On 2014 December 24 (Wed) 11:38, PaX Team wrote:
>> I have both PT and XT present in my make.conf for markings. I was told
>> before, that I should rather opt for only one of the two possibilities -
>> kernel-option wise and make.conf-marking-selection wise. Kinda both PT and
>> XT are not supported at the same time using the current utilities.
>
> what particular issues do you still have?

Things evolved, so I should test some combinations again. I missed as the
problems of the past have passed by.

>> Moreover: there is the question if PT marking is present and XATTR is
>> missing at the same time: which one takes precedence? I suspect the system
>> tries to interpret the missing XATTR, falling back to apply the default
>> flags, while paying no attention to the PT flags present. Additionally, I
>> haven't mentioned any policy defined PAX flags.
>
> the general rule is that if a marking is missing (either from the kernel
> config or the executable) then it won't participate in the decision making
> process.
>
> if both marks are present then they must be the same, otherwise the existing
> mark will be used as is.
>
> if neither mark exists then defaults will be used whose value depends on
> softmode. in practice you'll get secure defaults in !softmode (this hierarchy
> was introduced earlier this year, the defaults used to be not secure before
> due to compatibility concerns for unmarked binaries, but i finally made the
> switch).
>
> for this reason these days you should really only set marks when you actually
> want to deviate from the (now) secure defaults.
>
> note that PT_PAX_FLAGS is special in that it's easier to create it at link
> time than afterwards, so its presence is ok even if you don't change its
> default value (which has always been secure for !softmode).

As of 3.9.2 hardened applies a patch to make EMUTRAMP enabled by default.
I know that it's needed for python to work. The comments of the patch also
talk about the libffi library as a reason.

Thanks for clarifying the situation.

Merry Christmas:
Dw.
-- 
dr Tóth Attila, Radiológus, 06-20-825-8057
Attila Toth MD, Radiologist, +36-20-825-8057
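
The precedence rules quoted in this message, written out as a small C model. This is an added example, not code from the PaX patch or from either poster: the struct and function names, the opaque flag bitmask and the caller-supplied default values are assumptions, and rejecting two differing marks is also an assumption, since the message only says the marks "must be the same".

```c
#include <stdbool.h>
#include <stdio.h>

/* Opaque flag bitmask: which bits mean what is outside this model. */
struct mark { bool present; unsigned flags; };

struct kcfg {
    bool pt_enabled, xattr_enabled;   /* marking methods built into the kernel */
    bool softmode;
    unsigned secure_defaults;         /* used when unmarked and !softmode */
    unsigned softmode_defaults;       /* used when unmarked and softmode */
};

/* Returns 0 and stores the effective flags, or -1 when both marks take part
 * but differ (assumption: the thread only says they "must be the same"). */
int resolve_flags(const struct kcfg *k, struct mark pt, struct mark xattr,
                  unsigned *out)
{
    /* A mark missing from the kernel config or the binary does not take part. */
    bool use_pt = k->pt_enabled && pt.present;
    bool use_xattr = k->xattr_enabled && xattr.present;

    if (use_pt && use_xattr) {
        if (pt.flags != xattr.flags)
            return -1;
        *out = pt.flags;
    } else if (use_pt) {
        *out = pt.flags;              /* the one existing mark is used as is */
    } else if (use_xattr) {
        *out = xattr.flags;
    } else {
        *out = k->softmode ? k->softmode_defaults : k->secure_defaults;
    }
    return 0;
}

int main(void)
{
    /* Constructed values: the case asked about, PT present and XATTR missing. */
    struct kcfg k = { true, true, false, 0xF, 0x0 };
    struct mark pt = { true, 0x5 }, none = { false, 0 };
    unsigned eff = 0;
    int rc = resolve_flags(&k, pt, none, &eff);
    printf("rc=%d flags=0x%x\n", rc, eff);
    return 0;
}
```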