From: Markus Oehme <oehme.markus@gmx.de>
To: gentoo-hardened@lists.gentoo.org
Cc: "Anthony G. Basile" <blueness@gentoo.org>
Subject: Re: [gentoo-hardened] mprotect question
Date: Thu, 14 Jul 2011 17:29:04 +0200
Message-ID: <87ei1szxrz.wl%oehme.markus@gmx.de>
In-Reply-To: <4E1EF21C.1090505@gentoo.org>
Hi Anthony,
At Thu, 14 Jul 2011 09:41:48 -0400,
Anthony G. Basile wrote:
> It looks like you missed something in the process. The steps to
> converting are (skipping details):
>
> 1) switch profile
> 2) recompile the toolchain: emerge glibc gcc binutils
> 3) recompile system: emerge -e system
> 4) recompile world: emerge -e world
I did execute all steps in this order and rebuilt all packages. Just now I
did some tries and recompiled some of the packages which fail. However, this
changed nothing.
One thing that should possibly be said: I'm using gcc-4.6.1. I was using gcc
4.6.0 for quite some time on ~amd64 ere I switched to hardened last week. I
didn't encounter any special problems during the transition.
> If you didn't do these, its possible you have some binaries left that
> will trigger pax violations.
>
> One way to quickly check if you got hardened binaries is to use a script
> called checksec.sh [1] and run it on /bin or /sbin. You should see that
> all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.
I just executed the script for /bin and the result [1] was very mixed. Nearly all
binaries have FULL RELRO and PIE, but most have no STACK CANARY and NX. I
checked whether this could be changed and rebuilt coreutils twice, but the
output was the same every time.
However, this seems not to be a big problem since the system is currently
running normally (Xfce desktop session) with my current list [2] of exceptions
to mprotect, which contains only binaries under /usr.
Thanks for the advice.
Markus
[1]
RELRO            STACK CANARY      NX            PIE           FILE
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/attr
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/basename
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/bash
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/bsdcpio
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/bsdtar
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/btrfs-debug-tree
Partial RELRO    No canary found   NX disabled   No PIE        /bin/busybox
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/bzip2
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/cat
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/chacl
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/chgrp
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/chmod
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/chown
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/chroot
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/cp
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/cpio
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/cut
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/date
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/dd
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/df
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/dir
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/dirname
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/dmesg
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/du
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/echo
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/ed
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/egrep
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/env
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/expr
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/false
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/fgrep
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/findmnt
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/fuser
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/gawk
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/getfacl
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/getfattr
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/grep
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/groups
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/gzip
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/head
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/hostname
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/kill
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/ln
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/login
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/ls
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/lsblk
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/lsmod
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/mail
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/mbchk
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mkdir
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mkfifo
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mknod
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mktemp
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/more
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mount
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/mountpoint
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/mv
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/nano
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/netstat
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/passwd
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/ping
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/ping6
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/ps
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/pwd
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/readlink
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/rm
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/rmdir
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/run-parts
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/sed
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/seq
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/setfacl
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/setfattr
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/sleep
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/sort
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/stty
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/su
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/sync
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/tail
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/tar
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/tcsh
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/tempfile
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/touch
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/tr
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/true
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/tty
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/umount
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/uname
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/vdir
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/wc
Full RELRO       No canary found   NX disabled   PIE enabled   /bin/yes
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/zsh
Full RELRO       Canary found      NX enabled    PIE enabled   /bin/zsh-4.3.12
[2]
/usr/bin/emacs-23
/usr/bin/gkrellm
/usr/bin/perl
/usr/bin/python2.7
/usr/bin/spamc
/usr/bin/ssh
/usr/bin/sudo
/usr/bin/Terminal
/usr/bin/xchat
/usr/bin/xfce4-mixer
/usr/bin/xfce4-panel
/usr/bin/xfce4-session
/usr/bin/xfce4-session-logout
/usr/bin/xfconf-query
/usr/bin/xfdesktop
/usr/bin/Xorg
/usr/bin/xscreensaver
/usr/games/bin/enigma
/usr/lib64/courier/courier-authlib/authdaemond
/usr/lib64/xfce4/xfconf/xfconfd
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1plus
/usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/lto1
/usr/libexec/git-core/git
/usr/libexec/polkitd
/usr/libexec/udisks-daemon
/usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
/usr/sbin/collectd
/usr/sbin/console-kit-daemon
--
Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.
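Added example (editor's addition, not part of Markus's mail and not the checksec.sh script Anthony refers to): a small stdlib-only Python inspector that derives the same four columns as the checksec output above straight from the ELF program headers, and additionally decodes the PT_PAX_FLAGS header that paxctl writes, which is where a per-binary mprotect exception of the kind listed in [2] ends up. It handles ELF64 little-endian files only; the canary test is the same string heuristic checksec.sh uses (presence of __stack_chk_fail). The constants come from the ELF specification and PaX's elf.h; build_sample_elf() and the sample it produces are constructed for the demonstration and are not a runnable program.

```python
"""Minimal checksec-style inspector for ELF64 little-endian binaries (stdlib only)."""
import struct
import sys

# ELF constants (ELF spec) and the PaX additions from PaX's elf.h. PT_PAX_FLAGS is
# the program header paxctl edits; PF_* pairs below are its enable/disable bits.
ET_DYN = 3
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PT_PAX_FLAGS = 0x65041580
PF_X = 0x1
DT_NULL, DT_BIND_NOW, DT_FLAGS, DT_FLAGS_1 = 0, 24, 30, 0x6FFFFFFB
DF_BIND_NOW, DF_1_NOW = 0x8, 0x1
PAX_BITS = {                  # paxctl letter -> (enable bit, disable bit)
    "P": (1 << 4, 1 << 5),    # PAGEEXEC
    "S": (1 << 6, 1 << 7),    # SEGMEXEC
    "M": (1 << 8, 1 << 9),    # MPROTECT
    "X": (1 << 10, 1 << 11),  # RANDEXEC
    "E": (1 << 12, 1 << 13),  # EMUTRAMP
    "R": (1 << 14, 1 << 15),  # RANDMMAP
}

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # Elf64_Ehdr, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")           # Elf64_Phdr, 56 bytes
DYN = struct.Struct("<qQ")                  # Elf64_Dyn, 16 bytes


def program_headers(data):
    """Return (e_type, [phdr tuples]) after checking the file is ELF64 little-endian."""
    ident, e_type, _, _, _, e_phoff, _, _, _, e_phentsize, e_phnum, _, _, _ = \
        EHDR.unpack_from(data, 0)
    if ident[:4] != b"\x7fELF" or ident[4] != 2 or ident[5] != 1:
        raise ValueError("only ELF64 little-endian files are handled here")
    return e_type, [PHDR.unpack_from(data, e_phoff + i * e_phentsize) for i in range(e_phnum)]


def bind_now(data, phdrs):
    """True if the dynamic section requests immediate binding (needed for Full RELRO)."""
    for p_type, _, p_offset, _, _, p_filesz, _, _ in phdrs:
        if p_type != PT_DYNAMIC:
            continue
        for off in range(p_offset, p_offset + p_filesz, DYN.size):
            tag, val = DYN.unpack_from(data, off)
            if tag == DT_NULL:
                break
            if tag == DT_BIND_NOW or (tag == DT_FLAGS and val & DF_BIND_NOW) \
                    or (tag == DT_FLAGS_1 and val & DF_1_NOW):
                return True
    return False


def pax_flags(p_flags):
    """Decode a PT_PAX_FLAGS word: upper case = forced on, lower case = forced off."""
    out = ""
    for letter, (on, off) in PAX_BITS.items():
        if p_flags & on:
            out += letter
        elif p_flags & off:
            out += letter.lower()
    return out or "-"   # nothing set: the kernel's PaX defaults apply


def checksec(data):
    """Return the checksec.sh-style verdicts plus decoded PaX flags for one ELF64 image."""
    e_type, phdrs = program_headers(data)
    by_type = {p[0]: p for p in phdrs}
    stack = by_type.get(PT_GNU_STACK)
    # No PT_GNU_STACK, or one carrying PF_X, means an executable stack was requested.
    nx = "NX enabled" if stack is not None and not stack[1] & PF_X else "NX disabled"
    if PT_GNU_RELRO not in by_type:
        relro = "No RELRO"
    elif bind_now(data, phdrs):
        relro = "Full RELRO"
    else:
        relro = "Partial RELRO"
    # Same heuristic as checksec.sh: a canary-protected binary imports __stack_chk_fail.
    canary = "Canary found" if b"__stack_chk_fail" in data else "No canary found"
    pie = "PIE enabled" if e_type == ET_DYN else "No PIE"
    pax = by_type.get(PT_PAX_FLAGS)
    return {"RELRO": relro, "STACK CANARY": canary, "NX": nx, "PIE": pie,
            "PAX": pax_flags(pax[1]) if pax else "no PT_PAX_FLAGS"}


def build_sample_elf(nx=True, bind_now_flag=True, pie=True, pax_word=0, canary=True):
    """Constructed ELF64 image containing only what checksec() inspects (not runnable)."""
    phdrs = [
        (PT_GNU_STACK, 0x6 | (0 if nx else PF_X), 0, 0, 0, 0, 0, 16),
        (PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1),
        (PT_PAX_FLAGS, pax_word, 0, 0, 0, 0, 0, 8),
    ]
    dyn_off = EHDR.size + PHDR.size * 4          # dynamic array follows the 4 phdrs
    dyn = DYN.pack(DT_FLAGS, DF_BIND_NOW if bind_now_flag else 0) + DYN.pack(DT_NULL, 0)
    phdrs.append((PT_DYNAMIC, 0x6, dyn_off, 0, 0, len(dyn), len(dyn), 8))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # 64-bit, LE, version 1
    ehdr = EHDR.pack(ident, ET_DYN if pie else 2, 62, 1, 0, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 0, 0, 0)
    tail = b".dynstr\0__stack_chk_fail\0" if canary else b".dynstr\0"
    return ehdr + b"".join(PHDR.pack(*p) for p in phdrs) + dyn + tail


def report(path):
    with open(path, "rb") as f:
        return checksec(f.read())


if __name__ == "__main__":
    rows = [(p, report(p)) for p in sys.argv[1:]] or \
           [("<constructed sample, MPROTECT off>", checksec(build_sample_elf(pax_word=1 << 9)))]
    for name, r in rows:
        print(f"{r['RELRO']:<15}{r['STACK CANARY']:<18}{r['NX']:<14}{r['PIE']:<14}{r['PAX']:<8}{name}")
```

Run it as `python3 elfcheck.py /bin/*` to get the same layout as the table above with a PaX column appended. Note that the NX column, in checksec.sh and here, is read purely from the PT_GNU_STACK flags the linker emitted, while PaX's PAGEEXEC and MPROTECT enforcement is controlled separately by the kernel defaults and any PT_PAX_FLAGS override; a binary can therefore show "NX disabled" in checksec and still be running under MPROTECT, and it is the PaX column, not the NX column, that tells you whether an mprotect exception like those in [2] has been recorded in the file.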