| 1 |
> coredumps are subject to the usual rlimit, so it's under userland control. |
| 2 |
|
| 3 |
You're quite right, of course. I'd forgotten that this feature was tunable in |
| 4 |
userspace. (It seems I forget that about a lot of kernel features :) |
| 5 |
|
| 6 |
> problem with this is DoS (exhaustion of RLIMIT_NPROC, not to mention all |
| 7 |
> the memory and other resources used by the process). |
| 8 |
|
| 9 |
Hmm... what about a store-to-disk serialisation of the affected process and |
| 10 |
running dependencies? (I'm thinking along the lines of certain fault-tolerant |
| 11 |
kernels that do check-pointing of memory state here.) This is so that |
| 12 |
application state can be restored from disk if required by an administrator. |
| 13 |
That would shift the DoS from process count limitations (which are deadly to |
| 14 |
normal system operation if exceeded, I know), to disk size limitations, which |
| 15 |
is a lot easier to manage automatically in real-time. |
| 16 |
|
| 17 |
> probably not a problem |
| 18 |
> for a malicious local user as he'll just lock himself out but for a system |
| 19 |
> service (think apache or mysql) it is. |
| 20 |
|
| 21 |
Perhaps this store to disk feature I mentioned could be a per-application |
| 22 |
userspace-controlled configuration option, ala my previous rants about |
| 23 |
customisable access control management? |
| 24 |
|
| 25 |
Resource limitations could be part of the configuration. |
| 26 |
|
| 27 |
> this is not possible as the page fault that triggered PaX would just |
| 28 |
> occur again, ad infinitum. i.e., the userland process cannot make forward |
| 29 |
> progress (the non-executable or unmapped page where the fault occured will |
| 30 |
> stay so), the kernel must do something about it. |
| 31 |
|
| 32 |
I know I'm speaking from a position of ignorance of the inner workings of PaX |
| 33 |
here, but what if in the case of a non-executable page fault (this being the |
| 34 |
case I'm more concerned about) the non-executable marking could be overridden |
| 35 |
at the discrestion of the administrator (or preset new PaX marking) in order |
| 36 |
to allow the process to continue? I'm thinking about cases like Mono and |
| 37 |
Java, which seem (to my inexperienced eye) to be trying to execute data |
| 38 |
segments containing generated code, because they're compiling said code at |
| 39 |
run-time. |
| 40 |
|
| 41 |
If there could be a check so that the page being marked executable is one that |
| 42 |
belongs to the fault-triggering process, that would handle these cases in an |
| 43 |
admittedly less secure, but a more useable way. |
| 44 |
|
| 45 |
What do you think? |
| 46 |
|
| 47 |
> here's upstream ;-). |
| 48 |
|
| 49 |
Thank you for your time in answering my questions and critiquing my ideas for |
| 50 |
new features :) |
| 51 |
|
| 52 |
Kind regards, |
| 53 |
|
| 54 |
Geoff Kassel. |
| 55 |
|
| 56 |
On Thu, 14 Feb 2008, pageexec@××××××××.hu wrote: |
| 57 |
> On 13 Feb 2008 at 15:07, Geoff Kassel wrote: |
| 58 |
> > Speaking of PaX, another great, impossible thing would be to have a |
| 59 |
> > kernel-level feature for handling PaX violations in a less violent manner |
| 60 |
> > (core dumps are violent, in my mind) |
| 61 |
> |
| 62 |
> coredumps are subject to the usual rlimit, so it's under userland control. |
| 63 |
> |
| 64 |
> > - perhaps suspension of the process in question until investigated, |
| 65 |
> |
| 66 |
> problem with this is DoS (exhaustion of RLIMIT_NPROC, not to mention all |
| 67 |
> the memory and other resources used by the process). probably not a problem |
| 68 |
> for a malicious local user as he'll just lock himself out but for a system |
| 69 |
> service (think apache or mysql) it is. |
| 70 |
> |
| 71 |
> > with the possibility of resumption |
| 72 |
> |
| 73 |
> this is not possible as the page fault that triggered PaX would just |
| 74 |
> occur again, ad infinitum. i.e., the userland process cannot make forward |
| 75 |
> progress (the non-executable or unmapped page where the fault occured will |
| 76 |
> stay so), the kernel must do something about it. |
| 77 |
> |
| 78 |
> > (Perhaps I'm just unaware of an already existing feature.) Again, an |
| 79 |
> > upstream issue. |
| 80 |
> |
| 81 |
> here's upstream ;-). |
| 82 |
-- |
| 83 |
gentoo-hardened@l.g.o mailing list |
Archives