On Feb 10, 12:05pm, aw-netbsd@xxxxxxxxxxxxxxxxxx (Andreas Wiese) wrote:
-- Subject: kern/37992: PaX flags on non-NetBSD binaries
| >Number: 37992
| >Category: kern
| >Synopsis: There's no way to save PaX flags on non-native binaries
| >Confidential: no
| >Severity: non-critical
| >Priority: medium
| >Responsible: kern-bug-people
| >State: open
| >Class: sw-bug
| >Submitter-Id: net
| >Arrival-Date: Sun Feb 10 12:05:00 +0000 2008
| >Originator: Andreas Wiese
| >Release: NetBSD 4.99.49
| BSD-Crew Dresden, Germany
| System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
| (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
| Architecture: i386
| Machine: i386
| Hey, folks.
| I played around with PaX and its several sysctl variables a while and
| was happy to see that setting security.pax.*.global to 1 seems to work
| for most programs. The only native program not running was mplayer, but
| for this I set the according flags via paxctl(8) and everything is fine.
| Then I needed to use OpenOffice (I only have the Linux version
| installed) and Linux glibc complained about being unable to write-enable
| certain ELF sections. paxctl(8) (naturally) doesn't solve the problem
| here, so I have to disable mprotect globally to get OpenOffice to work.
| Is there any solution for this problem or has anybody an idea for this
| yet? If not: Why not save the PaX flags via the extattr(9) framework?
| If I understood this right, its purpose is associating meta-data with
| files, for which there is no room in another way. Why not create a
| paxflags=0x?? key-value pair for each binary you want to set PaX flags
| on? I see several advantages in this approach:
| 1) It's transparent for different ELF formats.
| 2) You don't touch the binary itself, therefore not messing around with
| checksums and veriexec(9), for example.
| 3) You could easily transfer your binaries to another system (for
| whatever reason) without taking the PaX flags with you.
| 4) We would have another use for extattr(9) to present the other guys ;)
| Just a quick idea I wanted to share. Could be nonsense, too =]
Yes, it is noted in the bugs section of paxctl :-)