As you may know, I've been working on a set of utilities to use with a
PaX enabled kernel. These are installed with sys-app/elfix which
depends on dev-python/pypax. They're currently in the gentoo tree, but
masked. I need testers. The two utilities I need tested are:
1. revdep-pax. Basically it will look at ELF binaries and the libraries
they link against and see if there is a mismatch between the PaX
markings of the binary and the library. It does both forward and
reverse mappings, i.e. you can start from an executable and find all the
libraries with mismatched markings, or you can start from a library and
find all the binaries that link against it and have different PaX
markings. If you want, you can forward or reverse migrate those markings.
I suspect it may have one issue: I get all the ELF objects for the
forward mappings from /var/db/pkg/<cat>/<pkg>/NEEDED. However, since
some libraries link against other libraries, I'm not sure I've gotten
everything. I may have to switch to getting the ELF objects out of some
predefined $PATH and $LD_PATH.
2. paxctl-ng. This will do the same thing that paxctl does, but it adds
support for doing pax markings in Extended Attributes if the filesystem
will support them. It has some important differences from paxctl, one
being that it will *never* try to edit the ELF object, beyond just
changing the PT_PAX flags, which is always safe. I.e., if an ELF binary
lacks a PT_PAX program header, paxctl-ng will never try to create one,
so it is always safe to use even on self-checking ELFs like skype. You
can also use paxctl-ng to create the XT_PAX (i.e. extended attribute)
markings, and then it will use either PT_PAX or XT_PAX or both to keep
the PaX flag markings.
The only known issue here is that it doesn't do file globbing. I'll add
it in a later release.
NOTE: XT_PAX is NOT YET supported in the kernel. I'm working on that
now. Until then, we're just testing the userland utility. When the
kernel has XT_PAX support, I'll write some POC test which creates an ELF
without a PT_PAX program header and only XT_PAX markings, and see if it
works. We'll then be able to cover binaries which cannot support PT_PAX
program headers with XT_PAX.
Please read the man pages! Make sure they read okay too.
Anthony G. Basile, Ph. D.
Chair of Information Technology
Buffalo, NY 14201
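As an added example (not code from elfix, pypax, paxctl-ng or revdep-pax), the script below does in a few dozen lines what the two utilities above describe: it locates the PT_PAX program header in an ELF32/ELF64 image, renders p_flags as a letter string, rewrites the flags of an existing PT_PAX header but refuses to add one (the paxctl-ng rule), reads XT_PAX markings from an extended attribute, and reports marking mismatches between a binary and a library (the revdep-pax check). Assumptions, all labelled in the code: PT_PAX_FLAGS is 0x65041580 and the enable/disable bit pairs are the PF_*EXEC/PF_NO*EXEC layout from PaX's elf.h; the XT_PAX attribute name is "user.pax.flags"; the letter order PEMRXS is this example's choice; the ELF images are constructed in memory so the script runs offline.

```python
"""Decode, edit and compare PaX markings on ELF objects.

Added example (not elfix/pypax code). Assumes the PT_PAX_FLAGS value and
p_flags bit layout from PaX's elf.h and the user.pax.flags xattr name.
"""
import os
import struct

PT_PAX_FLAGS = 0x65041580       # PT_LOOS + 0x5041580 (PaX elf.h)
XATTR_PAX = "user.pax.flags"    # extended attribute carrying XT_PAX markings

# (enable bit, disable bit, letter) per PaX feature, printed in the order
# PEMRXS (this example's choice of order).
_PAX_BITS = [
    (1 << 4,  1 << 5,  "P"),    # PAGEEXEC
    (1 << 12, 1 << 13, "E"),    # EMUTRAMP
    (1 << 8,  1 << 9,  "M"),    # MPROTECT
    (1 << 14, 1 << 15, "R"),    # RANDMMAP
    (1 << 10, 1 << 11, "X"),    # RANDEXEC
    (1 << 6,  1 << 7,  "S"),    # SEGMEXEC
]


def flags_to_string(p_flags):
    """Upper case = enabled, lower case = disabled, '-' = kernel default."""
    out = []
    for on, off, letter in _PAX_BITS:
        if p_flags & on and p_flags & off:
            raise ValueError("flag %s both enabled and disabled" % letter)
        out.append(letter if p_flags & on else letter.lower() if p_flags & off else "-")
    return "".join(out)


def _find_pt_pax(data):
    """Locate p_flags of the PT_PAX phdr; returns (offset, endianness) or None."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF object")
    ei_class, ei_data = data[4], data[5]
    end = {1: "<", 2: ">"}[ei_data]
    # e_phoff, e_phentsize and e_phnum have the same field indices in both classes.
    fmt = "HHIQQQIHHHHHH" if ei_class == 2 else "HHIIIIIHHHHHH"
    hdr = struct.unpack_from(end + fmt, data, 16)
    phoff, phentsize, phnum = hdr[4], hdr[8], hdr[9]
    for i in range(phnum):
        off = phoff + i * phentsize
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_PAX_FLAGS:
            # p_flags is the 2nd field of Elf64_Phdr but the 7th of Elf32_Phdr.
            return off + (4 if ei_class == 2 else 24), end
    return None


def read_pt_pax(data):
    """PT_PAX p_flags value, or None when the object has no PT_PAX header."""
    loc = _find_pt_pax(data)
    if loc is None:
        return None
    off, end = loc
    return struct.unpack_from(end + "I", data, off)[0]


def set_pt_pax(data, new_flags):
    """Rewrite p_flags of an existing PT_PAX header in place; return the new image.
    Like paxctl-ng, never synthesise a header (that would relayout the ELF): None."""
    loc = _find_pt_pax(data)
    if loc is None:
        return None
    off, end = loc
    out = bytearray(data)
    struct.pack_into(end + "I", out, off, new_flags)
    return bytes(out)


def read_xt_pax(path):
    """XT_PAX markings from the user.pax.flags xattr (Linux only); None if absent."""
    try:
        return os.getxattr(path, XATTR_PAX).decode()
    except (OSError, AttributeError):
        return None


def mismatches(binary_flags, lib_flags):
    """revdep-pax style check: letters where binary and library markings differ."""
    a, b = flags_to_string(binary_flags), flags_to_string(lib_flags)
    return {letter: (x, y) for (_, _, letter), x, y in zip(_PAX_BITS, a, b) if x != y}


def build_elf64(pax_flags=None):
    """Constructed test image: ELF64 LE with one PT_LOAD and, if given, a PT_PAX phdr."""
    phdrs = [(1, 5)]                            # PT_LOAD, R+X
    if pax_flags is not None:
        phdrs.append((PT_PAX_FLAGS, pax_flags))
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\0" * 9,
                       2, 62, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + body


if __name__ == "__main__":
    binary = build_elf64((1 << 4) | (1 << 8) | (1 << 14))   # PAGEEXEC, MPROTECT, RANDMMAP on
    lib = build_elf64(1 << 9)                               # library marked MPROTECT off
    print(flags_to_string(read_pt_pax(binary)), flags_to_string(read_pt_pax(lib)))
    print(mismatches(read_pt_pax(binary), read_pt_pax(lib)))
    print(set_pt_pax(build_elf64(), 0))                     # no PT_PAX header: None
```

To use it on a real system, replace build_elf64() with the bytes of a file and pass the file's path to read_xt_pax(); a caller that wants the "PT_PAX or XT_PAX or both" behaviour checks the xattr first and falls back to the program header.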