Hi everyone,

As you may know, I've been working on a set of utilities to use with a
PaX enabled kernel. These are installed with sys-app/elfix which
depends on dev-python/pypax. They're currently in the gentoo tree, but
masked. I need testers. The two utilities I need tested are:


1. revdep-pax. Basically it will look at elf binaries and the libraries
they link against and see if there is a mismatch between the PaX
markings of the binary and the library. It does both forward and
reverse mappings, i.e. you can start from an executable and find all the
libraries with mismatched markings, or you can start from a library and
find all the binaries that link against it and have different PaX
markings. If you want, you can forward or reverse migrate those markings.

I suspect it may have one issue: I get all the elf objects for the
forward mappings from /var/db/pkg/<cat>/<pkg>/NEEDED. However, since
some libraries link against other libraries, I'm not sure I've gotten
everything. I may have to switch to getting the elf objects out of some
predefined $PATH and $LD_PATH.


2. paxctl-ng. This will do the same thing that paxctl does, but it adds
support for doing pax markings in Extended Attributes if the filesystem
will support them. It has some important differences from paxctl, one
being that it will *never* try to edit the elf object, beyond just
changing the PT_PAX flags, which is always safe. I.e., if an elf binary
lacks a PT_PAX program header, paxctl-ng will never try to create one,
so it is always safe to use even on self-checking elfs like skype. You
can also use paxctl-ng to create the XT_PAX (i.e. extended attribute)
markings and then it will use either PT_PAX or XT_PAX or both to keep
the PaX flag markings.

The only known issue here is that it doesn't do file globbing. I'll add
it in a later release.

NOTE: XT_PAX is NOT YET supported in the kernel. I'm working on that
now. Until then, we're just testing the userland utility. When the
kernel has XT_PAX support, I'll write some POC test which creates an elf
without a PT_PAX program header, and only XT_PAX markings and see if it
works. We'll then be able to cover binaries which cannot support PT_PAX
program headers with XT_PAX.


Please read the man pages! Make sure they read okay too.


Thanks.

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
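An added illustration of what the two tools described above look at, written for this page and not taken from elfix or pypax: a read-only Python sketch that locates the PT_PAX_FLAGS program header in an ELF object, renders its flags as a letter string, and reports the per-flag mismatches between an executable and a library it links against (the revdep-pax check). The PT_PAX_FLAGS p_type and the PF_* bit positions are the constants from PaX's elf.h; the six-letter rendering is this example's own convention, the ELF bytes are constructed inline, and an object without a PT_PAX header is only reported, never rewritten, matching the paxctl-ng behaviour the post describes. XT_PAX is left out since the post says kernel support is not there yet.

```python
import struct

PT_PAX_FLAGS = 0x65041580  # p_type of the PaX program header (PT_LOOS + 0x5041580)
# (enable bit, disable bit, letter) per PaX flag, in the order this example prints them
PAX_FLAG_BITS = [(1 << 4, 1 << 5, "P"), (1 << 6, 1 << 7, "S"),      # PAGEEXEC, SEGMEXEC
                 (1 << 8, 1 << 9, "M"), (1 << 12, 1 << 13, "E"),    # MPROTECT, EMUTRAMP
                 (1 << 14, 1 << 15, "R"), (1 << 10, 1 << 11, "X")]  # RANDMMAP, RANDEXEC

def pt_pax_flags(elf):
    """Return p_flags of the PT_PAX_FLAGS phdr, or None if the object has none.
    Read-only: like paxctl-ng, a missing header is reported, never created."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    is64, endian = elf[4] == 2, ("<" if elf[5] == 1 else ">")
    if is64:  # Elf64_Ehdr: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 54)
    else:     # Elf32_Ehdr: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from(endian + "I", elf, off)[0] == PT_PAX_FLAGS:
            # Elf64_Phdr stores p_flags right after p_type; Elf32_Phdr keeps it at offset 24
            return struct.unpack_from(endian + "I", elf, off + (4 if is64 else 24))[0]
    return None

def flags_to_str(p_flags):
    """Upper case = flag enabled, lower = disabled, '-' = unset (or both bits set)."""
    def one(on, off, letter):
        on_set, off_set = bool(p_flags & on), bool(p_flags & off)
        return "-" if on_set == off_set else (letter if on_set else letter.lower())
    return "".join(one(*bits) for bits in PAX_FLAG_BITS)

def mismatches(bin_flags, lib_flags):
    """revdep-pax style check: flags where an executable and a library it links
    against disagree, as (flag letter, executable state, library state)."""
    bs, ls = flags_to_str(bin_flags), flags_to_str(lib_flags)
    return [(bits[2], x, y) for bits, x, y in zip(PAX_FLAG_BITS, bs, ls) if x != y]

def make_elf64(p_flags=None):
    """Constructed test input: a bare ELF64 header, plus one PT_PAX_FLAGS phdr
    carrying p_flags unless p_flags is None (an object with no PT_PAX header)."""
    phnum = 0 if p_flags is None else 1
    ehdr = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, phnum, 64, 0, 0)
    phdr = b"" if phnum == 0 else struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 8)
    return ehdr + phdr
```

Feeding it a real binary means reading the file bytes and calling `pt_pax_flags` on them; an object with no PT_PAX header yields `None`, which is the case the post says paxctl-ng leaves untouched.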