Hi Markus,

It looks like you missed something in the process.  The steps to
converting are (skipping details):

1) switch profile
2) recompile the toolchain: emerge glibc gcc binutils
3) recompile system: emerge -e system
4) recompile world: emerge -e world

If you didn't do these, it's possible you have some binaries left that
will trigger pax violations.

One way to quickly check if you got hardened binaries is to use a script
called checksec.sh [1] and run it on /bin or /sbin.  You should see that
all your binaries have FULL RELRO, STACK CANARY, NX, PIE and ASLR.


Ref:

[1] http://tk-blog.blogspot.com/2009/02/checksec.html



On 07/14/2011 05:54 AM, Markus Oehme wrote:
> Hi,
> 
> I successfully switched to hardened profile during the last week and it was
> quite painless. I think I can hand out some praise for the great work done
> on Gentoo Hardened. :)
> 
> Just one thing puzzles me a bit. I activated pax in hardened sources and
> this resulted in quite some segfaulting processes due to mprotect. I found
> lines like the following in the logs.
> 
> Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect 
> of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] 
> uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 
> gid/egid:0/0
> 
> I remedied this with paxctl -m /usr/bin/python2.7 and similar, but the list
> [1] of binaries where I had to do this includes some stuff, where mprotect
> would be quite useful (sudo, polkitd, etc.). Also I didn't see a note in the
> docs (which otherwise are really helpful :) about what to expect for
> exceptions from mprotect. Is this expected behaviour or have I made some
> mistake in my configuration?
> 
> 
>          Markus
> 
> [1]
> /usr/lib64/courier/courier-authlib/authdaemond
> /usr/sbin/console-kit-daemon
> /usr/libexec/polkitd
> /usr/bin/xfconf-query
> /usr/lib64/xfce4/xfconf/xfconfd
> /usr/bin/xscreensaver
> /usr/bin/xfce4-session
> /usr/bin/gkrellm
> /usr/bin/Xorg
> /usr/bin/xfdesktop
> /usr/bin/xfce4-panel
> /usr/bin/Terminal
> /usr/libexec/udisks-daemon
> /usr/bin/xfce4-session-logout
> /usr/bin/emacs-23
> /usr/bin/sudo
> /usr/bin/perl
> /usr/libexec/xfce4/panel-plugins/xfce4-mixer-plugin
> /usr/bin/xfce4-mixer
> /usr/bin/python2.7
> /usr/libexec/git-core/git
> /usr/libexec/gcc/x86_64-pc-linux-gnu/4.6.1/cc1
> 
> 
> --
> Aoccdrnig to a threoy, it deosn't mttaer in waht oredr the ltteers in a wrod
> are, the olny iprmoatnt tihng is taht the frist and lsat ltteer are in the
> rghit pclae. The rset can be a taotl mses and you can sitll raed it in msot
> csaes. Tihs is bcuseae the huamn mnid deos not raed ervey lteter by istlef,
> but the wrod as a wlohe. And I awlyas thought slpeling was ipmorantt.


-- 
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88  33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
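The two checks the thread talks about, finding out which executables actually tripped the MPROTECT denial in the kernel log and then looking at the hardening markers checksec.sh reports, can be scripted together. The script below is an added example and is not code from the thread, from checksec.sh or from Gentoo; it assumes readelf from binutils is installed, and the log lines it parses are constructed, modelled on the one Markus posted. The idea is to review only the binaries that really caused denials before reaching for paxctl -m.

```shell
#!/bin/sh
# Added example, not part of the thread: triage grsec "denied RWX mprotect"
# log lines so that only the executables that actually tripped MPROTECT get
# reviewed, then summarise the hardening markers checksec.sh looks at.
# Assumes readelf from binutils. The log text below is constructed.

SAMPLE_LOG='Jul 13 17:09:41 localhost kernel: [  286.180994] grsec: denied RWX mprotect of /lib64/ld-2.13.so by /usr/bin/python2.7[decibel-audio-p:6393] uid/euid:1000/1000 gid/egid:1005/1005, parent /sbin/init[init:1] uid/euid:0/0 gid/egid:0/0
Jul 13 17:10:02 localhost kernel: [  307.001200] grsec: denied RWX mprotect of /usr/bin/sudo by /usr/bin/sudo[sudo:6410] uid/euid:1000/0 gid/egid:1005/1005, parent /bin/bash[bash:6001] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:10:05 localhost kernel: [  310.555000] grsec: denied RWX mprotect of /usr/bin/sudo by /usr/bin/sudo[sudo:6412] uid/euid:1000/0 gid/egid:1005/1005, parent /bin/bash[bash:6001] uid/euid:1000/1000 gid/egid:1005/1005
Jul 13 17:11:00 localhost sshd[2222]: Accepted publickey for markus from 192.0.2.10 port 50000 ssh2'

# mprotect_offenders: read kernel log text on stdin and print each executable
# that was denied an RWX mprotect, once, followed by its denial count,
# most frequent first. The path is the "by <path>[comm:pid]" field, i.e. the
# process that made the call, not the mapping it tried to change.
mprotect_offenders() {
    sed -n 's/.*grsec: denied RWX mprotect of [^ ]* by \([^[]*\)\[.*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# elf_hardening PATH: one-line summary of RELRO, stack canary, NX and PIE
# (the markers checksec.sh prints) plus whether a PT_PAX_FLAGS header exists.
# Prints "<path>: missing" when the file is not present on this machine.
elf_hardening() {
    f=$1
    [ -f "$f" ] || { echo "$f: missing"; return 0; }
    command -v readelf >/dev/null 2>&1 || { echo "$f: readelf not available"; return 0; }
    ph=$(readelf -lW "$f" 2>/dev/null || true)   # program headers
    dyn=$(readelf -dW "$f" 2>/dev/null || true)  # dynamic section

    relro=none
    echo "$ph" | grep -q GNU_RELRO && relro=partial
    # Full RELRO needs the GNU_RELRO segment and BIND_NOW (eager symbol binding).
    [ "$relro" = partial ] && echo "$dyn" | grep -q BIND_NOW && relro=full

    # NX: the GNU_STACK header is present and not marked RWE. A missing
    # GNU_STACK header means an executable stack, so it counts as "no".
    nx=no
    echo "$ph" | grep GNU_STACK | grep -qv RWE && nx=yes

    # PIE: ELF type DYN. Shared libraries are DYN too, so only judge this
    # field for executables.
    pie=no
    readelf -hW "$f" 2>/dev/null | grep -q 'Type:.*DYN' && pie=yes

    # Stack canary: the binary references __stack_chk_fail.
    canary=no
    readelf -sW "$f" 2>/dev/null | grep -q __stack_chk_fail && canary=yes

    pax=no
    echo "$ph" | grep -q PAX_FLAGS && pax=yes

    echo "$f: relro=$relro canary=$canary nx=$nx pie=$pie pax_flags=$pax"
}

# Stand-alone run: list the offenders from the constructed log and inspect
# whichever of them exist on this machine.
printf '%s\n' "$SAMPLE_LOG" | mprotect_offenders | while read -r exe count; do
    echo "$exe: $count MPROTECT denial(s)"
    elf_hardening "$exe"
done
```

In real use, feed it `dmesg` or the kernel log file instead of SAMPLE_LOG. The denial count per executable is what separates a one-off (a plugin loaded once) from a daemon that will keep faulting; the hardening summary then shows whether a listed binary was even built with the hardened toolchain, which is the case Anthony describes above where an `emerge -e` step was skipped. Whether readelf names the PT_PAX_FLAGS header depends on the binutils version; Gentoo's pax-utils package is the usual way to read PaX markings.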
