* [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0
@ 2011-09-20 12:14 Anthony G. Basile
2011-09-20 19:52 ` "Tóth Attila"
0 siblings, 1 reply; 3+ messages in thread
From: Anthony G. Basile @ 2011-09-20 12:14 UTC (permalink / raw
To: gentoo-hardened
Hi everyone,
I'm working towards forcing a consistency in how we pax mark our
binaries. The RFC for the design is at
http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0
I am trying to force consistency between two (and in the future, three)
ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
(flags are in an elf program header) and a new design we're working on,
putting the flags in an Extended Filesystem attribute. Each has
advantages and disadvantages, and all three will have to be employed to
cover the cases where the others don't work, so a utility which
consistently marks all three is useful.
There are two stages, the userland utility and kernel patching. The
kernel patching is effectively done as long as you choose any of the
gentoo predefined profiles:
Security options --->
Grsecurity --->
Security Level --->
Hardened Gentoo [server]
or Hardened Gentoo [workstation]
or Hardened Gentoo [virtualization]
The userland utility is callec paxctl-ng and its part of the
sys-apps/elfix-0.2.0 package which is currently masked pending testing.
That's where you come in. Please test the utility on binaries which
require pax marking and let me know if it works. Of particular interest
are self checking binaries (like skype) which don't have a PT_PAX
section and would break if one were added.
Current the only known issue with paxctl-ng is that it doesn't properly
do file globbing. I have not yet seen it break a binary, but please
don't use this on a production system until we have more confidence in it.
Thanks.
--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0
2011-09-20 12:14 [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0 Anthony G. Basile
@ 2011-09-20 19:52 ` "Tóth Attila"
2011-09-21 1:07 ` Anthony G. Basile
0 siblings, 1 reply; 3+ messages in thread
From: "Tóth Attila" @ 2011-09-20 19:52 UTC (permalink / raw
To: gentoo-hardened
What if somebody uses a custom set of config options instead of the gentoo
predefined profiles?
Which kernel option is responsilbe to enable the new design?
Thanks:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
2011.Szeptember 20.(K) 14:14 időpontban Anthony G. Basile ezt írta:
> Hi everyone,
>
> I'm working towards forcing a consistency in how we pax mark our
> binaries. The RFC for the design is at
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0
>
> I am trying to force consistency between two (and in the future, three)
> ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
> (flags are in an elf program header) and a new design we're working on,
> putting the flags in an Extended Filesystem attribute. Each has
> advantages and disadvantages, and all three will have to be employed to
> cover the cases where the others don't work, so a utility which
> consistently marks all three is useful.
>
> There are two stages, the userland utility and kernel patching. The
> kernel patching is effectively done as long as you choose any of the
> gentoo predefined profiles:
>
> Security options --->
> Grsecurity --->
> Security Level --->
> Hardened Gentoo [server]
> or Hardened Gentoo [workstation]
> or Hardened Gentoo [virtualization]
>
> The userland utility is callec paxctl-ng and its part of the
> sys-apps/elfix-0.2.0 package which is currently masked pending testing.
> That's where you come in. Please test the utility on binaries which
> require pax marking and let me know if it works. Of particular interest
> are self checking binaries (like skype) which don't have a PT_PAX
> section and would break if one were added.
>
> Current the only known issue with paxctl-ng is that it doesn't properly
> do file globbing. I have not yet seen it break a binary, but please
> don't use this on a production system until we have more confidence in it.
>
> Thanks.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0
2011-09-20 19:52 ` "Tóth Attila"
@ 2011-09-21 1:07 ` Anthony G. Basile
0 siblings, 0 replies; 3+ messages in thread
From: Anthony G. Basile @ 2011-09-21 1:07 UTC (permalink / raw
To: gentoo-hardened
Both CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS must be set.
On 09/20/2011 03:52 PM, "Tóth Attila" wrote:
> What if somebody uses a custom set of config options instead of the gentoo
> predefined profiles?
> Which kernel option is responsilbe to enable the new design?
>
> Thanks:
> Dw.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2011-09-21 2:03 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2011-09-20 12:14 [gentoo-hardened] Testing request for sys-apps/elfix-0.2.0 Anthony G. Basile
2011-09-20 19:52 ` "Tóth Attila"
2011-09-21 1:07 ` Anthony G. Basile
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox