* Re: [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes
From: Mike Frysinger @ 2011-12-07 22:11 UTC
To: gentoo-dev; +Cc: Anthony G. Basile, pageexec

On Thursday 01 December 2011 11:08:37 Anthony G. Basile wrote:
> 2) PT_PAX markings. This puts the flags in an ELF program header. On
> Gentoo systems, all binaries are compiled with a PT_PAX header ready to
> go because of a patch against binutils [2]. The problem is precompiled
> binaries which lack a PT_PAX header and cannot have one added without
> breaking. (e.g. skype).
>
> 3) XT_PAX markings. This is the new experimental way of doing the
> markings using xattrs for PaX markings. Currently, I'm using the name
> space "user.pax" so as to allow users to mark their own binaries, but
> this may change to "security.pax" depending on what direction upstream
> (i.e. pipacs) wants to go. The advantage here is that the ELF binary is
> not mangled in any way since the xattrs live in the inodes not the
> blocks. The disadvantage is that xattrs are not supported on all
> filesystems and in all the utilities we need for portage to work. I'm
> working to get xattrs supported where we need it. This will also help
> with supporting other features like ACL and CAPS. To this end:

i happily look forward to the time where we can deprecate PT_PAX support in
binutils. it is, by far, the largest thorn in my side when it comes to
stabilization and false positive test failures in binutils.

> a) There is a patch against tar to support xattrs based on Fedora's
> patch. [3]

sorry, now that i know this is a bit more important than "i've been playing
with this stuff", i'll try and get to it faster

-mike
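
The two marking schemes discussed in the quoted text, as an added example that is not part of the original thread or of any Gentoo tool: it reports whether an ELF carries a PT_PAX program header and whether a file has an xattr marking, distinguishing "no marking" from "filesystem does not support xattrs". Assumptions: the attribute name `user.pax.flags` (the post only names the `user.pax` namespace), the flag letters follow the usual `paxctl` convention, and `make_elf64` builds a constructed sample, not a real binary.

```python
import errno, os, struct

PT_PAX_FLAGS = 0x65041580  # PT_LOOS + 0x5041580, program header type used by PaX
# Bit position in p_flags -> flag letter (upper case = enabled, lower = disabled).
PAX_BITS = [(4, "P"), (5, "p"), (6, "S"), (7, "s"), (8, "M"), (9, "m"),
            (10, "X"), (11, "x"), (12, "E"), (13, "e"), (14, "R"), (15, "r")]

def pt_pax_flags(elf: bytes):
    """Return the PT_PAX flag string, or None if the ELF has no PT_PAX header."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if elf[5] == 1 else ">"       # EI_DATA: 1 = little endian
    if is64:
        e_phoff, = struct.unpack_from(end + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x36)
    else:
        e_phoff, = struct.unpack_from(end + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", elf, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(end + "I", elf, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags sits at +4 in Elf64_Phdr and at +24 in Elf32_Phdr
            p_flags, = struct.unpack_from(end + "I", elf, off + (4 if is64 else 24))
            return "".join(c for bit, c in PAX_BITS if p_flags & (1 << bit))
    return None

def xt_pax_flags(path, name="user.pax.flags"):  # attribute name is an assumption
    """Return (status, flags); status is 'ok', 'unmarked' or 'unsupported'."""
    try:
        return "ok", os.getxattr(path, name).decode()
    except OSError as e:
        if e.errno == errno.ENODATA:            # xattrs work, file is not marked
            return "unmarked", None
        if e.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return "unsupported", None          # filesystem cannot store the marking
        raise

def make_elf64(phdrs):
    """Constructed sample: little-endian ELF64 header plus (p_type, p_flags) headers."""
    hdr = bytearray(64)
    hdr[:6] = b"\x7fELF\x02\x01"
    struct.pack_into("<Q", hdr, 0x20, 64)             # e_phoff
    struct.pack_into("<HH", hdr, 0x36, 56, len(phdrs))  # e_phentsize, e_phnum
    return bytes(hdr) + b"".join(struct.pack("<II", t, f) + bytes(48) for t, f in phdrs)

if __name__ == "__main__":
    print(pt_pax_flags(make_elf64([(1, 5), (PT_PAX_FLAGS, (1 << 5) | (1 << 9))])))
```

A `None` result from `pt_pax_flags` identifies the precompiled-binary case from point 2, where only an xattr marking can be applied without touching the file's contents.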
2011-12-01 16:08 [gentoo-dev] Bleeding edge hardened-sources: move PaX markings from ELF to Extended Attributes Anthony G. Basile
2011-12-07 22:11 99% ` Mike Frysinger