On 01/04/2013 08:24 PM, PaX Team wrote:
> On 22 Dec 2012 at 12:13, Anthony G. Basile wrote:
>
>> http://dev.gentoo.org/~blueness/zzz/pax-quickstart.xml
>>
>> It describes pretty much anything. Give it a read and let me know what
>> you think should be added.
>
> some notes:
>
>> Note that if you enable both PT_PAX and XATTR_PAX, then the kernel expects
>> both fields to be identical, otherwise neither field is respected.
>
> this is almost true ;). what the kernel expects is that if *both* methods
> are enabled in the kernel config *and* set on the userland binaries then
> they have to be identical. notably this leaves the possibility to *not*
> specify the user.pax.flags xattrs at all on the binaries yet still enable
> XATTR_PAX support in the kernel safely: such binaries will simply run with
> the highest protection by default, much like in the old days of EI_PAX.
>
> this also means that there's no chicken and egg problem despite what this
> says:

Nice! I did not know that.

>
>> [...]but now we have a chicken and the egg problem: we don't have XATTR_PAX
>> markings on our ELF objects, but we're asking the kernel to respect them.
>
> you can safely disable PT_PAX support in the kernel and enable only XATTR_PAX
> and the resulting system will run all your binaries with the most secure settings
> (i.e., with non-exec pages, mprotect and aslr enabled). you'll only have to
> set xattrs on the binaries where some of these have to be relaxed (mprotect
> on java, etc), i.e., all this migration should *not* blindly set user.pax.flags
> on all userland binaries but only on those that need something disabled (or
> in case of emutramp, enabled). i believe this makes the whole migration much
> easier.
>

-- 
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
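The rule the PaX Team spells out above (both markings must agree only when both methods are enabled in the kernel *and* both are set on the binary; a binary with no marking runs with the defaults, i.e. full protection) is easy to get wrong during a migration, so here is a checker that applies it to real files. This is an added example written for this page, not code from PaX, Gentoo or paxctl-ng. It assumes the PT_PAX_FLAGS program header type (0x65041580) and the enable/disable bit pairs from the PaX patch's linux/elf.h, the letter convention paxctl-style tools use in user.pax.flags (upper case enables, lower case disables, "-" unset), and it treats unknown characters in the xattr as ignored rather than rejected; that last point is this example's assumption, not documented kernel behaviour. It goes slightly beyond the thread in handling both ELF32 and ELF64 and in letting you model the "PT_PAX disabled in the kernel, XATTR_PAX only" migration via `pt_support=False`.

```python
"""Decode an ELF object's PT_PAX_FLAGS header and its user.pax.flags xattr and
apply the rule from the thread: when both methods are enabled in the kernel
*and* both markings are set they must be identical, while a missing marking
falls back to the kernel defaults.  Added example; not PaX, Gentoo or paxctl code."""
import errno
import os
import struct
import sys

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, PaX's program header type

# feature, enable bit, disable bit, letter used in user.pax.flags / paxctl output
PAX_FEATURES = (
    ("PAGEEXEC", 1 << 4, 1 << 5, "P"), ("SEGMEXEC", 1 << 6, 1 << 7, "S"),
    ("MPROTECT", 1 << 8, 1 << 9, "M"), ("RANDEXEC", 1 << 10, 1 << 11, "X"),
    ("EMUTRAMP", 1 << 12, 1 << 13, "E"), ("RANDMMAP", 1 << 14, 1 << 15, "R"),
)

def flags_from_pt_pax(p_flags):
    """{feature: bool} from p_flags; a feature with neither bit set is omitted."""
    out = {}
    for name, on, off, _ in PAX_FEATURES:
        if p_flags & on and p_flags & off:
            raise ValueError("%s marked both enabled and disabled" % name)
        if p_flags & (on | off):
            out[name] = bool(p_flags & on)
    return out

def flags_from_xattr(value):
    """{feature: bool} from e.g. 'PeMRxS': upper case enables, lower case
    disables; '-' and unknown characters are ignored (this example's assumption)."""
    by_letter = {letter: name for name, _, _, letter in PAX_FEATURES}
    out = {}
    for ch in value.strip():
        if ch.upper() in by_letter:
            out[by_letter[ch.upper()]] = ch.isupper()
    return out

def effective_marking(pt_flags, xattr_flags, pt_support=True, xattr_support=True):
    """Rule from the thread.  Inputs are decoded dicts, or None when the binary has
    no such marking; *_support mirrors the kernel config.  Returns (source, flags)."""
    pt = pt_flags if pt_support else None
    xa = xattr_flags if xattr_support else None
    if pt is not None and xa is not None:
        return ("both", xa) if pt == xa else ("conflict", None)
    if xa is not None:
        return ("xattr", xa)
    if pt is not None:
        return ("pt_pax", pt)
    return ("default", {})  # nothing relaxed: runs with full protection

def parse_pt_pax_flags(data):
    """p_flags of the PT_PAX_FLAGS program header in an ELF image, or None."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    end = "<" if data[5] == 1 else ">"  # EI_DATA: 1 = little endian
    if data[4] == 2:  # ELFCLASS64
        (phoff,) = struct.unpack(end + "Q", data[32:40])
        phentsize, phnum = struct.unpack(end + "HH", data[54:58])
        flags_at = 4  # Elf64_Phdr: p_flags directly follows p_type
    else:  # ELFCLASS32
        (phoff,) = struct.unpack(end + "I", data[28:32])
        phentsize, phnum = struct.unpack(end + "HH", data[42:46])
        flags_at = 24  # Elf32_Phdr: p_flags is the seventh field
    for i in range(phnum):
        ph = data[phoff + i * phentsize:phoff + (i + 1) * phentsize]
        if struct.unpack(end + "I", ph[:4])[0] == PT_PAX_FLAGS:
            return struct.unpack(end + "I", ph[flags_at:flags_at + 4])[0]
    return None

def read_xattr_flags(path):
    """The user.pax.flags string, or None if unset or unsupported here."""
    if not hasattr(os, "getxattr"):  # Linux-only API
        return None
    try:
        return os.getxattr(path, "user.pax.flags").decode("ascii", "replace")
    except OSError as e:
        if e.errno in (errno.ENODATA, errno.ENOTSUP):
            return None
        raise

def check(path, pt_support=True, xattr_support=True):
    """(source, flags) for one file, combining both markings."""
    with open(path, "rb") as f:
        raw = parse_pt_pax_flags(f.read())
    xa = read_xattr_flags(path)
    return effective_marking(None if raw is None else flags_from_pt_pax(raw),
                             None if xa is None else flags_from_xattr(xa),
                             pt_support, xattr_support)

def build_elf64(p_flags):
    """Constructed input: a minimal little-endian x86-64 ELF whose only program
    header is PT_PAX_FLAGS.  Not loadable; just enough for parse_pt_pax_flags."""
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01" + bytes(9),
                       2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, *([0] * 6))

if __name__ == "__main__":
    for p in sys.argv[1:]:  # e.g. python3 paxcheck.py /usr/bin/java
        print(p, *check(p))
```

Run it over the binaries you intend to mark: anything reporting `default` is already running with everything on and needs no xattr at all, which is the point of the migration advice above; `conflict` flags the case where a leftover PT_PAX header and a newly written user.pax.flags disagree, and the dict for a `pt_pax` result is exactly the set of relaxations you would have to carry into the xattr if PT_PAX support is to be turned off.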