Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <basile@××××××××××××××.edu>
To: gentoo-hardened@l.g.o
Subject: [gentoo-hardened] Guinea pigs ... ehm ... testers required!
Date: Sun, 23 Oct 2011 16:51:27
Message-Id: 4EA445E5.4070101@opensource.dyc.edu
Hi everyone,

As you may know, I've been working on a set of utilities to use with a
PaX enabled kernel. These are installed with sys-app/elfix which
depends on dev-python/pypax. They're currently in the gentoo tree, but
masked. I need testers. The two utilities I need tested are:


1. revdep-pax. Basically it will look at elf binaries and the libraries
they link against and see if there is a mismatch between the PaX
markings of the binary and the library. It does both forward and
reverse mappings, i.e. you can start from an executable and find all the
libraries with mismatched markings, or you can start from a library and
find all the binaries that link against it and have different PaX
markings. If you want, you can forward or reverse migrate those markings.

I suspect it may have one issue: I get all the elf objects for the
forward mappings from /var/db/pkg/<cat>/<pkg>/NEEDED. However, since
some libraries link against other libraries, I'm not sure I've gotten
everything. I may have to switch to getting the elf objects out of some
predefined $PATH and $LD_PATH.


2. paxctl-ng. This will do the same thing that paxctl does, but it adds
support for doing pax markings in Extended Attributes if the filesystem
will support them. It has some important differences from paxctl, one
being that it will *never* try to edit the elf object, beyond just
changing the PT_PAX flags, which is always safe. I.e., if an elf binary
lacks a PT_PAX program header, paxctl-ng will never try to create one,
so it is always safe to use even on self-checking elfs like skype. You
can also use paxctl-ng to create the XT_PAX (i.e. extended attribute)
markings and then it will use either PT_PAX or XT_PAX or both to keep
the PaX flag markings.

The only known issue here is that it doesn't do file globbing. I'll add
it in a later release.

NOTE: XT_PAX is NOT YET supported in the kernel. I'm working on that
now. Until then, we're just testing the userland utility. When the
kernel has XT_PAX support, I'll write some POC test which creates an elf
without a PT_PAX program header, and only XT_PAX markings and see if it
works. We'll then be able to cover binaries which cannot support PT_PAX
program headers with XT_PAX.


Please read the man pages! Make sure they read okay too.


Thanks.

--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
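As an added illustration of what the two utilities in the mail check (example code written for this archive page, not code from elfix, pypax or the author): it locates the PT_PAX program header in an ELF image and decodes its flags, renders them in the upper/lower-case style paxctl uses, and runs a revdep-pax-style forward and reverse mismatch search over a dependency map. The forward search goes beyond reading a binary's own NEEDED line by following library-to-library links transitively, which is the gap the mail raises. Assumptions: the PT_PAX_FLAGS type value and the per-feature enable/disable bits are those defined by the PaX kernel patch; the letter order P E M R X S is a display choice of this example; the ELF images, the `needed` map and the sample paths are constructed inline rather than read from /var/db/pkg; XT_PAX extended attributes are not touched.

```python
"""Decode PT_PAX program-header flags from ELF objects and report PaX-marking
mismatches between a binary and its libraries. Added example, not elfix/pypax code."""
import struct

PT_PAX_FLAGS = 0x65041580  # p_type of the PaX program header (value from the PaX patch)

# p_flags bits of a PT_PAX_FLAGS header as (letter, enable bit, disable bit);
# neither bit set means "kernel default". Letter order is this example's choice.
PAX_FEATURES = (
    ("P", 1 << 4, 1 << 5),     # PAGEEXEC
    ("E", 1 << 12, 1 << 13),   # EMUTRAMP
    ("M", 1 << 8, 1 << 9),     # MPROTECT
    ("R", 1 << 14, 1 << 15),   # RANDMMAP
    ("X", 1 << 10, 1 << 11),   # RANDEXEC
    ("S", 1 << 6, 1 << 7),     # SEGMEXEC
)

def read_pt_pax_flags(data):
    """Return p_flags of the PT_PAX_FLAGS header, or None if the object has no
    such header. Handles ELF32/ELF64 and both byte orders; non-ELF input raises."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    elfclass, end = data[4], {1: "<", 2: ">"}.get(data[5])
    if end is None or elfclass not in (1, 2):
        raise ValueError("unsupported ELF class or byte order")
    if elfclass == 2:                      # ELF64: e_phoff@32, e_phentsize/e_phnum@54
        (e_phoff,) = struct.unpack_from(end + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
        flags_off = 4                      # p_flags directly follows p_type in Elf64_Phdr
    else:                                  # ELF32: e_phoff@28, e_phentsize/e_phnum@42
        (e_phoff,) = struct.unpack_from(end + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
        flags_off = 24                     # p_flags is the 7th word in Elf32_Phdr
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        if base + e_phentsize > len(data):
            raise ValueError("truncated program header table")
        (p_type,) = struct.unpack_from(end + "I", data, base)
        if p_type == PT_PAX_FLAGS:
            return struct.unpack_from(end + "I", data, base + flags_off)[0]
    return None

def pax_flags_to_str(flags):
    """Render p_flags as six letters: upper = enabled, lower = disabled,
    '-' = default. A feature with both bits set is contradictory and rejected."""
    out = []
    for letter, on, off in PAX_FEATURES:
        if flags & on and flags & off:
            raise ValueError("feature %s is both enabled and disabled" % letter)
        out.append(letter if flags & on else letter.lower() if flags & off else "-")
    return "".join(out)

def make_elf(flags, elfclass=2, end="<", p_type=PT_PAX_FLAGS):
    """Build a minimal ELF image (constructed test input, not a real binary)
    whose single program header has type `p_type` and carries `flags`."""
    ident = b"\x7fELF" + bytes([elfclass, 1 if end == "<" else 2, 1]) + b"\0" * 9
    if elfclass == 2:
        ehdr = struct.pack(end + "16sHHIQQQIHHHHHH", ident, 2, 62, 1, 0, 64, 0, 0,
                           64, 56, 1, 64, 0, 0)
        phdr = struct.pack(end + "IIQQQQQQ", p_type, flags, 0, 0, 0, 0, 0, 0)
    else:
        ehdr = struct.pack(end + "16sHHIIIIIHHHHHH", ident, 2, 3, 1, 0, 52, 0, 0,
                           52, 32, 1, 40, 0, 0)
        phdr = struct.pack(end + "IIIIIIII", p_type, 0, 0, 0, 0, 0, flags, 0)
    return ehdr + phdr

def transitive_needed(needed, start):
    """Every object `start` depends on, following library-to-library links as
    well (the case the mail says a binary's own NEEDED line alone may miss)."""
    seen, stack = set(), list(needed.get(start, ()))
    while stack:
        obj = stack.pop()
        if obj not in seen:
            seen.add(obj)
            stack.extend(needed.get(obj, ()))
    return seen

def find_mismatches(needed, marks, start, reverse=False):
    """Forward: libraries whose marks differ from binary `start`.
    Reverse: binaries that link library `start` with marks different from it.
    `needed` maps object -> objects it links against; `marks` maps object ->
    flag string (an object missing from `marks` has no PT_PAX header: None)."""
    if reverse:
        pairs = [(b, start) for b, libs in needed.items() if start in libs]
    else:
        pairs = [(start, lib) for lib in sorted(transitive_needed(needed, start))]
    return [(b, lib, marks.get(b), marks.get(lib))
            for b, lib in pairs if marks.get(b) != marks.get(lib)]

if __name__ == "__main__":
    # Constructed sample: app disables MPROTECT, both libraries keep defaults.
    needed = {"/usr/bin/app": ["libfoo.so.1"], "libfoo.so.1": ["libc.so.6"]}
    images = {"/usr/bin/app": make_elf(1 << 9), "libfoo.so.1": make_elf(0),
              "libc.so.6": make_elf(0, elfclass=1, end=">")}
    marks = {p: pax_flags_to_str(read_pt_pax_flags(d)) for p, d in images.items()}
    print(find_mismatches(needed, marks, "/usr/bin/app"))
    print(find_mismatches(needed, marks, "libfoo.so.1", reverse=True))
```

On a real system `marks` would be filled by reading each object listed in the NEEDED files and calling `read_pt_pax_flags` on it; an object that lacks a PT_PAX header shows up as `None`, which is exactly the case paxctl-ng refuses to "fix" by rewriting the ELF and which XT_PAX is meant to cover once the kernel supports it.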