On 30.03.2012 20:12, Ђорђе Тодоровић wrote:
> On Thu, 29 Mar 2012, Sven Vermeulen wrote:
>
>> You can try to make it a valid ELF header first, and then paxmark it.
>>
>> I have the following for my Skype:
>> paxctl -C /opt/skype/skype
>> paxctl -me /opt/skype/skype
>
> I tried running paxctl -Cm on it (should be run on install with pax_kernel USE
> flag), but it still reports an invalid ELF executable.
>
> This is listed in the ebuild:
>
> if use pax_kernel; then
>     pax-mark Cm "${D}"/opt/skype/skype || die
>     eqawarn "You have set USE=pax_kernel meaning that you intend to run"
>     eqawarn "skype under a PaX enabled kernel. To do so, we must modify"
>     eqawarn "the skype binary itself and this *may* lead to breakage! If"
>     eqawarn "you suspect that skype is being broken by this modification,"
>     eqawarn "please open a bug."
> fi
>
> BTW, I checked the skype changelog and this was added recently:
> 29 Feb 2012; mthode <mthode@g.o> skype-2.2.0.35-r1.ebuild:
> fix the paxmarking syntax
> 28 Feb 2012; mthode <mthode@g.o> skype-2.2.0.35-r1.ebuild:
> paxmarked m skype to work on hardened
>
> But it somehow fails to complete on my machine when I try it manually.
> I also just checked, my current profile is multilib (I said earlier
> no-multilib)
>
> I seriously am not sure if it is of any help, but attached the ELF header of the
> skype executable (/opt/skype/skype) so maybe (IDK) someone can tell if
> there is an obvious problem there.
> file /opt/skype/skype says:
> /opt/skype/skype: ELF 32-bit LSB executable, Intel 80386, version 1
> (SYSV), dynamically linked (uses shared libs), stripped

Hi

scanelf -x /opt/skype/skype
TYPE PAX FILE
ET_EXEC --mxe- /opt/skype/skype

ls -l /opt/skype/skype
-rwxr-xr-x 1 root root 21362552 03-01 11:22 /opt/skype/skype

*Skype works fine on pax-kernel.*

Linux localhost 3.3.0-gl1 #1 SMP PREEMPT Wed Mar 28 00:21:14 CEST 2012 *x86_64* Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz GenuineIntel GNU/Linux

My Pax configuration:

*zgrep -i pax /proc/config.gz*
# PaX
CONFIG_PAX=y
# PaX Control
CONFIG_PAX_SOFTMODE=y
CONFIG_PAX_EI_PAX=y
CONFIG_PAX_PT_PAX_FLAGS=y
# CONFIG_PAX_NO_ACL_FLAGS is not set
CONFIG_PAX_HAVE_ACL_FLAGS=y
# CONFIG_PAX_HOOK_ACL_FLAGS is not set
CONFIG_PAX_NOEXEC=y
CONFIG_PAX_PAGEEXEC=y
CONFIG_PAX_EMUTRAMP=y
CONFIG_PAX_MPROTECT=y
CONFIG_PAX_MPROTECT_COMPAT=y
CONFIG_PAX_ELFRELOCS=y
CONFIG_PAX_KERNEXEC_PLUGIN_METHOD=""
CONFIG_PAX_ASLR=y
CONFIG_PAX_RANDKSTACK=y
CONFIG_PAX_RANDUSTACK=y
CONFIG_PAX_RANDMMAP=y
CONFIG_PAX_MEMORY_STACKLEAK=y
CONFIG_PAX_REFCOUNT=y
CONFIG_PAX_USERCOPY=y

*paxtest blackhat*
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@×××××××××.org>
Released under the GNU Public Licence version 2 or later

Writing output to paxtest.log
It may take a while for the tests to complete
Test results:
PaXtest - Copyright(c) 2003,2004 by Peter Busser <peter@×××××××××.org>
Released under the GNU Public Licence version 2 or later

Mode: blackhat
Linux localhost 3.3.0-gl1 #1 SMP PREEMPT Wed Mar 28 00:21:14 CEST 2012 x86_64 Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz GenuineIntel GNU/Linux

Executable anonymous mapping             : Killed
Executable bss                           : Killed
Executable data                          : Killed
Executable heap                          : Killed
Executable stack                         : Killed
Executable shared library bss            : Killed
Executable shared library data           : Killed
Executable anonymous mapping (mprotect)  : Killed
Executable bss (mprotect)                : Killed
Executable data (mprotect)               : Killed
Executable heap (mprotect)               : Killed
Executable stack (mprotect)              : Killed
Executable shared library bss (mprotect) : Killed
Executable shared library data (mprotect): Killed
Writable text segments                   : Killed
Anonymous mapping randomisation test     : 33 bits (guessed)
Heap randomisation test (ET_EXEC)        : 23 bits (guessed)
Heap randomisation test (PIE)            : 40 bits (guessed)
Main executable randomisation (ET_EXEC)  : No randomisation
Main executable randomisation (PIE)      : 32 bits (guessed)
Shared library randomisation test        : 33 bits (guessed)
Stack randomisation test (SEGMEXEC)      : 40 bits (guessed)
Stack randomisation test (PAGEEXEC)      : 40 bits (guessed)
Return to function (strcpy)              : paxtest: return address contains a NULL byte.
Return to function (memcpy)              : Killed
Return to function (strcpy, PIE)         : paxtest: return address contains a NULL byte.
Return to function (memcpy, PIE)         : Killed

Cheers
;)
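
Added example (not part of the original message, and not code from paxctl or pax-utils): a small Python reader for the PT_PAX_FLAGS program header, reporting the marking in the six-column form of the scanelf -x output above. The sample ELF bytes are constructed, and the column order P, S, M, X, E, R is an assumption taken from that output format.

```python
import struct

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, as defined in elf.h
PT_GNU_STACK = 0x6474E551
# (enable bit, disable bit, letter); column order assumed from the scanelf -x output
PAX_BITS = [(1 << 4, 1 << 5, "P"), (1 << 6, 1 << 7, "S"), (1 << 8, 1 << 9, "M"),
            (1 << 10, 1 << 11, "X"), (1 << 12, 1 << 13, "E"), (1 << 14, 1 << 15, "R")]


def pax_flags(elf: bytes):
    """Return the PT_PAX_FLAGS string (e.g. '--mxe-'), or None if no such header exists."""
    if len(elf) < 52 or elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        phoff, = struct.unpack_from(end + "Q", elf, 32)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 54)
    else:
        phoff, = struct.unpack_from(end + "I", elf, 28)
        phentsize, phnum = struct.unpack_from(end + "HH", elf, 42)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type != PT_PAX_FLAGS:
            continue
        # p_flags follows p_type directly in ELF64 but sits at offset 24 in ELF32
        p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
        return "".join(c if p_flags & on else c.lower() if p_flags & no else "-"
                       for on, no, c in PAX_BITS)
    return None


def sample_elf32(p_type, p_flags):
    """Constructed input: minimal little-endian ELF32 header plus one program header."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, 1, 0, 0, 0)
    return ehdr + struct.pack("<8I", p_type, 0, 0, 0, 0, 0, p_flags, 4)


if __name__ == "__main__":
    # NOMPROTECT | NORANDEXEC | NOEMUTRAMP, the marking shown for /opt/skype/skype
    print(pax_flags(sample_elf32(PT_PAX_FLAGS, 0x2A00)))
    # Only PT_GNU_STACK present: there is no PT_PAX_FLAGS header to read
    print(pax_flags(sample_elf32(PT_GNU_STACK, 6)))
```

A result of None means the binary carries no PT_PAX_FLAGS program header, so there is nothing for the kernel's PT_PAX_FLAGS support to read from it.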