-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Russell Coker wrote:
| On Mon, 26 Jul 2004 13:48, John Richard Moser <[EMAIL PROTECTED]> wrote:
|
|>| Before we can even start thinking about PaX on Debian we need to find a
|>| maintainer for the kernel patch who will package new versions of the
|>| patch which apply to the Debian kernel source tree. We have had a few
|>
|>Are you talking PaX or grsecurity? PaX is significantly less invasive
|>than grsecurity. There will still be issues, of course.
|
|
| PaX. AFAIK the only PaX kernel-patch package in Debian is the Adamantix
| kernel source, which has RSBAC and a bunch of other stuff, and the GRSec
| patch. Neither of them apply to the Debian kernel source tree.
|
|
I'm pretty much proposing that all your sources include PaX; your binaries can have it compiled out. I've got a working PaX patch for 2.6.7-ck* :) It was only a 1 miss issue. I'll see if Deb sources are kind or if they rape my ass. . .
|>Where would I see debian's 2.6.7 source tree? I'm not a deb user,
|>remember, so I'll need a tarball or something.
|
|
| http://ftp.debian.org/debian/pool/main/k/
|
OK how the hell does this work? What's this supposed to apply to? kernel-source-2.6.7_2.6.7-3_all.deb ?
ahh, 2.6.7 + kernel-source-2.6.7_2.6.7-3.diff.gz
I'll get on this right away. . . . I don't really see anything that stands out in my brain, so I think PaX will apply pretty cleanly to this.
icebox linux-2.6.7-deb # patch -p1 < ../kernel-source-2.6.7_2.6.7-3.diff
patching file debian/changelog
patching file debian/control
patching file debian/apply
patching file debian/patches/drivers-sb-pnp_unregister.dpatch
patching file debian/patches/fs-cramfs-constify.dpatch
patching file debian/patches/fs-jfs-compile.dpatch
patching file debian/patches/netlink-macro-fixups.dpatch
patching file debian/patches/acpi-typo.dpatch
patching file debian/patches/envp.dpatch
patching file debian/patches/include-linux-mca.h-fixups.dpatch
patching file debian/patches/x86-i486_emu.dpatch
patching file debian/patches/doc-post_halloween.dpatch
patching file debian/patches/fs-isofs-acorn.dpatch
patching file debian/patches/drivers-scsi-advansys-dma_api.dpatch
patching file debian/patches/modular-ide-pnp.dpatch
patching file debian/patches/include-missing-includes.dpatch
patching file debian/patches/include-thread_info-ifdefs.dpatch
patching file debian/patches/modular-ide.dpatch
patching file debian/patches/fs-isofs-dont-check-period.dpatch
patching file debian/patches/dont-dereference-netdev.name-before-register_netdev.dpatch
patching file debian/patches/drivers-net-tg3-readd.dpatch
patching file debian/patches/DPATCH
patching file debian/patches/drivers-usb-net-pegasus-startstop_queue.dpatch
patching file debian/patches/drivers-net-via_rhine-avoid_bitfield.dpatch
patching file debian/patches/remove-references-to-removed-drivers.dpatch
patching file debian/patches/drivers-ide-dma-blacklist-toshiba.dpatch
patching file debian/patches/alpha-epoch-comment.dpatch
patching file debian/patches/ipsec-missing_wakeup.dpatch
patching file debian/patches/00list-1
patching file debian/patches/drivers-scsi-generic_proc_info.dpatch
patching file debian/patches/drivers-isdn-io_funcs-fixup.dpatch
patching file debian/patches/drivers-scsi-sd-NO_SENSE.dpatch
patching file debian/patches/extraversion.dpatch
patching file debian/patches/alpha-tembits.dpatch
patching file debian/patches/drivers-input-psaux-hacks.dpatch
patching file debian/patches/drivers-input-hiddev-HIDIOCGUCODE.dpatch
patching file debian/patches/drivers-atkbd-quiten.dpatch
patching file debian/patches/drivers-scsi_changer.dpatch
patching file debian/patches/modular-swsusp.dpatch
patching file debian/patches/drivers-dpt_i2o-fixup.dpatch
patching file debian/patches/drivers-net-8139too-locking.dpatch
patching file debian/patches/drivers-net-irda-dma_api.dpatch
patching file debian/patches/modular-vesafb.dpatch
patching file debian/patches/chown-gid-check.dpatch
patching file debian/patches/drivers-ftape.dpatch
patching file debian/patches/fs-asfs.dpatch
patching file debian/patches/00list-2
patching file debian/patches/fs-asfs-2.dpatch
patching file debian/patches/00list-3
patching file debian/patches/chown-procfs.dpatch
patching file debian/patches/3w-9xxx.dpatch
patching file debian/patches/marvell-pegasos.dpatch
patching file debian/patches/xfs-update.dpatch
patching file debian/patches/marvell-mm.dpatch
patching file debian/patches/netfilter-signedcharbug.dpatch
patching file debian/README.NMU
patching file debian/rules
patching file debian/make-kernel-patch-pkgs
patching file debian/ChangeLog-2.6.7
patching file debian/substvars
patching file debian/prune-non-free
patching file debian/list-patches
patching file debian/unpatch
patching file debian/make-substvars
patching file debian/copyright
patching file debian/substvars.safe
patching file debian/official
patching file debian/README.Debian
So far so good, PaX next, dry run test real quick.
icebox linux-2.6.7-deb # patch -p1 --dry-run < ../pax-linux-2.6.7-200406252135.patch
patching file arch/alpha/kernel/osf_sys.c
patching file arch/alpha/mm/fault.c
patching file arch/i386/Kconfig
patching file arch/i386/kernel/apm.c
patching file arch/i386/kernel/cpu/common.c
patching file arch/i386/kernel/entry.S
patching file arch/i386/kernel/head.S
patching file arch/i386/kernel/ldt.c
patching file arch/i386/kernel/process.c
patching file arch/i386/kernel/reboot.c
patching file arch/i386/kernel/setup.c
patching file arch/i386/kernel/signal.c
patching file arch/i386/kernel/sys_i386.c
patching file arch/i386/kernel/sysenter.c
patching file arch/i386/kernel/trampoline.S
patching file arch/i386/kernel/traps.c
patching file arch/i386/kernel/vmlinux.lds.S
patching file arch/i386/mm/fault.c
patching file arch/i386/mm/init.c
patching file arch/i386/pci/pcbios.c
patching file arch/ia64/ia32/binfmt_elf32.c
patching file arch/ia64/ia32/ia32priv.h
patching file arch/ia64/ia32/sys_ia32.c
patching file arch/ia64/kernel/sys_ia64.c
patching file arch/ia64/mm/fault.c
patching file arch/mips/kernel/binfmt_elfn32.c
patching file arch/mips/kernel/binfmt_elfo32.c
patching file arch/mips/kernel/syscall.c
patching file arch/mips/mm/fault.c
patching file arch/parisc/kernel/sys_parisc.c
patching file arch/parisc/kernel/traps.c
patching file arch/parisc/mm/fault.c
patching file arch/ppc/kernel/syscalls.c
patching file arch/ppc/mm/fault.c
patching file arch/ppc64/kernel/syscalls.c
patching file arch/ppc64/mm/fault.c
patching file arch/sparc/kernel/sys_sparc.c
patching file arch/sparc/kernel/sys_sunos.c
patching file arch/sparc/mm/fault.c
patching file arch/sparc/mm/init.c
patching file arch/sparc/mm/srmmu.c
patching file arch/sparc64/kernel/itlb_base.S
patching file arch/sparc64/kernel/sys_sparc.c
patching file arch/sparc64/kernel/sys_sunos32.c
patching file arch/sparc64/mm/fault.c
patching file arch/sparc64/solaris/misc.c
patching file arch/x86_64/ia32/ia32_binfmt.c
patching file arch/x86_64/ia32/sys_ia32.c
patching file arch/x86_64/kernel/setup64.c
patching file arch/x86_64/kernel/sys_x86_64.c
patching file arch/x86_64/mm/fault.c
patching file drivers/char/mem.c
patching file drivers/char/random.c
patching file drivers/pnp/pnpbios/bioscalls.c
patching file drivers/scsi/scsi_devinfo.c
patching file drivers/video/vesafb.c
patching file fs/binfmt_aout.c
patching file fs/binfmt_elf.c
patching file fs/binfmt_flat.c
patching file fs/binfmt_misc.c
patching file fs/exec.c
patching file fs/proc/array.c
patching file fs/proc/task_mmu.c
patching file include/asm-alpha/a.out.h
patching file include/asm-alpha/elf.h
patching file include/asm-alpha/mman.h
patching file include/asm-alpha/page.h
patching file include/asm-alpha/pgtable.h
patching file include/asm-i386/a.out.h
patching file include/asm-i386/desc.h
patching file include/asm-i386/elf.h
patching file include/asm-i386/mach-default/apm.h
patching file include/asm-i386/mach-pc9800/apm.h
patching file include/asm-i386/mman.h
patching file include/asm-i386/mmu.h
patching file include/asm-i386/mmu_context.h
patching file include/asm-i386/page.h
patching file include/asm-i386/pgalloc.h
patching file include/asm-i386/pgtable.h
patching file include/asm-i386/processor.h
patching file include/asm-i386/system.h
patching file include/asm-ia64/elf.h
patching file include/asm-ia64/mman.h
patching file include/asm-ia64/page.h
patching file include/asm-ia64/pgtable.h
patching file include/asm-ia64/ustack.h
patching file include/asm-mips/a.out.h
patching file include/asm-mips/elf.h
patching file include/asm-mips/page.h
patching file include/asm-parisc/a.out.h
patching file include/asm-parisc/elf.h
patching file include/asm-parisc/mman.h
patching file include/asm-parisc/page.h
patching file include/asm-parisc/pgtable.h
patching file include/asm-ppc/a.out.h
patching file include/asm-ppc/elf.h
patching file include/asm-ppc/mman.h
patching file include/asm-ppc/page.h
patching file include/asm-ppc/pgtable.h
patching file include/asm-ppc64/a.out.h
patching file include/asm-ppc64/elf.h
patching file include/asm-ppc64/mman.h
patching file include/asm-ppc64/page.h
patching file include/asm-ppc64/pgtable.h
patching file include/asm-sparc/a.out.h
patching file include/asm-sparc/elf.h
patching file include/asm-sparc/mman.h
patching file include/asm-sparc/page.h
patching file include/asm-sparc/pgtable.h
patching file include/asm-sparc/pgtsrmmu.h
patching file include/asm-sparc/uaccess.h
patching file include/asm-sparc64/a.out.h
patching file include/asm-sparc64/elf.h
patching file include/asm-sparc64/mman.h
patching file include/asm-sparc64/page.h
patching file include/asm-sparc64/pgtable.h
patching file include/asm-x86_64/a.out.h
patching file include/asm-x86_64/elf.h
patching file include/asm-x86_64/mman.h
patching file include/asm-x86_64/page.h
patching file include/asm-x86_64/pgalloc.h
patching file include/asm-x86_64/pgtable.h
patching file include/linux/a.out.h
patching file include/linux/binfmts.h
patching file include/linux/elf.h
patching file include/linux/mm.h
patching file include/linux/mman.h
patching file include/linux/random.h
patching file include/linux/sched.h
patching file include/linux/sysctl.h
patching file kernel/fork.c
patching file kernel/sysctl.c
patching file mm/filemap.c
patching file mm/madvise.c
patching file mm/memory.c
patching file mm/mlock.c
patching file mm/mmap.c
patching file mm/mprotect.c
patching file mm/mremap.c
patching file mm/rmap.c
patching file security/Kconfig
icebox linux-2.6.7-deb #
. . . . what maintainer? You just need a packager for now; the patch applies cleanly to the debian sources for 2.6.7.
|
|>| We have recently discussed this on at least one of the lists you
|>| posted to.
|>
|>| The end result of the discussion is that GCC is getting another SSP type
|>| technology known as "mudflap". Mudflap depends on some major new
|>| features of
|>| GCC 3.5, so it looks like we won't be getting this until GCC 3.5 as the
|>| Debian GCC people don't want to merge in other patches which have no
|>| apparent chance of being included upstream.
|>
|>Then don't use ProPolice/SSP for now.
|
|
| That seems to be what will happen. I'd rather see SSP included sooner, but I
| guess it won't happen.
|

I'm glad to see somebody's sane :)
Now, read this very carefully, as it's important.
http://pax.grsecurity.net/binutils-2.14.90.0.8-pt-pax-flags-200402042140.patch
http://pax.grsecurity.net/binutils-2.15.91.0.1-pt-pax-flags-200405291420.patch
These two binutils patches are on pax.grsecurity.net. They affect binutils-2.14.90.0.8 and 2.15.91.0.1, respectively.
These add PT_PAX_FLAGS to the ELF headers that binutils produces. These ELF files are compatible with non-PaX Linux systems. It is HIGHLY recommended that you use the corresponding patch for the version of binutils used to build Debian's base system, rather than use the deprecated EI_PAX field used by chpax.

Even if you're not interested in patches that won't necessarily go to mainline, this is HIGHLY recommended. The EI_PAX field is an unused field, while PT_PAX_FLAGS is created specifically for PaX. This means you can't predict what else might use EI_PAX (including other experimental patches end users find/create). That field is volatile under certain conditions; for example, in at least some versions of strip, strip clears the EI_PAX flags. All versions of strip I'm aware of leave PT_PAX_FLAGS untouched.
Also, by using this and PaX, you could very well influence the mainline for the toolchain :)
That's a strong recommendation for if you go with PaX. You can ignore it, but be ready to face any consequences that are incurred, if any.
- --
All content of all messages exchanged herein is left in the Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBBIXehDd4aOud5P8RAkMJAJ4+m/W+Bw1AkHp2+lsJ4QNGfJIjBwCghY2I
D8Z9hnzvRPe4Nw0a78GHlGk=
=qlsd
-----END PGP SIGNATURE-----
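The PT_PAX_FLAGS versus EI_PAX point in the message above, as an added example that is not part of the post or of the PaX/binutils patches it links: a small Python checker that reads both markings from an ELF image, so a packager can verify which one a built binary actually carries. The constants are taken from the PaX kernel patch's include/linux/elf.h (PT_PAX_FLAGS = 0x65041580 and the PF_* enable/disable bit pairs) and from chpax (EI_PAX at offset 14 in e_ident). The sample ELF image is constructed inline with no code in it, and zero_ei_pax() only models the behaviour the post attributes to some versions of strip (padding bytes in e_ident rewritten, program headers untouched); it does not run the real strip.

```python
"""Inspect the two PaX markings an ELF file can carry: PT_PAX_FLAGS vs EI_PAX.

Added example, not code from the post. Constants follow the PaX patch's
include/linux/elf.h and chpax; the sample image is constructed inline and
zero_ei_pax() is a model of "strip clears EI_PAX", not the real strip.
"""
import struct
import sys

PT_PAX_FLAGS = 0x65041580   # PT_LOOS + 0x5041580, the program header PaX looks for
EI_PAX = 14                 # legacy chpax marking: two padding bytes inside e_ident

# p_flags bits on the PT_PAX_FLAGS header. Each feature has an explicit enable
# and an explicit disable bit; neither set means "use the kernel default".
PAX_PF_BITS = {
    "PAGEEXEC": 1 << 4,  "NOPAGEEXEC": 1 << 5,
    "SEGMEXEC": 1 << 6,  "NOSEGMEXEC": 1 << 7,
    "MPROTECT": 1 << 8,  "NOMPROTECT": 1 << 9,
    "RANDEXEC": 1 << 10, "NORANDEXEC": 1 << 11,
    "EMUTRAMP": 1 << 12, "NOEMUTRAMP": 1 << 13,
    "RANDMMAP": 1 << 14, "NORANDMMAP": 1 << 15,
}


def decode_pax_pflags(p_flags):
    """Names of the PaX bits set in a PT_PAX_FLAGS p_flags word."""
    return sorted(name for name, bit in PAX_PF_BITS.items() if p_flags & bit)


def read_pax_marking(data):
    """Return {'ei_pax', 'pt_pax_flags', 'flags'} for an ELF32 or ELF64 image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = data[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = LSB, 2 = MSB
    ei_pax = struct.unpack_from(end + "H", data, EI_PAX)[0]
    if is64:
        e_phoff = struct.unpack_from(end + "Q", data, 32)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 54)
    else:
        e_phoff = struct.unpack_from(end + "I", data, 28)[0]
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 42)
    result = {"ei_pax": ei_pax, "pt_pax_flags": None, "flags": []}
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if is64:                             # Elf64_Phdr: p_type then p_flags
            p_type, p_flags = struct.unpack_from(end + "II", data, off)
        else:                                # Elf32_Phdr: p_flags sits at +24
            p_type = struct.unpack_from(end + "I", data, off)[0]
            p_flags = struct.unpack_from(end + "I", data, off + 24)[0]
        if p_type == PT_PAX_FLAGS:
            result["pt_pax_flags"] = p_flags
            result["flags"] = decode_pax_pflags(p_flags)
            break
    return result


def build_elf64(phdrs, ei_pax=0):
    """Constructed sample: a headers-only little-endian x86_64 ELF image.
    phdrs is a list of (p_type, p_flags); no code or sections are emitted."""
    e_ident = bytearray(16)
    e_ident[0:4] = b"\x7fELF"
    e_ident[4], e_ident[5], e_ident[6] = 2, 1, 1    # ELF64, LSB, EV_CURRENT
    struct.pack_into("<H", e_ident, EI_PAX, ei_pax)
    ehdr = bytes(e_ident) + struct.pack(
        "<HHIQQQIHHHHHH",
        2, 62, 1, 0x400000,            # ET_EXEC, EM_X86_64, e_version, e_entry
        64, 0, 0,                      # e_phoff (directly after ehdr), e_shoff, e_flags
        64, 56, len(phdrs), 64, 0, 0)  # e_ehsize, e_phentsize, e_phnum, sh* fields
    phdr_bytes = b"".join(
        struct.pack("<IIQQQQQQ", p_type, p_flags, 0, 0, 0, 0, 0, 0x1000)
        for p_type, p_flags in phdrs)
    return ehdr + phdr_bytes


def zero_ei_pax(data):
    """Model of the failure mode described in the post: a tool that rewrites
    the e_ident padding wipes the legacy marking but never touches phdrs."""
    out = bytearray(data)
    out[EI_PAX:EI_PAX + 2] = b"\x00\x00"
    return bytes(out)


def demo():
    """Mark a constructed binary both ways, then see which marking survives."""
    wanted = PAX_PF_BITS["NOMPROTECT"] | PAX_PF_BITS["RANDMMAP"]
    img = build_elf64([(1, 5), (PT_PAX_FLAGS, wanted)], ei_pax=0x0023)  # PT_LOAD R+X
    before = read_pax_marking(img)
    after = read_pax_marking(zero_ei_pax(img))
    return before, after


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # inspect a real binary if one is given
        with open(sys.argv[1], "rb") as f:
            print(read_pax_marking(f.read()))
    else:
        print(demo())
```

Run it with a path argument to check a real binary from a build; without one it runs demo(), which shows the EI_PAX word going to zero while the PT_PAX_FLAGS bits come back unchanged. For a toolchain check in packaging, the useful condition is `pt_pax_flags is not None` on binaries built with the patched binutils, and a flag set that matches what the build intended to pin.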