netbsd-bugs@netbsd.org
[Top] [All Lists]

Re: kern/37992: PaX flags on non-NetBSD binaries

Subject: Re: kern/37992: PaX flags on non-NetBSD binaries
From: Christos Zoulas
Date: Sun, 10 Feb 2008 09:47:08 -0500
On Feb 10, 12:05pm, aw-netbsd@xxxxxxxxxxxxxxxxxx (Andreas Wiese) wrote:
-- Subject: kern/37992: PaX flags on non-NetBSD binaries

| >Number:         37992
| >Category:       kern
| >Synopsis:       There's no way to save PaX flags on non-native binaries
| >Confidential:   no
| >Severity:       non-critical
| >Priority:       medium
| >Responsible:    kern-bug-people
| >State:          open
| >Class:          sw-bug
| >Submitter-Id:   net
| >Arrival-Date:   Sun Feb 10 12:05:00 +0000 2008
| >Originator:     Andreas Wiese
| >Release:        NetBSD 4.99.49
| >Organization:
|         BSD-Crew Dresden, Germany
| >Environment:
| System: NetBSD schroeder.lan.instandbesetzt.net 4.99.49 NetBSD 4.99.49
| (SCHROEDER) #0: Tue Jan 22 18:18:53 CET 2008
| root@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:/usr/obj/sys/arch/i386/compile/SCHROEDER
| i386
| Architecture: i386
| Machine: i386
| >Description:
| Hey, folks.
| 
| I played around with PaX and its several sysctl variables a while and
| was happy to see that setting security.pax.*.global to 1 seems to work
| for most programs.  The only native program not running was mplayer, but
| for this I set the according flags via paxctl(8) and everything is fine.
| 
| Then I needed to use OpenOffice (I only have the Linux version
| installed) and Linux glibc complained about being unable to write-enable
| certain ELF sections.  paxctl(8) (naturally) doesn't solve the problem
| here, so I have to disable mprotect globally to get OpenOffice work.
| 
| Is there any solution for this problem or had anybody an idea for this,
| yet?  If not:  Why not save the PaX flags via the extattr(9) framework?
| If I understood this right, its purpose is associating meta-data with
| files, for which is no room in another way.  Why not create a
| paxflags=0x?? key-value pair for each binary, you want to set PaX flags
| on?  I see several advantages in this approach:
| 
|   1) It's transparent for different ELF formats.
|   2) You don't touch the binary itself, therefor not messing around with
|      checksums and veriexec(9), for example.
|   3) You could easily transfer your binaries to another system (for
|      whatever reason) without taking the PaX flags with you.
|   4) We would have another use for extattr(9) to present the other guys ;)
| 
| Just a quick idea I wanted to share.  Could be nonsene, too =]

Yes, it is noted in the bugs section of paxctl :-)

christos

<Prev in Thread] Current Thread [Next in Thread>