| 1 |
On 22 Dec 2012 at 12:13, Anthony G. Basile wrote: |
| 2 |
|
| 3 |
> http://dev.gentoo.org/~blueness/zzz/pax-quickstart.xml |
| 4 |
> |
| 5 |
> It describes pretty much anything. Give it a read and let me know what |
| 6 |
> you think should be added. |
| 7 |
|
| 8 |
some notes: |
| 9 |
|
| 10 |
> Note that if you enable both PT_PAX and XATTR_PAX, then the kernel expects |
| 11 |
> both fields to be identical, otherwise neither field is respected. |
| 12 |
|
| 13 |
this is almost true ;). what the kernel expects is that if *both* methods |
| 14 |
are enabled in the kernel config *and* set on the userland binaries then |
| 15 |
they have to be identical. notably this leaves the possibility to *not* |
| 16 |
specify the user.pax.flags xattrs at all on the binaries yet still enable |
| 17 |
XATTR_PAX support in the kernel safely: such binaries will simply run with |
| 18 |
the highest protection by default, much like in the old days of EI_PAX. |
| 19 |
|
| 20 |
this also means that there's no chicken and egg problem despite what this |
| 21 |
says: |
| 22 |
|
| 23 |
> [...]but now we have a chicken and the egg problem: we don't have XATTR_PAX |
| 24 |
> markings on our ELF objects, but we're asking the kernel to respect them. |
| 25 |
|
| 26 |
you can safely disable PT_PAX support in the kernel and enable only XATTR_PAX |
| 27 |
and the resulting system will run all your binaries with the most secure settings |
| 28 |
(i.e., with non-exec pages, mprotect and aslr enabled). you'll only have to |
| 29 |
set xattrs on the binaries where some of these have to be relaxed (mprotect |
| 30 |
on java, etc), i.e., all this migration should *not* blindly set user.pax.flags |
| 31 |
on all userland binaries but only on those that need something disabled (or |
| 32 |
in case of emutramp, enabled). i believe this makes the whole migration much |
| 33 |
easier. |
Archives