1 |
I've made an observation long before, that although PT_PAX flags are |
2 |
properly handled on my systems, the installed binaries and libraries lack |
3 |
XATTR_PAX markings. This has been the situation for a long time now. I've |
4 |
made a script scanning the system for inconsistent markings and issuing |
5 |
paxctl-ng -F for those files, where it's necessary. |
6 |
I have both PT and XT present in my make.conf for markings. I was told |
7 |
before, that I should rather opt for only one of the two possibilities - |
8 |
kernel-option wise and make.conf-marking-selection wise. Kinda both PT and |
9 |
XT are not supported at the same time using the current utilities. |
10 |
Moreover: there is the question if PT marking is present and XATTR is |
11 |
missing at the same time: which one takes precedence? I suspect the system |
12 |
tries to interpret the missing XATTR, falling back to apply the default |
13 |
flags, while paying no attention to the PT flags present. Additionally, I |
14 |
haven't mentioned any policy defined PAX flags. |
15 |
Elfutils, paxutils and all other relevant packages are keyworded on my |
16 |
systems. |
17 |
So ordinary executables are installed with an inconsistent marking by |
18 |
default. The new install mechanism is working on my systems. Strangely |
19 |
enough, I see how html files are processed during install. Ordinary |
20 |
binaries somehow slip through the mechanism. |
21 |
|
22 |
It would be so good to see consistent markings on a system having both PT |
23 |
and XT enabled. The kernel could also behave a bit differently. These |
24 |
possibilities can potentially confuse some users, while I'm still fine |
25 |
with my scripts and have some understanding of the background. |
26 |
|
27 |
In the mean time I see some progress as well! Compile time markings |
28 |
definitely seem to work fine on my systems for awhile. Emerging icedtea |
29 |
goes flawlessly, since markings are performed in a proper fashion - even |
30 |
for PT & XT combo setup. I understand that compile time marking in an |
31 |
ebuild is a separate mechanism compared to normal ebuild file install, but |
32 |
I still see some room for improvements. And possibly fix this scenario. |
33 |
Not for me, because I think I understand the situation and I believe I |
34 |
know what I'm doing (just like when trying to change the multcount value |
35 |
for a hard drive in smartctl). But n00bs or newcomers might have a benefit |
36 |
from. |
37 |
|
38 |
Thanks: |
39 |
Dw. |
40 |
-- |
41 |
dr Tóth Attila, Radiológus, 06-20-825-8057 |
42 |
Attila Toth MD, Radiologist, +36-20-825-8057 |
43 |
|
44 |
2014.December 14.(V) 00:52 időpontban Karl-Johan Karlsson ezt írta: |
45 |
> Hi list, |
46 |
> |
47 |
> I seem to have at least three problems related to PaX markings |
48 |
> simultaneously, |
49 |
> and since it's after midnight here and I need to write down some notes |
50 |
> anyway |
51 |
> so I know how to continue tomorrow, I might as well send them out to the |
52 |
> world |
53 |
> and see if someone else solves my problems for me while I'm asleep. |
54 |
> |
55 |
> It all started when I couldn't upgrade from my existing dev- |
56 |
> java/icedtea-7.2.4.5. Building dev-java/icedtea-7.2.5.3 failed, with the |
57 |
> following messages at the bottom of the log: |
58 |
> |
59 |
> |
60 |
> if [ -x /usr/sbin/paxmark.sh ] ; then \ |
61 |
> if [ -w /export/portage/portage/dev- |
62 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ] ; |
63 |
> then \ |
64 |
> /usr/sbin/paxmark.sh -m /export/portage/portage/dev- |
65 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java ; \ |
66 |
> fi ; \ |
67 |
> fi |
68 |
> /usr/sbin/paxmark.sh: line 82: elog: command not found |
69 |
> Makefile:124: recipe for target '/export/portage/portage/dev- |
70 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build- |
71 |
> boot/classes/javax/management/ |
72 |
> remote/rmi/RMIConnectionImpl_Stub.class' failed |
73 |
> |
74 |
> |
75 |
> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to |
76 |
> call elog and fails. |
77 |
> |
78 |
> That code was introduced in 0.9.0 (actually, commit 41a91c04), but I've |
79 |
> obviously managed to build icedtea before, so let's downgrade to 0.8.4 and |
80 |
> try |
81 |
> again. The build dies in the same location, but without the line |
82 |
> complaining |
83 |
> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about |
84 |
> it: |
85 |
> |
86 |
> |
87 |
> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev- |
88 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java |
89 |
> |
90 |
> # echo $? |
91 |
> 1 |
92 |
> |
93 |
> # paxctl-ng -v /export/portage/portage/dev- |
94 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java |
95 |
> /export/portage/portage/dev- |
96 |
> java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java: |
97 |
> PT_PAX : -em-- |
98 |
> XATTR_PAX : not found |
99 |
> |
100 |
> |
101 |
> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the |
102 |
> code, |
103 |
> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, |
104 |
> the |
105 |
> entire thing returns failure. Unless PAX_MARKINGS is set, in which case |
106 |
> that |
107 |
> controls which type of markings is used. It isn't set on this machine. |
108 |
> |
109 |
> Problem number two: that's not what the docs say should happen. Acording |
110 |
> to |
111 |
> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart: |
112 |
> |
113 |
> "If you decide on PaX marking method, you should adjust PAX_MARKINGS |
114 |
> variable |
115 |
> in your /etc/portage/make.conf with either XT (for extended attributes) or |
116 |
> PT |
117 |
> (for program header marking). You can set both XT PT if you wish. Default |
118 |
> is |
119 |
> PT." |
120 |
> |
121 |
> But why isn't XATTR_PAX working? I thought I completed that transition |
122 |
> ages |
123 |
> ago. |
124 |
> |
125 |
> |
126 |
> # paxctl-ng -v /bin/ls |
127 |
> /bin/ls: |
128 |
> PT_PAX : -e--- |
129 |
> XATTR_PAX : not found |
130 |
> |
131 |
> |
132 |
> Obviously not. Maybe I forgot this machine. Would it work? |
133 |
> |
134 |
> |
135 |
> # paxctl-ng -F /bin/ls |
136 |
> |
137 |
> # paxctl-ng -v /bin/ls |
138 |
> /bin/ls: |
139 |
> PT_PAX : -e--- |
140 |
> XATTR_PAX : -e--- |
141 |
> |
142 |
> |
143 |
> Yes. So why couldn't paxmark.sh set XATTR_PAX? |
144 |
> |
145 |
> |
146 |
> # paxctl-ng -d /bin/ls |
147 |
> |
148 |
> # paxctl-ng -v /bin/ls |
149 |
> /bin/ls: |
150 |
> PT_PAX : -e--- |
151 |
> XATTR_PAX : not found |
152 |
> |
153 |
> # cp /bin/ls $PORTAGE_TMPDIR |
154 |
> |
155 |
> # paxctl-ng -v $PORTAGE_TMPDIR/ls |
156 |
> /export/portage/ls: |
157 |
> PT_PAX : -e--- |
158 |
> XATTR_PAX : not found |
159 |
> |
160 |
> # paxctl-ng -F $PORTAGE_TMPDIR/ls |
161 |
> |
162 |
> # echo $? |
163 |
> 1 |
164 |
> |
165 |
> # paxctl-ng -v $PORTAGE_TMPDIR/ls |
166 |
> /export/portage/ls: |
167 |
> PT_PAX : -e--- |
168 |
> XATTR_PAX : not found |
169 |
> |
170 |
> # strace paxctl-ng -F $PORTAGE_TMPDIR/ls 2>&1 | grep user.pax |
171 |
> fsetxattr(3, "user.pax.flags", "e", 1, 0) = -1 EOPNOTSUPP (Operation not |
172 |
> supported) |
173 |
> |
174 |
> |
175 |
> OK, so XATTR_PAX works in /bin, but gets EOPNOTSUPP in $PORTAGE_TMPDIR. |
176 |
> They're on different mounts, so that's not unreasonable. But where do they |
177 |
> differ? |
178 |
> |
179 |
> |
180 |
> # di -h /bin |
181 |
> Filesystem Mount Size Used Avail %Used fs |
182 |
> Type |
183 |
> /dev/root / 75,0G 56,7G 14,5G 81% ext4 |
184 |
> |
185 |
> # di -h $PORTAGE_TMPDIR |
186 |
> Filesystem Mount Size Used Avail %Used fs |
187 |
> Type |
188 |
> /dev/mapper/crypt- /export 2,5T 2,2T 258,8G 90% ext3 |
189 |
> |
190 |
> # grep -E ' (/|/export) ' /proc/mounts |
191 |
> rootfs / rootfs rw 0 0 |
192 |
> /dev/root / ext4 rw,relatime,data=ordered 0 0 |
193 |
> /dev/mapper/crypt-export /export ext3 |
194 |
> rw,noatime,errors=continue,barrier=1,data=ordered 0 0 |
195 |
> |
196 |
> # tune2fs -l /dev/root | grep ext_attr |
197 |
> Filesystem features: has_journal ext_attr resize_inode dir_index |
198 |
> filetype |
199 |
> needs_recovery extent sparse_super large_file uninit_bg |
200 |
> |
201 |
> # tune2fs -l /dev/mapper/crypt-export | grep ext_attr |
202 |
> Filesystem features: has_journal ext_attr resize_inode dir_index |
203 |
> filetype |
204 |
> needs_recovery sparse_super large_file |
205 |
> |
206 |
> |
207 |
> So it works on ext4, but not ext3, even though both have the ext_attr flag |
208 |
> on |
209 |
> disk. Any difference in kernel support? |
210 |
> |
211 |
> |
212 |
> # uname -r |
213 |
> 3.16.5-hardened |
214 |
> |
215 |
> # gunzip -c /proc/config.gz | grep XATTR |
216 |
> CONFIG_EXT3_FS_XATTR=y |
217 |
> CONFIG_TMPFS_XATTR=y |
218 |
> CONFIG_PAX_XATTR_PAX_FLAGS=y |
219 |
> |
220 |
> # gunzip -c /proc/config.gz | grep EXT[34] |
221 |
> CONFIG_EXT3_FS=y |
222 |
> CONFIG_EXT3_DEFAULTS_TO_ORDERED=y |
223 |
> CONFIG_EXT3_FS_XATTR=y |
224 |
> # CONFIG_EXT3_FS_POSIX_ACL is not set |
225 |
> CONFIG_EXT3_FS_SECURITY=y |
226 |
> CONFIG_EXT4_FS=y |
227 |
> CONFIG_EXT4_USE_FOR_EXT23=y |
228 |
> # CONFIG_EXT4_FS_POSIX_ACL is not set |
229 |
> CONFIG_EXT4_FS_SECURITY=y |
230 |
> # CONFIG_EXT4_DEBUG is not set |
231 |
> |
232 |
> |
233 |
> Not that I can see, especially with CONFIG_EXT4_USE_FOR_EXT23=y. And it |
234 |
> should |
235 |
> be an automatic dependency anyway, since PAX_XATTR_PAX_FLAGS is set. |
236 |
> |
237 |
> Which brings us to problem number three: why aren't xattrs working in |
238 |
> $PORTAGE_TMPDIR on ext3 when they are in /bin on ext4? |
239 |
> |
240 |
> Problems one and two are clearly bugs, one in sys-apps/elfix and two in |
241 |
> sys- |
242 |
> apps/elfix or the documentation. Should I file them in Bugzilla, or is |
243 |
> this |
244 |
> mail enough? |
245 |
> |
246 |
> Problem three seems to be unique to this machine. Does anyone know what's |
247 |
> going on? |
248 |
> |
249 |
> -- |
250 |
> Karl-Johan Karlsson |