Andres Salomon wrote:
| On Sun, 25 Jul 2004 12:57:29 -0400, John Richard Moser wrote:
|
| I'm interested in discussing the viability of PaX on Debian. I'd like
| to discuss the changes to the base system that would be made, the costs
| in terms of overhead and compatibility, the gains in terms of security,
| and the mutability (elimination) of the costs.
|
|> I think debian-kernel would be a better place to discuss this (at least,
|> the PAX stuff). I have used PAX/grsec for a while now, on 2.4, and have
|> been very pleased with it. I would love to be able to include it in
|> debian 2.6 kernels, but we need to make sure that:
|
|> a) it's stable (currently, we have a glibc bug that breaks PAX; #245563.
|> I've also heard reports of various grsec problems on 2.6; I don't know how
|> many of those are PAX issues)

Did some digging. pipacs said that PAGEEXEC force-enables the 'disable vsyscall' option, so you'd be forced to use SEGMEXEC on x86 to avoid #245563, if I'm reading this right. On amd64, it should be fine; he said that vsyscall is force disabled because having a high page executable area will cause PAGEEXEC performance to fall through the ground, due to the workings of the recent speed-up (which follows the same method Exec Shield uses as a speed boost, and falls back to the old way when that fails). Because amd64 has hardware NX, there's no emulation issue, thus I'm supposing no breakage due to vsyscall.
Tags added: fixed-upstream
Request was from GOTO Masanori <[EMAIL PROTECTED]> to [EMAIL PROTECTED]. Full text available.
Fixed in upstream. Either use an updated glibc in the next debian release (I know there's no way you're going to suddenly shift STABLE to PaX/pie/ssp, and I'm even going to recommend AGAINST that due to Debian's development model), or backport the changes to whatever glibc you use.
-- All content of all messages exchanged herein is left in the Public Domain, unless otherwise explicitly stated.
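The performance point in the message above (a high executable page defeating the segment-limit speed-up), as an added example that is not part of the original message and is not PaX or Exec Shield code. It assumes a simplified model in which the fast path marks everything below one limit as executable; the maps text, the `[vdso]` label and all function names are constructed for illustration.

```python
# Added example: simplified model of a segment-limit NX speed-up (assumption,
# not PaX code). SAMPLE_MAPS is constructed data in /proc/<pid>/maps format.
SAMPLE_MAPS = """\
08048000-08050000 r-xp 00000000 03:01 1234 /bin/cat
08050000-08051000 rw-p 00008000 03:01 1234 /bin/cat
08051000-08072000 rw-p 00000000 00:00 0 [heap]
b7e00000-b7f30000 r-xp 00000000 03:01 5678 /lib/libc.so.6
b7f30000-b7f34000 rw-p 00130000 03:01 5678 /lib/libc.so.6
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]
ffffe000-fffff000 r-xp 00000000 00:00 0 [vdso]
"""

def parse_maps(text):
    """Return a list of (start, end, perms, name) tuples."""
    out = []
    for line in text.splitlines():
        fields = line.split(None, 5)
        if len(fields) < 5:
            continue  # skip blank or malformed lines
        start, end = (int(x, 16) for x in fields[0].split("-"))
        name = fields[5].strip() if len(fields) == 6 else ""
        out.append((start, end, fields[1], name))
    return out

def exec_limit(mappings, ignore=()):
    """Smallest limit covering every executable mapping not in `ignore`."""
    ends = [end for _, end, perms, name in mappings
            if "x" in perms and name not in ignore]
    return max(ends, default=0)

def exposed_data(mappings, limit):
    """Non-executable mappings that start below the limit, so the limit
    alone cannot keep them non-executable (the slow fallback must)."""
    return [name or hex(start) for start, _, perms, name in mappings
            if "x" not in perms and start < limit]

def report(text, ignore=()):
    maps = parse_maps(text)
    limit = exec_limit(maps, ignore)
    return limit, exposed_data(maps, limit)

if __name__ == "__main__":
    for label, ignore in (("high exec page mapped", ()),
                          ("high exec page disabled", ("[vdso]",))):
        limit, exposed = report(SAMPLE_MAPS, ignore)
        print(f"{label}: limit={limit:#x} exposed={exposed}")
```

With the high page present the limit spans nearly the whole address space and every data mapping falls under it; with it disabled, the stack and libc data sit above the limit.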