Re: kern/37992: PaX flags on non-NetBSD binaries

To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
From: christos%zoulas.com@localhost (Christos Zoulas)
Date: Sun, 10 Feb 2008 09:47:08 -0500

On Feb 10, 12:05pm, aw-netbsd%instandbesetzt.net@localhost (Andreas Wiese) 
wrote:
-- Subject: kern/37992: PaX flags on non-NetBSD binaries

| >Number:         37992
| >Category:       kern
| >Synopsis:       There's no way to save PaX flags on non-native binaries
| >Confidential:   no
| >Severity:       non-critical
| >Priority:       medium
| >Responsible:    kern-bug-people
| >State:          open
| >Class:          sw-bug
| >Submitter-Id:   net
| >Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
| >Originator:     Andreas Wiese
| >Release:        NetBSD 4.99.49
| >Organization:
|         BSD-Crew Dresden, Germany
| >Environment:
| System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
| (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
| 
root%schroeder.lan.instandbesetzt.net@localhost:/usr/obj/sys/arch/i386/compile/SCHROEDER
| i386
| Architecture: i386
| Machine: i386
| >Description:
| Hey, folks.
| 
| I played around with PaX and its several sysctl variables a while and
| was happy to see that setting security.pax.*.global to 1 seems to work
| for most programs.  The only native program not running was mplayer, but
| for this I set the according flags via paxctl(8) and everything is fine.
| 
| Then I needed to use OpenOffice (I only have the Linux version
| installed) and Linux glibc complained about being unable to write-enable
| certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
| here, so I have to disable mprotect globally to get OpenOffice work.
| 
| Is there any solution for this problem or had anybody an idea for this,
| yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
| If I understood this right, its purpose is associating meta-data with
| files, for which is no room in another way.  Why not create a
| paxflags=0x?? key-value pair for each binary, you want to set PaX flags
| on?  I see several advantages in this approach:
| 
|   1) It's transparent for different ELF formats.
|   2) You don't touch the binary itself, therefor not messing around with
|      checksums and veriexec(9), for example.
|   3) You could easily transfer your binaries to another system (for
|      whatever reason) without taking the PaX flags with you.
|   4) We would have another use for extattr(9) to present the other guys ;)
| 
| Just a quick idea I wanted to share.  Could be nonsene, too =]

Yes, it is noted in the bugs section of paxctl :-)

christos

References:
- kern/37992: PaX flags on non-NetBSD binaries
  - From: Andreas Wiese

Prev by Date: Re: kern/37986: any user can hog the all cpu with _sched_setparam.
Next by Date: Re: kern/37992: PaX flags on non-NetBSD binaries
Previous by Thread: kern/37992: PaX flags on non-NetBSD binaries
Next by Thread: Re: kern/37992: PaX flags on non-NetBSD binaries
Indexes:

Home | Main Index | Thread Index | Old Index