FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Gentoo > Gentoo Hardened

 
 
LinkBack Thread Tools
 
Old 09-20-2011, 12:14 PM
"Anthony G. Basile"
 
Default Testing request for sys-apps/elfix-0.2.0

Hi everyone,

I'm working towards forcing a consistency in how we pax mark our
binaries. The RFC for the design is at

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3 976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0

I am trying to force consistency between two (and in the future, three)
ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
(flags are in an elf program header) and a new design we're working on,
putting the flags in an Extended Filesystem attribute. Each has
advantages and disadvantages, and all three will have to be employed to
cover the cases where the others don't work, so a utility which
consistently marks all three is useful.

There are two stages, the userland utility and kernel patching. The
kernel patching is effectively done as long as you choose any of the
gentoo predefined profiles:

Security options --->
Grsecurity --->
Security Level --->
Hardened Gentoo [server]
or Hardened Gentoo [workstation]
or Hardened Gentoo [virtualization]

The userland utility is callec paxctl-ng and its part of the
sys-apps/elfix-0.2.0 package which is currently masked pending testing.
That's where you come in. Please test the utility on binaries which
require pax marking and let me know if it works. Of particular interest
are self checking binaries (like skype) which don't have a PT_PAX
section and would break if one were added.

Current the only known issue with paxctl-ng is that it doesn't properly
do file globbing. I have not yet seen it break a binary, but please
don't use this on a production system until we have more confidence in it.

Thanks.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : blueness@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
 
Old 09-20-2011, 07:52 PM
"Tóth Attila"
 
Default Testing request for sys-apps/elfix-0.2.0

What if somebody uses a custom set of config options instead of the gentoo
predefined profiles?
Which kernel option is responsilbe to enable the new design?

Thanks:
Dw.
--
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057

2011.Szeptember 20.(K) 14:14 időpontban Anthony G. Basile ezt *rta:
> Hi everyone,
>
> I'm working towards forcing a consistency in how we pax mark our
> binaries. The RFC for the design is at
>
> http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3 976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0
>
> I am trying to force consistency between two (and in the future, three)
> ways of doing pax markings, EI_PAX (flags are in the elf header), PT_PAX
> (flags are in an elf program header) and a new design we're working on,
> putting the flags in an Extended Filesystem attribute. Each has
> advantages and disadvantages, and all three will have to be employed to
> cover the cases where the others don't work, so a utility which
> consistently marks all three is useful.
>
> There are two stages, the userland utility and kernel patching. The
> kernel patching is effectively done as long as you choose any of the
> gentoo predefined profiles:
>
> Security options --->
> Grsecurity --->
> Security Level --->
> Hardened Gentoo [server]
> or Hardened Gentoo [workstation]
> or Hardened Gentoo [virtualization]
>
> The userland utility is callec paxctl-ng and its part of the
> sys-apps/elfix-0.2.0 package which is currently masked pending testing.
> That's where you come in. Please test the utility on binaries which
> require pax marking and let me know if it works. Of particular interest
> are self checking binaries (like skype) which don't have a PT_PAX
> section and would break if one were added.
>
> Current the only known issue with paxctl-ng is that it doesn't properly
> do file globbing. I have not yet seen it break a binary, but please
> don't use this on a production system until we have more confidence in it.
>
> Thanks.
>
> --
> Anthony G. Basile, Ph.D.
> Gentoo Linux Developer [Hardened]
> E-Mail : blueness@gentoo.org
> GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
> GnuPG ID : D0455535
>
 
Old 09-21-2011, 01:07 AM
"Anthony G. Basile"
 
Default Testing request for sys-apps/elfix-0.2.0

Both CONFIG_PAX_EI_PAX and CONFIG_PAX_PT_PAX_FLAGS must be set.

On 09/20/2011 03:52 PM, "Tth Attila" wrote:
> What if somebody uses a custom set of config options instead of the gentoo
> predefined profiles?
> Which kernel option is responsilbe to enable the new design?
>
> Thanks:
> Dw.


--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
 

Thread Tools




All times are GMT. The time now is 05:18 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org