ad infinitum. i.e., the userland process cannot make forward |
29 |
> progress (the non-executable or unmapped page where the fault occured will |
30 |
> stay so), the kernel must do something about it. |
31 |
|
32 |
I know I'm speaking from a position of ignorance of the inner workings of PaX |
33 |
here, but what if in the case of a non-executable page fault (this being the |
34 |
case I'm more concerned about) the non-executable marking could be overridden |
35 |
at the discrestion of the administrator (or preset new PaX marking) in order |
36 |
to allow the process to continue? I'm thinking about cases like Mono and |
37 |
Java, which seem (to my inexperienced eye) to be trying to execute data |
38 |
segments containing generated code, because they're compiling said code at |
39 |
run-time. |
40 |
|
41 |
If there could be a check so that the page being marked executable is one that |
42 |
belongs to the fault-triggering process, that would handle these cases in an |
43 |
admittedly less secure, but a more useable way. |
44 |
|
45 |
What do you think? |
46 |
|
47 |
> here's upstream ;-). |
48 |
|
49 |
Thank you for your time in answering my questions and critiquing my ideas for |
50 |
new features :) |
51 |
|
52 |
Kind regards, |
53 |
|
54 |
Geoff Kassel. |
55 |
|
56 |
On Thu, 14 Feb 2008, pageexec@××××××××.hu wrote: |
57 |
> On 13 Feb 2008 at 15:07, Geoff Kassel wrote: |
58 |
> > Speaking of PaX, another great, impossible thing would be to have a |
59 |
> > kernel-level feature for handling PaX violations in a less violent manner |
60 |
> > (core dumps are violent, in my mind) |
61 |
> |
62 |
> coredumps are subject to the usual rlimit, so it's under userland control. |
63 |
> |
64 |
> > - perhaps suspension of the process in question until investigated, |
65 |
> |
66 |
> problem with this is DoS (exhaustion of RLIMIT_NPROC, not to mention all |
67 |
> the memory and other resources used by the process). probably not a problem |
68 |
> for a malicious local user as he'll just lock himself out but for a system |
69 |
> service (think apache or mysql) it is. |
70 |
> |
71 |
> > with the possibility of resumption |
72 |
> |
73 |
> this is not possible as the page fault that triggered PaX would just |
74 |
> occur again, ad infinitum. i.e., the userland process cannot make forward |
75 |
> progress (the non-executable or unmapped page where the fault occured will |
76 |
> stay so), the kernel must do something about it. |
77 |
> |
78 |
> > (Perhaps I'm just unaware of an already existing feature.) Again, an |
79 |
> > upstream issue. |
80 |
> |
81 |
> here's upstream ;-). |
82 |
-- |
83 |
gentoo-hardened@l.g.o mailing list |