| 1 |
2014.December 24.(Sze) 11:38 időpontban PaX Team ezt írta: |
| 2 |
>> I have both PT and XT present in my make.conf for markings. I was told |
| 3 |
>> before, that I should rather opt for only one of the two possibilities - |
| 4 |
>> kernel-option wise and make.conf-marking-selection wise. Kinda both PT |
| 5 |
>> and |
| 6 |
>> XT are not supported at the same time using the current utilities. |
| 7 |
> |
| 8 |
> what particular issues do you still have? |
| 9 |
|
| 10 |
Things evolved, so I should test some combinations again. I missed as the |
| 11 |
problems of the past have passed by. |
| 12 |
|
| 13 |
>> Moreover: there is the question if PT marking is present and XATTR is |
| 14 |
>> missing at the same time: which one takes precedence? I suspect the |
| 15 |
>> system |
| 16 |
>> tries to interpret the missing XATTR, falling back to apply the default |
| 17 |
>> flags, while paying no attention to the PT flags present. Additionally, |
| 18 |
>> I |
| 19 |
>> haven't mentioned any policy defined PAX flags. |
| 20 |
> |
| 21 |
> the general rule is that if a marking is missing (either from the kernel |
| 22 |
> config or the executable) then it won't participate in the decision making |
| 23 |
> process. |
| 24 |
> |
| 25 |
> if both marks are present then they must be the same, otherwise the |
| 26 |
> existing |
| 27 |
> mark will be used as is. |
| 28 |
> |
| 29 |
> if neither mark exists then defaults will be used whose value depends on |
| 30 |
> softmode. in practice you'll get secure defaults in !softmode (this |
| 31 |
> hierarchy |
| 32 |
> was introduced earlier this year, the defaults used to be not secure |
| 33 |
> before |
| 34 |
> due to compatibility concerns for unmarked binaries, but i finally made |
| 35 |
> the |
| 36 |
> switch). |
| 37 |
> |
| 38 |
> for this reason these days you should really only set marks when you |
| 39 |
> actually |
| 40 |
> want to deviate from the (now) secure defaults. |
| 41 |
> |
| 42 |
> note that PT_PAX_FLAGS is special in that it's easier to create it at link |
| 43 |
> time than afterwards, so its presence is ok even if you don't change its |
| 44 |
> default value (which has always been secure for !softmode). |
| 45 |
|
| 46 |
As of 3.9.2 hardened applies a patch to make EMUTRAMP enabled by default. |
| 47 |
I know that it's needed for python to work. The comments of the patch also |
| 48 |
talks about the libffi library as a reason. |
| 49 |
|
| 50 |
Thanks for clarifying the situation. |
| 51 |
|
| 52 |
Boldog Karácsonyt: |
| 53 |
Dw. |
| 54 |
|
| 55 |
-- |
| 56 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 57 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
Archives