Gentoo Archives: gentoo-hardened

From: "Anthony G. Basile" <basile@××××××××××××××.edu>
To: gentoo-hardened@l.g.o
Subject: Re: [gentoo-hardened] Progress towards XATTR_PAX in Gentoo.
Date: Sat, 05 Jan 2013 19:32:20
Message-Id: 50E878DF.3050708@opensource.dyc.edu
In Reply to: Re: [gentoo-hardened] Progress towards XATTR_PAX in Gentoo. by PaX Team
On 01/04/2013 08:24 PM, PaX Team wrote:
> On 22 Dec 2012 at 12:13, Anthony G. Basile wrote:
>
>> http://dev.gentoo.org/~blueness/zzz/pax-quickstart.xml
>>
>> It describes pretty much anything. Give it a read and let me know what
>> you think should be added.
>
> some notes:
>
>> Note that if you enable both PT_PAX and XATTR_PAX, then the kernel expects
>> both fields to be identical, otherwise neither field is respected.
>
> this is almost true ;). what the kernel expects is that if *both* methods
> are enabled in the kernel config *and* set on the userland binaries then
> they have to be identical. notably this leaves the possibility to *not*
> specify the user.pax.flags xattrs at all on the binaries yet still enable
> XATTR_PAX support in the kernel safely: such binaries will simply run with
> the highest protection by default, much like in the old days of EI_PAX.
>
> this also means that there's no chicken and egg problem despite what this
> says:

Nice! I did not know that.

>
>> [...]but now we have a chicken and the egg problem: we don't have XATTR_PAX
>> markings on our ELF objects, but we're asking the kernel to respect them.
>
> you can safely disable PT_PAX support in the kernel and enable only XATTR_PAX
> and the resulting system will run all your binaries with the most secure settings
> (i.e., with non-exec pages, mprotect and aslr enabled). you'll only have to
> set xattrs on the binaries where some of these have to be relaxed (mprotect
> on java, etc), i.e., all this migration should *not* blindly set user.pax.flags
> on all userland binaries but only on those that need something disabled (or
> in case of emutramp, enabled). i believe this makes the whole migration much
> easier.
>


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
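A worked illustration of the rule PaX Team describes above, added here as an example and not part of the thread or of any Gentoo or PaX tool: given a binary's PT_PAX marking, its user.pax.flags xattr and which methods the kernel has enabled, it reports which marking the kernel would honour. The letter format (paxctl style) and the defaults are assumptions taken from the thread, and the conflict case follows the quickstart wording (both markings ignored).

```python
import errno
import os

# One letter per PaX feature: uppercase enables, lowercase disables, '-' unset.
# This is the paxctl format and the string stored in the user.pax.flags xattr.
FEATURES = {"p": "PAGEEXEC", "s": "SEGMEXEC", "m": "MPROTECT",
            "r": "RANDMMAP", "x": "RANDEXEC", "e": "EMUTRAMP"}

# Defaults for an unmarked binary (assumed, following the thread: non-exec
# pages, mprotect and ASLR on; emutramp and randexec off).
DEFAULTS = {"PAGEEXEC": True, "SEGMEXEC": True, "MPROTECT": True,
            "RANDMMAP": True, "RANDEXEC": False, "EMUTRAMP": False}

def parse_marking(mark):
    """Turn a marking such as 'em' or 'PEMRxS' into {feature: enabled}."""
    flags = {}
    for ch in mark:
        if ch == "-":
            continue
        name = FEATURES.get(ch.lower())
        if name is None:
            raise ValueError("unknown PaX flag letter %r" % ch)
        flags[name] = ch.isupper()
    return flags

def read_xattr_marking(path):
    """Return the user.pax.flags value of path, or None if absent/unsupported."""
    try:
        return os.getxattr(path, "user.pax.flags").decode()
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

def effective_flags(pt_pax, xattr, kernel_pt_pax=True, kernel_xattr_pax=True):
    """Rule from the thread: only kernel-enabled methods count; if both are
    enabled and both set, they must agree or neither is honoured (DEFAULTS)."""
    marks = []
    if kernel_pt_pax and pt_pax is not None:      # None = no PT_PAX_FLAGS header
        marks.append(parse_marking(pt_pax))
    if kernel_xattr_pax and xattr is not None:    # None = no user.pax.flags xattr
        marks.append(parse_marking(xattr))
    result = dict(DEFAULTS)
    if len(marks) == 2 and marks[0] != marks[1]:
        return result, "conflict: PT_PAX and user.pax.flags differ, both ignored"
    if not marks:
        return result, "unmarked: kernel defaults apply"
    result.update(marks[0])  # markings agree, so either one will do
    return result, "marking honoured"
```

Running effective_flags(read_pt_pax(path), read_xattr_marking(path)) over a tree of binaries (with a PT_PAX reader of your own) shows which ones still need a user.pax.flags entry under the XATTR_PAX-only configuration PaX Team suggests.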