What if somebody uses a custom set of config options instead of the gentoo
predefined profiles?
Which kernel option is responsible for enabling the new design?

Thanks,
Dw.
-- 
Dr. Attila Tóth, Radiologist, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

On 2011 September 20 (Tue) 14:14, Anthony G. Basile wrote:
> Hi everyone,
> 
> I'm working towards forcing a consistency in how we pax mark our
> binaries. The RFC for the design is at
> 
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0
> 
> I am trying to force consistency between two (and in the future, three)
> ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
> (flags are in an elf program header) and a new design we're working on,
> putting the flags in an Extended Filesystem attribute. Each has
> advantages and disadvantages, and all three will have to be employed to
> cover the cases where the others don't work, so a utility which
> consistently marks all three is useful.
> 
> There are two stages, the userland utility and kernel patching. The
> kernel patching is effectively done as long as you choose any of the
> gentoo predefined profiles:
> 
>   Security options --->
>     Grsecurity --->
>       Security Level --->
>         Hardened Gentoo [server]
>         or Hardened Gentoo [workstation]
>         or Hardened Gentoo [virtualization]
> 
> The userland utility is called paxctl-ng and it's part of the
> sys-apps/elfix-0.2.0 package which is currently masked pending testing.
> That's where you come in. Please test the utility on binaries which
> require pax marking and let me know if it works. Of particular interest
> are self-checking binaries (like skype) which don't have a PT_PAX
> section and would break if one were added.
> 
> Currently, the only known issue with paxctl-ng is that it doesn't properly
> do file globbing. I have not yet seen it break a binary, but please
> don't use this on a production system until we have more confidence in it.
> 
> Thanks.
> 
> -- 
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@g.o
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
> 
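The quoted message lists three places a PaX marking can live: EI_PAX (bytes in the ELF identification header), PT_PAX (a dedicated program header) and an extended attribute. The following script, added here as an illustration and not part of the thread, of elfix or of paxctl-ng, shows what the PT_PAX and xattr forms look like on disk: it walks the program header table of an ELF32 or ELF64 image, returns the `p_flags` word of the `PT_PAX_FLAGS` entry if there is one, decodes it, and reads the xattr form on Linux. Assumptions: the `PT_PAX_FLAGS` type value (`0x65041580`) and the `PF_*` enable/disable bit pairs are taken from the PaX patch and elfix headers as the editor knows them; the xattr name `user.pax.flags` is the key elfix adopted for its xattr design and may not match what this 2011 RFC finally specified; the ELF image is constructed inline and is not a runnable binary. EI_PAX is deliberately not decoded. The "on/off/default/conflict" rendering is this example's own, not paxctl's output format.

```python
import os
import struct
from typing import Dict, Optional

# PT_PAX_FLAGS = PT_LOOS + 0x5041580, the program header type PaX and elfix use.
# Assumption: values taken from the PaX patch / elfix headers, not from this thread.
PT_PAX_FLAGS = 0x65041580

# Each PaX feature has an "enable" bit and a "disable" bit in p_flags; neither set
# means "kernel default". Assumption: bit layout as in the PaX patch's PF_* flags.
PAX_FLAG_BITS: Dict[str, tuple] = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}

# Assumption: xattr key used by elfix's later xattr-based marking.
PAX_XATTR_NAME = "user.pax.flags"


def find_pt_pax_flags(data: bytes) -> Optional[int]:
    """Return p_flags of the PT_PAX_FLAGS program header, or None if the file has none."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    endian = {1: "<", 2: ">"}.get(ei_data)
    if endian is None:
        raise ValueError("unknown EI_DATA")
    if ei_class == 2:  # ELFCLASS64: p_flags is the 2nd field of Elf64_Phdr
        ehdr = struct.unpack(endian + "16sHHIQQQIHHHHHH", data[:64])
        phdr_fmt, flags_idx = endian + "IIQQQQQQ", 1
    elif ei_class == 1:  # ELFCLASS32: p_flags is the 7th field of Elf32_Phdr
        ehdr = struct.unpack(endian + "16sHHIIIIIHHHHHH", data[:52])
        phdr_fmt, flags_idx = endian + "IIIIIIII", 6
    else:
        raise ValueError("unknown EI_CLASS")
    e_phoff, e_phentsize, e_phnum = ehdr[5], ehdr[9], ehdr[10]
    size = struct.calcsize(phdr_fmt)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + size > len(data):
            raise ValueError("truncated program header table")
        ph = struct.unpack(phdr_fmt, data[off:off + size])
        if ph[0] == PT_PAX_FLAGS:
            return ph[flags_idx]
    return None


def decode_pax_flags(flags: int) -> Dict[str, str]:
    """Map each feature to on/off/default; both bits set is reported as a conflict."""
    out = {}
    for name, (on_bit, off_bit) in PAX_FLAG_BITS.items():
        on, off = bool(flags & on_bit), bool(flags & off_bit)
        out[name] = "conflict" if on and off else "on" if on else "off" if off else "default"
    return out


def read_xattr_pax(path: str) -> Optional[str]:
    """Read the xattr form of the marking. Linux-only; None if absent or unsupported."""
    try:
        return os.getxattr(path, PAX_XATTR_NAME).decode("ascii", "replace")
    except (OSError, AttributeError):
        return None


def build_sample_elf64(pax_flags: Optional[int]) -> bytes:
    """Constructed little-endian ELF64 image: header, one PT_LOAD, and optionally a
    PT_PAX_FLAGS header carrying pax_flags. Not a runnable binary."""
    phdrs = [struct.pack("<IIQQQQQQ", 1, 5, 0, 0x400000, 0x400000, 0x1000, 0x1000, 0x1000)]
    if pax_flags is not None:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8))
    e_ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8  # 64-bit, LSB, version 1
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", e_ident, 2, 62, 1, 0x400000,
                       64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            flags = find_pt_pax_flags(f.read())
        print("PT_PAX:", decode_pax_flags(flags) if flags is not None else "absent")
        print("xattr :", read_xattr_pax(sys.argv[1]))
    else:
        # Constructed sample: MPROTECT and RANDMMAP explicitly disabled, the rest default.
        sample = build_sample_elf64(PAX_FLAG_BITS["MPROTECT"][1] | PAX_FLAG_BITS["RANDMMAP"][1])
        print(decode_pax_flags(find_pt_pax_flags(sample)))
```

Run it against a real binary to see which of the two forms it carries; a file that has no `PT_PAX_FLAGS` entry (the self-checking case the message mentions) returns `None` from `find_pt_pax_flags`, which is exactly why the marking would have to be carried outside the file in an xattr rather than by adding a program header.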