| 1 |
> Well, i was directed to asking here from the networking/security forums, which |
| 2 |
> seemed like a good idea for the question that i had: I was wondering what I |
| 3 |
> have to do to get all of the PaX options selected in the kernel to be in effect |
| 4 |
> for all programs. It seems like going through my entire system with paxctl |
| 5 |
> cannot be the correct way to do this. |
| 6 |
|
| 7 |
unless you enabled/use softmode, most of the PaX enforcements are enabled |
| 8 |
by default (in particular, PAGEEXEC or SEGMEXEC, MPROTECT and RANDMMAP). |
| 9 |
|
| 10 |
only EMUTRAMP and RANDEXEC have to be enabled explicitly as they either |
| 11 |
pose a security or reliability risk (a recent toolchain will handle |
| 12 |
EMUTRAMP automatically though). if you want to be sure, just run paxtest |
| 13 |
and see what it reports. |
| 14 |
|
| 15 |
> It did occur to me that this might be the default behavior, but it wouldn't |
| 16 |
> appear to be, as gcc has had no problems with compilations (and the trampoline |
| 17 |
> emuklation was not selected in the kernel, nor was gcc exempted from any of the |
| 18 |
> enabled restrictions) so it would appear that, at least for gcc, the PaX |
| 19 |
> protections aren't enabled, and hence i assume they aren't for anything else (I |
| 20 |
> actually couldn't confirm this after a few, probably misguided, attempts at |
| 21 |
> paxctl -PEMRXS *). |
| 22 |
|
| 23 |
you're confusing gcc nested function trampolines with gcc itself ;-), the |
| 24 |
latter doesn't use the former hence no need to enable emulation on it. you'd |
| 25 |
notice the lack of EMUTRAMP on apps that actually use nested functions (and |
| 26 |
are not marked by the toolchain properly). |
| 27 |
|
| 28 |
|
| 29 |
-- |
| 30 |
gentoo-hardened@g.o mailing list |
Archives