-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This post is also being forwarded to debian-kernel, as it contains the appropriate kernel settings. This is a continuation of the message from the debian-security and debian-devel lists, archived at
http://lists.debian.org/debian-security/2004/07/msg00159.html
There is a recapitulation of the data from this thread at
http://lists.debian.org/debian-security/2004/07/msg00201.html
As noted, kernel settings have not yet been discussed. Here, I will discuss the settings I recommend for best compatibility, and what issues PaX raises in kernel packaging.
It still hasn't been decided whether Debian will actually supply a PaX-enabled base, with ET_DYN binaries or even with PT_PAX_FLAGS in the ELF headers (the PaX binutils patch produces these) and appropriate markings to prevent breakage under a PaX kernel.
If Debian is indeed going to support a PaX protected base, it will have to supply a PaX kernel to make any use of it; however, it is possible to supply a PaX kernel without the special base. Things will break under the PaX kernel without the support of the distribution to find and mark these ahead of time; but it would still make an easy first step. Users should NOT by default use a PaX kernel image without a PaX base!
In either case, the below settings can be used most safely with PaX on x86. Notes about breakage and other architectures appear below; read them if you intend to make any use of this.
Security options  --->
  PaX  --->
    [*] Enable various PaX features
    PaX Control  --->
      [*] Support soft mode
      [*] Use legacy ELF header marking
      [*] Use ELF program header marking
      MAC system integration (none)  --->
    Non-executable pages  --->
      [*] Enforce non-executable pages
      [*]   Paging based non-executable pages
      [*]   Segmentation based non-executable pages
            Default non-executable page method (SEGMEXEC)  --->
      [*]   Emulate trampolines
      [*]   Restrict mprotect()
      [ ]     Disallow ELF text relocations
    Address Space Layout Randomization  --->
      [*] Address Space Layout Randomization
      [*]   Randomize kernel stack base
      [*]   Randomize user stack base
      [*]   Randomize mmap() base
      [*]   Randomize ET_EXEC base
      ---     Disable the vsyscall page
The "[ ] Disallow ELF text relocations" option must be disabled, or certain programs won't work. There is no way to disable it at runtime that I am aware of.
"MAC system integration (none) --->" can be set to "Hook" (I believe) for certain SELinux patches or for other ACL systems; but this is beyond the scope. ACL systems are appropriate for Adamantix, but I do not believe they are appropriate for Debian's standard distribution.
"[*] Paging based non-executable pages" will FORCE "Disable the vsyscall page" to be enabled on x86. This breaks Debian's current glibc, as per Debian Bug #245563; however, this issue is fixed in upstream glibc (as noted on the bug). The patches should be backported so that PAGEEXEC can be used, and/or a newer glibc should be used on whatever Debian release starts off with PaX. This should not affect amd64 or other archs.
Archs with a hardware NX bit should use PAGEEXEC. This includes AMD64 and PowerPC, I believe, as well as many others (sparc, etc.).
"[*] Segmentation based non-executable pages" (SEGMEXEC), when used, will halve the virtual address space available to a task. Be wary.
A patch can be supplied that will make the "Default non-executable page method" selectable at boot via a kernel command line option.
A big one here: it was found that PaX patches cleanly onto Debian's patched 2.6.7 kernel. You may or may not supply PaX in your base kernel patch set; however, it is encouraged that you supply *BOTH* a PaX-enabled and a PaX-disabled kernel. Just putting "N" on 'Enable various PaX features' up there for the PaXless one should be sufficient.
There are various other patches that go well with PaX, such as the obscurity patch (which NULLs out /proc/<PID>/maps to prevent basic information leaking) and the pax_default_nx= patch. It's up to you to decide what you want if you're going to supply a more secure kernel image.
- --
All content of all messages exchanged herein are left in the Public Domain, unless otherwise explicitly stated.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBBsDuhDd4aOud5P8RAiKJAJ92Zam6Xho/nCYt0AEOAVVhm7j/0QCbBSRA
plOEaYP3i3KEhx2h2mgCt1o=
=8h/m
-----END PGP SIGNATURE-----
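An added example, not code from the post, from Debian or from the PaX project: a small Python inspector for the ELF properties the post keeps coming back to. It reports whether an executable is ET_EXEC or ET_DYN, decodes the PT_PAX_FLAGS program header that the PaX binutils patch (or paxctl) writes to mark a binary ahead of time, and checks the dynamic section for DT_TEXTREL / DF_TEXTREL, which is what the "Disallow ELF text relocations" option is about. The PT_PAX_FLAGS type value and the per-feature on/off bit positions are taken from the PaX patch's elf.h. The ELF it builds when run without an argument is constructed inline (headers and a dynamic array only, no code) purely as offline sample input; the script only reads markings, it does not write them.

```python
#!/usr/bin/env python3
"""Read an ELF executable and report: ET_EXEC vs ET_DYN, what its PT_PAX_FLAGS
program header (if any) asks a PaX kernel to do, and whether it needs text
relocations.  Added example; constants from the PaX patch's elf.h."""
import struct
import sys

# Generic ELF constants, plus the PaX additions.
ET_EXEC, ET_DYN = 2, 3
PT_DYNAMIC = 2
PT_LOOS = 0x60000000
PT_PAX_FLAGS = PT_LOOS + 0x5041580      # 0x65041580: written by the PaX binutils patch / paxctl
DT_NULL, DT_TEXTREL, DT_FLAGS = 0, 22, 30
DF_TEXTREL = 0x4

# Each PaX feature has a "force on" bit and a "force off" bit in p_flags;
# neither set means "use the kernel's default for this feature".
PAX_BITS = {
    "PAGEEXEC": (1 << 4, 1 << 5),
    "SEGMEXEC": (1 << 6, 1 << 7),
    "MPROTECT": (1 << 8, 1 << 9),
    "RANDEXEC": (1 << 10, 1 << 11),
    "EMUTRAMP": (1 << 12, 1 << 13),
    "RANDMMAP": (1 << 14, 1 << 15),
}


def _formats(data):
    """Return (is64, ehdr_fmt, phdr_fmt, dyn_fmt) from e_ident; LE and BE both handled."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"
    if data[4] == 1:                                      # ELFCLASS32 (i386)
        return False, end + "16sHHIIIIIHHHHHH", end + "IIIIIIII", end + "iI"
    if data[4] == 2:                                      # ELFCLASS64 (amd64)
        return True, end + "16sHHIQQQIHHHHHH", end + "IIQQQQQQ", end + "qQ"
    raise ValueError("unknown EI_CLASS %d" % data[4])


def inspect_elf(data):
    is64, ehdr_fmt, phdr_fmt, dyn_fmt = _formats(data)
    ehdr = struct.unpack_from(ehdr_fmt, data, 0)
    e_type, e_phoff, e_phentsize, e_phnum = ehdr[1], ehdr[5], ehdr[9], ehdr[10]
    info = {"type": {ET_EXEC: "ET_EXEC", ET_DYN: "ET_DYN"}.get(e_type, hex(e_type)),
            "pax": None, "textrel": False}
    for i in range(e_phnum):
        ph = struct.unpack_from(phdr_fmt, data, e_phoff + i * e_phentsize)
        if is64:   # Elf64_Phdr puts p_flags second; Elf32_Phdr puts it seventh
            p_type, p_flags, p_offset, p_filesz = ph[0], ph[1], ph[2], ph[5]
        else:
            p_type, p_offset, p_filesz, p_flags = ph[0], ph[1], ph[4], ph[6]
        if p_type == PT_PAX_FLAGS:
            info["pax"] = {}
            for name, (on, off) in PAX_BITS.items():
                if p_flags & on and p_flags & off:
                    info["pax"][name] = "conflict"    # both bits set: malformed marking
                elif p_flags & on:
                    info["pax"][name] = "on"
                elif p_flags & off:
                    info["pax"][name] = "off"
                else:
                    info["pax"][name] = "default"
        elif p_type == PT_DYNAMIC:
            # Walk the dynamic array to DT_NULL.  DT_TEXTREL, or DF_TEXTREL in DT_FLAGS,
            # means the loader must write into mapped text, which MPROTECT forbids.
            step = struct.calcsize(dyn_fmt)
            for off in range(p_offset, p_offset + p_filesz, step):
                d_tag, d_val = struct.unpack_from(dyn_fmt, data, off)
                if d_tag == DT_NULL:
                    break
                if d_tag == DT_TEXTREL or (d_tag == DT_FLAGS and d_val & DF_TEXTREL):
                    info["textrel"] = True
    return info


def build_sample_elf64(e_type, pax_flags=None, textrel=False):
    """Constructed minimal little-endian x86-64 ELF (header, program headers and a
    dynamic array, no code) used only as offline sample input; not a real binary."""
    dyn = (struct.pack("<qQ", DT_TEXTREL, 0) if textrel else b"") + struct.pack("<qQ", DT_NULL, 0)
    n_ph = 2 if pax_flags is not None else 1
    ph_off, dyn_off = 64, 64 + n_ph * 56
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off, 0, 0, len(dyn), len(dyn), 8)
    if pax_flags is not None:
        phdrs += struct.pack("<IIQQQQQQ", PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8)
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELFCLASS64, LE, EV_CURRENT
    ehdr = struct.pack("<16sHHIQQQIHHHHHH", ident, e_type, 62, 1, 0, ph_off, 0, 0,
                       64, 56, n_ph, 64, 0, 0)
    return ehdr + phdrs + dyn


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            blob = f.read()
    else:
        # Constructed sample: an ET_EXEC marked "MPROTECT off, EMUTRAMP on" (the kind of
        # marking a trampoline-using program needs) which also carries DT_TEXTREL.
        blob = build_sample_elf64(ET_EXEC, PAX_BITS["MPROTECT"][1] | PAX_BITS["EMUTRAMP"][0],
                                  textrel=True)
    r = inspect_elf(blob)
    print("type:        ", r["type"])
    print("textrel:     ", r["textrel"])
    print("PT_PAX_FLAGS:", "absent (kernel defaults apply)" if r["pax"] is None else
          " ".join("%s=%s" % kv for kv in r["pax"].items()))
```

Run it as `python3 paxinfo.py /path/to/binary` (the file name is an assumption) to see how a real executable is marked, or with no argument to see the constructed sample decoded. It looks only at the main executable's own program headers and dynamic section; text relocations inside shared libraries are resolved by ld.so and are not visible here. A binary with no PT_PAX_FLAGS header gets whatever the kernel's compiled-in defaults are, which is exactly the situation the post warns about when a PaX kernel is run on an unmarked base.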