From: "Anthony G. Basile"
To: gentoo-commits@lists.gentoo.org
Reply-To: gentoo-dev@lists.gentoo.org, "Anthony G. Basile"
Message-ID: <8452e2a1ce450503bd0c15f8dfd7bd08de7430dc.blueness@gentoo>
Subject: [gentoo-commits] proj/elfix:master commit in: doc/
X-VCS-Repository: proj/elfix
X-VCS-Files: doc/paxctl-ng-design.txt
X-VCS-Directories: doc/
X-VCS-Committer: blueness
X-VCS-Committer-Name: Anthony G. Basile
X-VCS-Revision: 8452e2a1ce450503bd0c15f8dfd7bd08de7430dc
Date: Thu, 8 Sep 2011 23:10:20 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Archives-Hash: 67aded20021bb3d0f305bbb6a05798b1

commit:     8452e2a1ce450503bd0c15f8dfd7bd08de7430dc
Author:     Anthony G. Basile gentoo org>
AuthorDate: Thu Sep  8 23:10:14 2011 +0000
Commit:     Anthony G. Basile gentoo org>
CommitDate: Thu Sep  8 23:10:14 2011 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=commit;h=8452e2a1

doc/paxctl-ng-design.txt: first draft

---
 doc/paxctl-ng-design.txt |   43 +++++++++++++++++++++++++++++++++++++++++++++
 1 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/doc/paxctl-ng-design.txt b/doc/paxctl-ng-design.txt
new file mode 100644
index 0000000..18f59f4
--- /dev/null
+++ b/doc/paxctl-ng-design.txt
@@ -0,0 +1,43 @@ + +INTRODUCTION + +Currently there are two ways to perform pax markings, one is by EI_PAX a= nd +the other by PT_PAX. The former is a legacy marking which uses bytes 14 +and 15 of the ehdr.e_ident[] field. These are in a reserved area of the= ELF +header and could be allocated to a different official use by some future +standard [1]. For this reason, it is undesireable to continue using thi= s +marking scheme. The second method introduces a new program header calle= d +PAX_FLAGS which hosts the markings. While this avoids hijacking a reser= ved +area of an ELF binary, it introduces the problem of pre-compiled binarie= s +which do not have a PT_PAX program header. Binaries compiled on a Gento= o +system automatically have a PT_PAX header because of patched binutils. = However +binaries compiled on other systems do not necessarily have such a sectio= n. +This can be remedied by either adding a PT_PAX header or converting a GN= U_STACK +header. However both of these are problematic. In the case of self-che= cking +elf binaries, adding a PT_PAX header will cause a failure of the check. +Alternatively, converting a GNU_STACK header can cause the binary to fai= l +to execute correctly. + +A third possibility is being consider, but it is in its infancy as of th= is +writing. The pax markings can be put in the Extended File Attributes, m= uch +like selinux labels. This is not without its difficulties because not a= ll +filesystems are capable of supporting xattrs. However, work on making +filesystems, like tmpfs, and archiving tools, like tar, aware of xattrs +is maturing and migrating pax markings to xattrs is now a design possibi= lity. + + +PURPOSAL + +To avoid ambiguity in Hardened Gentoo and to smooth the transition to a +future, we propose the following standards to how pax markings are treat= ed: + +1) The kernel. + +2) Userland utility. + + + +REFERENCE + +[1] http://refspecs.freestandards.org/elf/ +
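Review bot: the PURPOSAL section at the end of this hunk is a heading followed by two empty items ("1) The kernel." and "2) Userland utility."), so the draft describes the problem but does not yet propose anything; each item should state which marking the kernel honours and which marking the userland tool reads and writes when EI_PAX, PT_PAX and an xattr-based marking disagree, since that ambiguity is exactly what the introduction says the proposal is meant to remove. Terminology in the INTRODUCTION is also inconsistent: the program header is called PT_PAX in most places but "a new program header called PAX_FLAGS" in the second paragraph (the kernel and patched-binutils constant is PT_PAX_FLAGS), and "do not necessarily have such a section" should read "such a program header", because a PT_* entry is a program header, not a section, and the distinction matters for the self-checking-binary argument that follows. Spelling and grammar: "PURPOSAL" should be "PROPOSAL", "undesireable" should be "undesirable", "is being consider" should be "is being considered", and "to smooth the transition to a future," is cut off before saying which future is meant.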