> Well, I was directed to asking here from the networking/security forums, which
> seemed like a good idea for the question that I had: I was wondering what I
> have to do to get all of the PaX options selected in the kernel to be in effect
> for all programs. It seems like going through my entire system with paxctl
> cannot be the correct way to do this.

unless you enabled/use softmode, most of the PaX enforcements are enabled
by default (in particular, PAGEEXEC or SEGMEXEC, MPROTECT and RANDMMAP).

only EMUTRAMP and RANDEXEC have to be enabled explicitly as they either
pose a security or reliability risk (a recent toolchain will handle
EMUTRAMP automatically though). if you want to be sure, just run paxtest
and see what it reports.

> It did occur to me that this might be the default behavior, but it wouldn't
> appear to be, as gcc has had no problems with compilations (and the trampoline
> emulation was not selected in the kernel, nor was gcc exempted from any of the
> enabled restrictions) so it would appear that, at least for gcc, the PaX
> protections aren't enabled, and hence I assume they aren't for anything else (I
> actually couldn't confirm this after a few, probably misguided, attempts at
> paxctl -PEMRXS *).

you're confusing gcc nested function trampolines with gcc itself ;-), the
latter doesn't use the former hence no need to enable emulation on it. you'd
notice the lack of EMUTRAMP on apps that actually use nested functions (and
are not marked by the toolchain properly).

-- 
gentoo-hardened@g.o mailing list
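The point of the reply is that a binary with no PaX mark at all still gets the kernel defaults, and paxctl only records per-binary overrides in the PT_PAX_FLAGS program header. The following added example (not from the list or from PaX itself) decodes that header from an ELF image and reports, per feature, whether the state comes from an explicit mark or from the non-softmode defaults the reply describes; the flag bit values are those from the PaX patch's elf.h, and `minimal_elf64` builds a constructed header-only sample, not a runnable binary.

```python
import struct

# PT_PAX_FLAGS program header type and per-feature flag bits (PaX elf.h).
# Each feature has an "enable" bit and a "disable" bit; paxctl sets one of them.
PT_PAX_FLAGS = 0x65041580
# name: (enable bit, disable bit, paxctl letter, default on a non-softmode kernel)
PAX_FEATURES = {
    "PAGEEXEC": (1 << 4, 1 << 5, "P", "on"),
    "SEGMEXEC": (1 << 6, 1 << 7, "S", "on"),
    "MPROTECT": (1 << 8, 1 << 9, "M", "on"),
    "RANDEXEC": (1 << 10, 1 << 11, "X", "off"),
    "EMUTRAMP": (1 << 12, 1 << 13, "E", "off"),
    "RANDMMAP": (1 << 14, 1 << 15, "R", "on"),
}

def pax_flags_word(elf: bytes):
    """Return p_flags of the PT_PAX_FLAGS program header, or None if unmarked."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        # p_flags is at +4 in Elf64_Phdr but at +24 in Elf32_Phdr
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def effective_pax(elf: bytes):
    """Map feature -> (on/off, 'marked' or 'default'); no mark means kernel default."""
    word = pax_flags_word(elf) or 0
    result = {}
    for name, (on_bit, off_bit, _, default) in PAX_FEATURES.items():
        if word & on_bit:
            result[name] = ("on", "marked")
        elif word & off_bit:
            result[name] = ("off", "marked")
        else:
            result[name] = (default, "default")
    return result

def minimal_elf64(pax_word: int) -> bytes:
    """Constructed sample: little-endian ELF64 header plus one PT_PAX_FLAGS phdr."""
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 0x3E, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_word, 0, 0, 0, 0, 0, 0)
```

Running `effective_pax` over an unmarked binary reports every feature as "default", which is the situation the original poster mistook for "not enabled".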