Hi everyone,

I'm working towards forcing a consistency in how we pax mark our binaries. The RFC for the design is at

http://git.overlays.gentoo.org/gitweb/?p=proj/elfix.git;a=blob;f=doc/paxctl-ng-design.txt;h=9de06a0f9f1c426a7e129b7da53cc43760cd3976;hb=128c1408ba8db6be3f9ade3dc1420a3bf0cee0a0

I am trying to force consistency between two (and in the future, three) ways of doing pax markings: EI_PAX (flags are in the elf header), PT_PAX (flags are in an elf program header), and a new design we're working on, putting the flags in an Extended Filesystem attribute. Each has advantages and disadvantages, and all three will have to be employed to cover the cases where the others don't work, so a utility which consistently marks all three is useful.

There are two stages, the userland utility and kernel patching. The kernel patching is effectively done as long as you choose any of the gentoo predefined profiles:

    Security options ---> Grsecurity ---> Security Level ---> Hardened Gentoo [server]
    or Hardened Gentoo [workstation]
    or Hardened Gentoo [virtualization]

The userland utility is called paxctl-ng and it's part of the sys-apps/elfix-0.2.0 package, which is currently masked pending testing. That's where you come in. Please test the utility on binaries which require pax marking and let me know if it works. Of particular interest are self-checking binaries (like skype) which don't have a PT_PAX section and would break if one were added.

Currently the only known issue with paxctl-ng is that it doesn't properly do file globbing. I have not yet seen it break a binary, but please don't use this on a production system until we have more confidence in it.

Thanks.

--
Anthony G. Basile, Ph.D.
Gentoo Linux Developer [Hardened]
E-Mail    : bluen...@gentoo.org
GnuPG FP  : 8040 5A4D 8709 21B1 1A88 33CE 979C AF40 D045 5535
GnuPG ID  : D0455535
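As an added illustration of the three marking sources the post compares (this is example code written for this page, not paxctl-ng or any elfix code), the following read-only Python checker reports what a binary currently carries in its EI_PAX bytes, in a PT_PAX program header, and in the filesystem xattr, so a tester can see whether a binary even has a PT_PAX header before any tool tries to add one. The PT_PAX_FLAGS type value and p_flags bit pairs are those from PaX's elf.h; the xattr name user.pax.flags is an assumption, since the post does not name it; only little-endian ELF64 is handled.

```python
import os
import struct

PT_PAX_FLAGS = 0x65041580  # p_type of the PaX program header (PaX's elf.h)
EI_PAX = 14                # e_ident offset of the legacy 16-bit EI_PAX field
PHDR64 = "<IIQQQQQQ"       # Elf64_Phdr layout, little-endian

# (enable bit, disable bit) pairs of the PT_PAX p_flags word, from PaX's elf.h
PT_BITS = {"PAGEEXEC": (1 << 4, 1 << 5), "SEGMEXEC": (1 << 6, 1 << 7),
           "MPROTECT": (1 << 8, 1 << 9), "RANDEXEC": (1 << 10, 1 << 11),
           "EMUTRAMP": (1 << 12, 1 << 13), "RANDMMAP": (1 << 14, 1 << 15)}

def parse_markings(data: bytes) -> dict:
    """Read the two in-file marking sources from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    ei_pax = struct.unpack_from("<H", data, EI_PAX)[0]       # raw EI_PAX bytes
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    pt_pax = None  # stays None when no PT_PAX header exists (the skype-style case)
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_PAX_FLAGS:
            pt_pax = p_flags
    return {"ei_pax": ei_pax, "pt_pax": pt_pax}

def decode_pt_flags(p_flags: int) -> dict:
    """Map each PaX feature to enabled/disabled/default (neither bit set)."""
    return {name: "enabled" if p_flags & on else "disabled" if p_flags & off else "default"
            for name, (on, off) in PT_BITS.items()}

def xattr_marking(path: str):
    """Third source: the filesystem xattr; the name user.pax.flags is assumed here."""
    getxattr = getattr(os, "getxattr", None)  # only exists on Linux builds of Python
    try:
        return getxattr(path, "user.pax.flags").decode() if getxattr else None
    except OSError:  # attribute absent or filesystem without xattr support
        return None

def build_sample_elf(pax_flags=None) -> bytes:
    """Construct a minimal, non-runnable ELF64 image for testing: one PT_LOAD, optional PT_PAX."""
    phdrs = [struct.pack(PHDR64, 1, 5, 0, 0x400000, 0x400000, 0, 0, 0x1000)]
    if pax_flags is not None:
        phdrs.append(struct.pack(PHDR64, PT_PAX_FLAGS, pax_flags, 0, 0, 0, 0, 0, 8))
    ident = b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    return ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0) + b"".join(phdrs)
```

For a real file, pass `open(path, "rb").read()` to `parse_markings` and the path to `xattr_marking`; a `pt_pax` of `None` is the case the post singles out, where adding a header means rewriting the program header table.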