Re: kern/37992: PaX flags on non-NetBSD binaries

To: kern-bug-people%netbsd.org@localhost,gnats-admin%netbsd.org@localhost,netbsd-bugs%netbsd.org@localhost,Andreas Wiese <aw-netbsd%instandbesetzt.net@localhost>
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
From: christos%zoulas.com@localhost (Christos Zoulas)
Date: Sun, 10 Feb 2008 14:50:01 +0000 (UTC)

The following reply was made to PR kern/37992; it has been noted by GNATS.

From: christos%zoulas.com@localhost (Christos Zoulas)
To: gnats-bugs%NetBSD.org@localhost, kern-bug-people%netbsd.org@localhost, 
        gnats-admin%netbsd.org@localhost, netbsd-bugs%netbsd.org@localhost
Cc: 
Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
Date: Sun, 10 Feb 2008 09:47:08 -0500

 On Feb 10, 12:05pm, aw-netbsd%instandbesetzt.net@localhost (Andreas Wiese) 
wrote:
 -- Subject: kern/37992: PaX flags on non-NetBSD binaries

 | >Number:         37992
 | >Category:       kern
 | >Synopsis:       There's no way to save PaX flags on non-native binaries
 | >Confidential:   no
 | >Severity:       non-critical
 | >Priority:       medium
 | >Responsible:    kern-bug-people
 | >State:          open
 | >Class:          sw-bug
 | >Submitter-Id:   net
 | >Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
 | >Originator:     Andreas Wiese
 | >Release:        NetBSD 4.99.49
 | >Organization:
 |         BSD-Crew Dresden, Germany
 | >Environment:
 | System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
 | (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
 | 
root%schroeder.lan.instandbesetzt.net@localhost:/usr/obj/sys/arch/i386/compile/SCHROEDER
 | i386
 | Architecture: i386
 | Machine: i386
 | >Description:
 | Hey, folks.
 | 
 | I played around with PaX and its several sysctl variables a while and
 | was happy to see that setting security.pax.*.global to 1 seems to work
 | for most programs.  The only native program not running was mplayer, but
 | for this I set the according flags via paxctl(8) and everything is fine.
 | 
 | Then I needed to use OpenOffice (I only have the Linux version
 | installed) and Linux glibc complained about being unable to write-enable
 | certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
 | here, so I have to disable mprotect globally to get OpenOffice work.
 | 
 | Is there any solution for this problem or had anybody an idea for this,
 | yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
 | If I understood this right, its purpose is associating meta-data with
 | files, for which is no room in another way.  Why not create a
 | paxflags=0x?? key-value pair for each binary, you want to set PaX flags
 | on?  I see several advantages in this approach:
 | 
 |   1) It's transparent for different ELF formats.
 |   2) You don't touch the binary itself, therefor not messing around with
 |      checksums and veriexec(9), for example.
 |   3) You could easily transfer your binaries to another system (for
 |      whatever reason) without taking the PaX flags with you.
 |   4) We would have another use for extattr(9) to present the other guys ;)
 | 
 | Just a quick idea I wanted to share.  Could be nonsene, too =]

 Yes, it is noted in the bugs section of paxctl :-)

 christos

Follow-Ups:
- Re: pkg/29836
  - From: Jared D. McNeill

Prev by Date: Re: kern/37992: PaX flags on non-NetBSD binaries
Next by Date: Re: kern/37933: very frequent crashes after suspend/resume
Previous by Thread: Re: kern/37992: PaX flags on non-NetBSD binaries
Next by Thread: Re: pkg/29836
Indexes:

Home | Main Index | Thread Index | Old Index