List:       gentoo-hardened
Subject:    Re: [gentoo-hardened] Some PaX (and newbie) Questions
From:       pageexec () freemail ! hu
Date:       2004-05-20 8:23:20
Message-ID: 40AC8718.18313.12AB1185 () localhost

> Well, i was directed to asking here from the networking/security forums, which 
> seemed like a good idea for the question that i had: I was wondering what I 
> have to do to get all of the PaX options selected in the kernel to be in effect 
> for all programs. It seems like going through my entire system with paxctl 
> cannot be the correct way to do this.

unless you enabled/use softmode, most of the PaX enforcements are enabled
by default (in particular, PAGEEXEC or SEGMEXEC, MPROTECT and RANDMMAP).

only EMUTRAMP and RANDEXEC have to be enabled explicitly as they either
pose a security or reliability risk (a recent toolchain will handle
EMUTRAMP automatically though). if you want to be sure, just run paxtest
and see what it reports.

> It did occur to me that this might be the default behavior, but it wouldn't 
> appear to be, as gcc has had no problems with compilations (and the trampoline 
> emulation was not selected in the kernel, nor was gcc exempted from any of the 
> enabled restrictions) so it would appear that, at least for gcc, the PaX 
> protections aren't enabled, and hence i assume they aren't for anything else (I 
> actually couldn't confirm this after a few, probably misguided, attempts at 
> paxctl -PEMRXS *).

you're confusing gcc nested function trampolines with gcc itself ;-), the
latter doesn't use the former hence no need to enable emulation on it. you'd
notice the lack of EMUTRAMP on apps that actually use nested functions (and
are not marked by the toolchain properly).


--
gentoo-hardened@gentoo.org mailing list
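Added example, not code from the thread or from the PaX project: a small reader for the PT_PAX_FLAGS program header, where paxctl stores a binary's per-feature markings, reporting for each feature whether the binary explicitly sets it or inherits the kernel default described in the reply (on unless softmode, except EMUTRAMP and RANDEXEC). The PT_PAX_FLAGS constants, the softmode rule and the little-endian ELF64 sample are assumptions of this example, not quoted in the thread.

```python
import struct

# PT_PAX_FLAGS program-header type and per-feature enable/disable bits. These are
# PaX's own ELF constants (not quoted in the thread); an upper-case letter in
# paxctl -PEMRXS sets the enable bit, the lower-case letter sets the disable bit.
PT_PAX_FLAGS = 0x65041580
PAX_FEATURES = {  # name: (enable bit, disable bit)
    "PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15),
}
# Per the reply: without softmode everything but EMUTRAMP and RANDEXEC is on by default.
DEFAULT_ON = {"PAGEEXEC", "SEGMEXEC", "MPROTECT", "RANDMMAP"}

def pax_marking(elf: bytes):
    """p_flags of the PT_PAX_FLAGS header, or None if unmarked (little-endian ELF64 only)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", elf, 32)
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            return p_flags
    return None

def effective_policy(p_flags, softmode=False):
    """{feature: (state, origin)}: 'explicit' when the binary sets a bit, 'default'
    when the kernel decides, i.e. on unless softmode (the point made in the reply)."""
    policy = {}
    for name, (en, dis) in PAX_FEATURES.items():
        bits = (p_flags or 0) & (en | dis)
        if bits == en | dis:
            raise ValueError(f"conflicting enable/disable marking for {name}")
        if bits:
            policy[name] = ("on" if bits == en else "off", "explicit")
        else:
            policy[name] = ("on" if name in DEFAULT_ON and not softmode else "off", "default")
    return policy

def build_marked_elf(p_flags: int) -> bytes:
    """Constructed sample: a bare ELF64 header followed by one PT_PAX_FLAGS program header."""
    ehdr = b"\x7fELF\x02\x01\x01" + bytes(9)  # ELFCLASS64, little-endian, EV_CURRENT
    ehdr += struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    return ehdr + struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, p_flags, 0, 0, 0, 0, 0, 0)

# Sample marking equivalent to `paxctl -me`: MPROTECT disabled, EMUTRAMP enabled, rest default.
SAMPLE = build_marked_elf(PAX_FEATURES["MPROTECT"][1] | PAX_FEATURES["EMUTRAMP"][0])
```

Calling `effective_policy(pax_marking(SAMPLE))` shows MPROTECT off and EMUTRAMP on as explicit markings while the other four features come from the kernel default; passing `softmode=True` flips those four to off, which is the behaviour the reply warns about.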