On 12/13/14 18:52, Karl-Johan Karlsson wrote:
> That's problem number one: paxmark.sh (from sys-apps/elfix-0.9.0) tries to
> call elog and fails.
I'll fix this. I missed it when I copied from the eclass where we do
want elog.
> about elog. So paxmark.sh from 0.8.4 still fails, it's just silent about it:
> # /usr/sbin/paxmark.sh -m /export/portage/portage/dev-java/icedtea-7.2.5.3/work/icedtea-2.5.3/openjdk.build-boot/bin/java
> # echo $?
> 1
I intentionally left off diagnostics because in the middle of a build
system you will know where it failed. make will stop on shell false.
> So it's managed to set PT_PAX flags, but not XATTR_PAX. Looking at the code,
> paxmark.sh first tries to set PT_PAX, then XATTR_PAX, and if either fails, the
> entire thing returns failure. Unless PAX_MARKINGS is set, in which case that
> controls which type of markings is used. It isn't set on this machine.
That is the correct behavior. If you want both PT and XATTR_PAX
flags to be set and either (or both) fails, you want ret=1.
> Problem number two: that's not what the docs say should happen. According to
> https://wiki.gentoo.org/wiki/Hardened/PaX_Quickstart:
> "If you decide on PaX marking method, you should adjust PAX_MARKINGS variable
> in your /etc/portage/make.conf with either XT (for extended attributes) or PT
> (for program header marking). You can set both XT PT if you wish. Default is
> PT."
So the real bug is that PAX_MARKINGS is not inherited in that
environment. It is set according to that logic in the eclass which is
inherited by the icedtea ebuild and should percolate down but apparently
doesn't. Thanks that would have been hard to catch except in the wild.
But why isn't XATTR_PAX working? I thought I completed that transition ages
ago.
> So it works on ext4, but not ext3, even though both have the ext_attr flag on
> disk. Any difference in kernel support?
Because on ext3 you need to add user_xattr to the mount options. Either
`mount -o user_xattr` or in fstab in column 4 like this
/dev/sdb5 /tmp ext3 user_xattr 0 1
It's automatic on ext4. `man mount` for more info. Please let me know
if this works for you. Is that in the Pax_Quickstart? If not we should
add it.
--
Anthony G. Basile, Ph. D.
Chair of Information Technology
D'Youville College
Buffalo, NY 14201
(716) 829-8197
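As an added example (not part of this thread, and not code from elfix or paxmark.sh): a small Python check that does the diagnosis the reply above describes by hand. It tries a round-trip of a user-namespace extended attribute on a file, distinguishes "the filesystem or mount does not support user xattrs" (ENOTSUP, which is what an ext3 mount without user_xattr produces) from other failures, shows which mount and mount options the path sits on, and emulates the paxmark.sh exit-status rule as Karl-Johan and Anthony describe it (every method selected by PAX_MARKINGS must succeed). Assumptions: the attribute name user.pax.flags is the one elfix uses for XATTR_PAX (the thread does not name it); with PAX_MARKINGS unset the emulation defaults to trying both methods, matching the observed behaviour rather than the wiki's documented "PT" default, and the caller can pick either.

```python
import errno
import os
import tempfile

# Name of the extended attribute XATTR_PAX marking writes (assumption: the name
# elfix uses; the thread does not state it). It is in the "user" namespace,
# which is exactly what the ext3 user_xattr mount option turns on.
PAX_XATTR = "user.pax.flags"


def parse_pax_markings(value, unset_default="XT PT"):
    """Turn a PAX_MARKINGS value ("PT", "XT" or "XT PT") into a set of methods.

    The thread reports that with the variable unset paxmark.sh attempts both
    methods, so that is the default here; the wiki text quoted in the thread
    documents "PT" as the default, selectable via unset_default.
    """
    methods = set((value or unset_default).split())
    unknown = methods - {"PT", "XT"}
    if unknown:
        raise ValueError("unknown PAX_MARKINGS method(s): %s" % ", ".join(sorted(unknown)))
    return methods


def paxmark_status(pt_ok, xt_ok, pax_markings=None):
    """Exit status paxmark.sh would return per the thread's description:
    0 only if every method selected by PAX_MARKINGS succeeded, else 1."""
    outcome = {"PT": pt_ok, "XT": xt_ok}
    return 0 if all(outcome[m] for m in parse_pax_markings(pax_markings)) else 1


def xattr_probe(path):
    """Check whether user-namespace xattrs can be written on path's filesystem.

    Returns (supported, detail): True when set/get/remove of PAX_XATTR round-trips,
    False plus a reason otherwise, None where the platform has no os.setxattr.
    """
    if not hasattr(os, "setxattr"):
        return None, "os.setxattr is not available on this platform"
    try:
        os.setxattr(path, PAX_XATTR, b"m")   # "m": the MPROTECT-off marking typical for a JVM
        value = os.getxattr(path, PAX_XATTR)
        os.removexattr(path, PAX_XATTR)
    except OSError as exc:
        if exc.errno in (errno.ENOTSUP, errno.EOPNOTSUPP):
            return False, ("user xattrs not supported on this mount; on ext3 add "
                           "user_xattr (mount -o user_xattr, or fstab column 4)")
        return False, exc.strerror or str(exc)
    if value != b"m":
        return False, "xattr read back as %r, expected b'm'" % (value,)
    return True, "user xattrs work"


def mount_entry(path):
    """Return (device, mountpoint, fstype, options) for the mount holding path,
    chosen as the longest /proc/mounts mount point that prefixes the real path."""
    real = os.path.realpath(path)
    best = None
    try:
        with open("/proc/mounts") as fh:
            for line in fh:
                parts = line.split()
                if len(parts) < 4:
                    continue
                mp = parts[1]
                if real == mp or real.startswith(mp.rstrip("/") + "/"):
                    if best is None or len(mp) > len(best[1]):
                        best = (parts[0], mp, parts[2], parts[3])
    except OSError:
        return None   # no /proc/mounts (non-Linux or restricted environment)
    return best


def probe_tempfile(directory=None):
    """Probe a fresh temporary file (default: the system temp dir) and report
    the xattr result together with the mount entry behind it."""
    with tempfile.NamedTemporaryFile(dir=directory) as tmp:
        supported, detail = xattr_probe(tmp.name)
        mount = mount_entry(tmp.name)
    return supported, detail, mount


if __name__ == "__main__":
    import sys
    # Usage: python pax_xattr_check.py [directory-on-the-filesystem-to-test]
    target = sys.argv[1] if len(sys.argv) > 1 else None
    supported, detail, mount = probe_tempfile(target)
    if mount:
        print("mount: %s on %s type %s (%s)" % mount)
    state = {True: "ok", False: "FAIL", None: "n/a"}[supported]
    print("user xattrs: %s (%s)" % (state, detail))
    # Feed paxmark.sh's rule the same inputs it would see in the build: assume
    # PT marking worked (as in the thread) and take XT from the probe.
    print("paxmark.sh would return",
          paxmark_status(True, bool(supported), os.environ.get("PAX_MARKINGS")))
```

Run it with the build's work directory (or any directory on the suspect filesystem) as the argument; a FAIL with the ENOTSUP reason on an ext3 mount whose options lack user_xattr reproduces the silent exit status 1 from the thread, and the printed mount line shows directly whether user_xattr is present.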