| 1 |
What if somebody uses a custom set of config options instead of the gentoo |
| 2 |
predefined profiles? |
| 3 |
Which kernel option is responsilbe to enable the new design? |
| 4 |
|
| 5 |
Thanks: |
| 6 |
Dw. |
| 7 |
-- |
| 8 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
| 9 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
| 10 |
|
| 11 |
2011.Szeptember 20.(K) 14:14 időpontban Anthony G. Basile ezt írta: |
| 12 |
> Hi everyone, |
| 13 |
> |
| 14 |
> I'm working towards forcing a consistency in how we pax mark our |
| 15 |
> binaries. The RFC for the design is at |
| 16 |
> |
| 17 |
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0 |
| 18 |
> |
| 19 |
> I am trying to force consistency between two (and in the future, three) |
| 20 |
> ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX |
| 21 |
> (flags are in an elf program header) and a new design we're working on, |
| 22 |
> putting the flags in an Extended Filesystem attribute. Each has |
| 23 |
> advantages and disadvantages, and all three will have to be employed to |
| 24 |
> cover the cases where the others don't work, so a utility which |
| 25 |
> consistently marks all three is useful. |
| 26 |
> |
| 27 |
> There are two stages, the userland utility and kernel patching. The |
| 28 |
> kernel patching is effectively done as long as you choose any of the |
| 29 |
> gentoo predefined profiles: |
| 30 |
> |
| 31 |
> Security options ---> |
| 32 |
> Grsecurity ---> |
| 33 |
> Security Level ---> |
| 34 |
> Hardened Gentoo [server] |
| 35 |
> or Hardened Gentoo [workstation] |
| 36 |
> or Hardened Gentoo [virtualization] |
| 37 |
> |
| 38 |
> The userland utility is callec paxctl-ng and its part of the |
| 39 |
> sys-apps/elfix-0.2.0 package which is currently masked pending testing. |
| 40 |
> That's where you come in. Please test the utility on binaries which |
| 41 |
> require pax marking and let me know if it works. Of particular interest |
| 42 |
> are self checking binaries (like skype) which don't have a PT_PAX |
| 43 |
> section and would break if one were added. |
| 44 |
> |
| 45 |
> Current the only known issue with paxctl-ng is that it doesn't properly |
| 46 |
> do file globbing. I have not yet seen it break a binary, but please |
| 47 |
> don't use this on a production system until we have more confidence in it. |
| 48 |
> |
| 49 |
> Thanks. |
| 50 |
> |
| 51 |
> -- |
| 52 |
> Anthony G. Basile, Ph.D. |
| 53 |
> Gentoo Linux Developer [Hardened] |
| 54 |
> E-Mail : blueness@g.o |
| 55 |
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535 |
| 56 |
> GnuPG ID : D0455535 |
| 57 |
> |
Archives