Hi everyone, I've been doing some experimental work with PaX enabled kernels and I wanted to share it with the community at large for feedback.
Motivation: There are two (soon three) ways of doing PaX markings so that a PaX enabled kernel knows what restrictions to put on the running process. These are:

1) EI_PAX markings. This puts the PaX flags in the ELF header, in bytes 14 and 15 of the e_ident[] field. This was a "hijacked" area and is now broken. [1]

2) PT_PAX markings. This puts the flags in an ELF program header. On Gentoo systems, all binaries are compiled with a PT_PAX header ready to go because of a patch against binutils [2]. The problem is precompiled binaries which lack a PT_PAX header and cannot have one added without breaking (e.g. skype).

3) XT_PAX markings. This is the new experimental way of doing the markings, using xattrs for the PaX markings. Currently I'm using the namespace "user.pax" so as to allow users to mark their own binaries, but this may change to "security.pax" depending on what direction upstream (i.e. pipacs) wants to go. The advantage here is that the ELF binary is not mangled in any way, since the xattrs live in the inodes, not the blocks. The disadvantage is that xattrs are not supported on all filesystems and in all the utilities we need for portage to work.

I'm working to get xattrs supported where we need them. This will also help with supporting other features like ACLs and CAPS. To this end:

a) There is a patch against tar to support xattrs, based on a Fedora patch. [3]
b) Kernels 3.0 and above support xattrs in tmpfs, squashfs and other filesystems.
c) Python 3.3 and above support os.getxattr and os.setxattr, and zmedico and Arfrever have patched portage to copy xattrs from ${D} to ${ROOT}.
d) There's probably more .... feedback welcome!

I've built two test systems, amd64 and x86, and so far so good. Prometheanfire tested too and helped find some snags. If anyone is interested, I've got a HOWTO on converting any Gentoo system to a *pure* XT_PAX hardened system [4], i.e. one with *no* EI_PAX or PT_PAX.

This will not be the final situation, where we will have backwards compat with PT_PAX but not EI_PAX. However, for testing it will force any issues with XT_PAX to the foreground. Since many of you know more about the internals of Gentoo than I do, I would appreciate any suggestions regarding what I might be missing if we eventually migrate in this direction.

References:

[1] https://bugs.gentoo.org/show_bug.cgi?id=387459
[2] As of this writing, PT_PAX support is provided by patch 63_all_binutils-2.21.1-pt-pax-flags-20110918.patch, which can be obtained from the patch bundles found at http://dev.gentoo.org/~vapier/dist/ among other places.
[3] https://bugs.gentoo.org/show_bug.cgi?id=382067
[4] http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-dev.git;a=blob;f=HOWTO.txt;h=9edc600f0d81d5e77c6cd7e961a05b56f51b51ec;hb=f4d0da5dcaf12e4b9a70c1d2528becf649b1de61

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail : bluen...@gentoo.org
GnuPG FP : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID : D0455535
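To show what the XT_PAX scheme above amounts to in practice, here is an added example (not code from the post, from portage or from the hardened project) that reads a PaX marking out of an xattr, validates the flag string, and propagates it from a ${D} tree to ${ROOT} the way item c) describes, using the os.getxattr/os.setxattr calls the post mentions. The attribute name "user.pax.flags" under the post's "user.pax" namespace is an assumption, and the feature letters (P, S, E, M, R, X) are PaX's usual ones rather than something the post spells out.

```python
"""Read, validate and propagate XT_PAX markings stored as xattrs."""
import errno
import os

# Attribute name inside the post's "user.pax" namespace: an assumption here.
PAX_XATTR = "user.pax.flags"
# errno values meaning "no marking to copy" rather than a real failure.
NO_MARKING = (errno.ENODATA, errno.ENOTSUP)
# PaX features and their flag letters: upper case enables, lower case disables.
PAX_FEATURES = {"P": "PAGEEXEC", "S": "SEGMEXEC", "E": "EMUTRAMP",
                "M": "MPROTECT", "R": "RANDMMAP", "X": "RANDEXEC"}


def parse_pax_flags(value):
    """Map a flag string such as "PeMRxS" to {feature: True/False/None}.
    None means kernel default. An unknown letter, or a letter together with
    its opposite case, raises so a corrupt marking is never applied."""
    state = {name: None for name in PAX_FEATURES.values()}
    for ch in value.strip():
        if ch == "-":  # placeholder for "not set", as paxctl prints it
            continue
        name = PAX_FEATURES.get(ch.upper())
        if name is None:
            raise ValueError(f"unknown PaX flag {ch!r}")
        wanted = ch.isupper()
        if state[name] is not None and state[name] != wanted:
            raise ValueError(f"conflicting settings for {name}")
        state[name] = wanted
    return state


def copy_pax_xattr(src, dst, getxattr=os.getxattr, setxattr=os.setxattr):
    """Copy the marking from src (e.g. under ${D}) to dst (under ${ROOT}).
    Returns True if a marking was copied, False if src carries none or the
    filesystem lacks xattr support. The getter/setter are injectable so the
    logic can be exercised without an xattr-capable filesystem."""
    try:
        raw = getxattr(src, PAX_XATTR)
    except OSError as exc:
        if exc.errno in NO_MARKING:
            return False
        raise
    parse_pax_flags(raw.decode("ascii"))  # validate before writing it out
    setxattr(dst, PAX_XATTR, raw)
    return True


if __name__ == "__main__":  # print the marking of each binary given on argv
    import sys
    for path in sys.argv[1:]:
        print(path, parse_pax_flags(os.getxattr(path, PAX_XATTR).decode()))
```

Run it as `python3 xtpax.py /path/to/binary` on an XT_PAX system to see how a marking decodes; on a filesystem without user xattrs the copy step reports False instead of failing, which is exactly the portability gap the post is working through.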