On 19 Sep 2015 at 22:40, Alex Efros wrote:

> Hi!
>
> On Sat, Sep 19, 2015 at 09:33:15PM +0200, PaX Team wrote:
> > > > 1. enable ELFRELOCS in your kernel config (and keep MPROTECT enforced
> > > > on all binaries)
> > > Done. This works. I don't really like it, but let it be, at least for now.
> > well, disabling MPROTECT is much worse, this way you can at least
> > control which binaries can map libraries with textrels.
>
> I don't get it. With MPROTECT I control which binaries won't be protected.
not quite ;). for MPROTECT to be effective you also need to control what
the application can do to the filesystem (in particular you have to
prevent anything equivalent to the sequence of open/write/mmap). this
requires the use of some access control system that PaX itself lacks (by
design). in grsecurity's case it's the RBAC system with a proper policy.
if you're not doing this part then MPROTECT doesn't provide you the
guarantees over runtime codegen.

> With ELFRELOCS I don't control binaries and all of them will be less
> protected.
> And I doubt "all less protected" is better than "few not protected".

based on the above explanation now you can probably see that once you
have RBAC (or equivalent) in place then that same mechanism can also be
used to control which apps can load textrel libs which is how you win
twice:

1. MPROTECT can be enforced on everything (or at least no need to relax
   it because of textrels)
2. only specifically allowed apps can punch a controlled hole into
   MPROTECT.
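The open/write/mmap sequence the reply refers to, as an added example that is not part of the original thread and not PaX or grsecurity code. It writes a few bytes of machine code into a file as ordinary data and then maps that file back read+execute, the same way a shared library is loaded, so no page is ever writable and executable at the same time and there is no W^X transition for MPROTECT to refuse. Assumptions: Linux, x86-64 or AArch64, `memfd_create()` available (with an `mkstemp()` fallback in `/tmp`); the payload bytes and file names are constructed for this example.

```c
/* Added example (not from the original thread): file-backed runtime code
 * generation via open/write/mmap. Linux-only; x86-64 and AArch64 payloads.
 * The point: nothing here asks the kernel for a writable+executable page,
 * so closing this hole requires filesystem access control (as the reply
 * says, e.g. grsecurity RBAC), not MPROTECT alone. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Constructed payload: a position-independent function returning 42,
 * so it works wherever the kernel decides to map it. */
#if defined(__x86_64__)
static const unsigned char payload[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00,   /* mov eax, 42 */
    0xc3                            /* ret         */
};
#elif defined(__aarch64__)
static const unsigned char payload[] = {
    0x40, 0x05, 0x80, 0x52,         /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6          /* ret         */
};
#else
static const unsigned char payload[] = { 0 }; /* never executed */
#define PAYLOAD_UNSUPPORTED 1
#endif

/* Step 1: open something we can both write to and mmap. memfd_create()
 * is tried first because it is unaffected by noexec mounts; otherwise
 * fall back to an unlinked temporary file on disk (hypothetical name
 * pattern). Returns -1 on failure. */
static int open_scratch_fd(void)
{
    int fd = memfd_create("codegen-example", MFD_CLOEXEC);
    if (fd >= 0)
        return fd;

    char path[] = "/tmp/codegen-example-XXXXXX";
    fd = mkstemp(path);
    if (fd >= 0)
        unlink(path);   /* the fd keeps the inode alive; the name is not needed */
    return fd;
}

/* Runs the open/write/mmap sequence and returns what the payload returns
 * (42 on success), or -1 if any step fails. */
int run_code_via_file(void)
{
#ifdef PAYLOAD_UNSUPPORTED
    return -1;
#else
    int fd = open_scratch_fd();
    if (fd < 0)
        return -1;

    /* Step 2: write() the code into the file as plain data. */
    if (write(fd, payload, sizeof payload) != (ssize_t)sizeof payload) {
        close(fd);
        return -1;
    }

    /* Step 3: map the same bytes back PROT_READ|PROT_EXEC, exactly like a
     * library load. The mapping is never writable, so W^X is not violated;
     * the bytes simply arrived through the filesystem instead. */
    size_t len = (size_t)sysconf(_SC_PAGESIZE);
    void *code = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    close(fd);
    if (code == MAP_FAILED)
        return -1;

    int (*fn)(void);
    memcpy(&fn, &code, sizeof fn);  /* object-to-function pointer, deliberately */
    int result = fn();

    munmap(code, len);
    return result;
#endif
}

int main(void)
{
    int r = run_code_via_file();
    if (r < 0) {
        perror("open/write/mmap sequence failed");
        return 1;
    }
    printf("code written to a file and executed, it returned %d\n", r);
    return r == 42 ? 0 : 1;
}
```

Build with `cc -Wall -o codegen-example codegen-example.c` and run it. A kernel that only enforces W^X on memory mappings (the MPROTECT guarantee) has no reason to refuse either the `write()` or the `PROT_EXEC` `mmap()`; the one place this can be denied is where the process gains write access to a file it will later execute from, which is the access-control part the reply says PaX leaves to something like RBAC.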